Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

fakamaka
Posts: 4
Joined: Tue Jan 24, 2017 11:52 pm

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by fakamaka »

Just take Zextras backup for consideration to be safe next time ;)
einsibjani
Posts: 5
Joined: Mon Oct 22, 2018 11:18 am

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by einsibjani »

I hate to wake up a long dead thread, but I'm seeing exactly the same thing. Running 8.7.11 and after trying for an A rating on SSL Labs IMAPS no longer works through proxy. Connecting to 7993 works, but 993 doesn't. The error I'm seeing in nginx.log is:

2018/10/22 11:21:42 [info] 5609#0: *254 client xxx.xxx.xxx.96:13465 connected to xxx.xxx.xxx.72:993
2018/10/22 11:21:42 [info] 5609#0: *254 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"
2018/10/22 11:21:42 [warn] 5609#0: *254 zm lookup: ngx_zm_lookup_connect connect lookup handle error for host:xxx.xxx.xxx.72:7072, uri:/service/extension/nginx-lookup, fail over to the next one while SSL handshaking to lookup handler, client:xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"
2018/10/22 11:21:42 [error] 5609#0: *254 An error occurred in mail zmauth: error occurs when reading lookup response from handler while SSL handshaking to lookup handler, client: xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"

I have been at this for a couple of days now. Tried every combination of URL in conf/nginx/templates/nginx.conf.zmlookup.template but nothing works.

Plain IMAP on port 143 works, and the web interface works. It's just IMAPS on port 993 that fails. Does anyone have any ideas before I just disable the proxy for IMAPS?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by L. Mark Stone »

einsibjani wrote: I hate to wake up a long dead thread, but I'm seeing exactly the same thing. Running 8.7.11 and after trying for an A rating on SSL Labs IMAPS no longer works through proxy. Connecting to 7993 works, but 993 doesn't. The error I'm seeing in nginx.log is:

2018/10/22 11:21:42 [info] 5609#0: *254 client xxx.xxx.xxx.96:13465 connected to xxx.xxx.xxx.72:993
2018/10/22 11:21:42 [info] 5609#0: *254 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"
2018/10/22 11:21:42 [warn] 5609#0: *254 zm lookup: ngx_zm_lookup_connect connect lookup handle error for host:xxx.xxx.xxx.72:7072, uri:/service/extension/nginx-lookup, fail over to the next one while SSL handshaking to lookup handler, client:xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"
2018/10/22 11:21:42 [error] 5609#0: *254 An error occurred in mail zmauth: error occurs when reading lookup response from handler while SSL handshaking to lookup handler, client: xxx.xxx.xxx.96:13465, server: xxx.xxx.xxx.72:993, login: "kortareports"

I have been at this for a couple of days now. Tried every combination of URL in conf/nginx/templates/nginx.conf.zmlookup.template but nothing works.

Plain IMAP on port 143 works, and the web interface works. It's just IMAPS on port 993 that fails. Does anyone have any ideas before I just disable the proxy for IMAPS?

There are several things that all need to be configured correctly for proxy to work:

- The proxy's Internet-facing port for IMAPS must be set to 993.
- The proxy's mailboxd-facing port must be set to 8993.
- Mailboxd's proxy-facing IMAPS port must be set to 8993.
- Both proxy and mailboxd must have the same TLS (or not) setting.

In other words, proxy <--> mailboxd communication needs to agree on the port and the protocol, AND proxy's Internet-facing side must be configured for the correct port -- for every service you wish to route through the Proxy.

https://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide will give you much greater detail on how proxy works.

https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached will show you example zmproxyconfig commands you can use to correct your own system's proxy issues.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
einsibjani
Posts: 5
Joined: Mon Oct 22, 2018 11:18 am

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by einsibjani »

L. Mark Stone wrote: There are several things that all need to be configured correctly for proxy to work:

- The proxy's Internet-facing port for IMAPS must be set to 993.
- The proxy's mailboxd-facing port must be set to 8993.
- Mailboxd's proxy-facing IMAPS port must be set to 8993.
- Both proxy and mailboxd must have the same TLS (or not) setting.

In other words, proxy <--> mailboxd communication needs to agree on the port and the protocol, AND proxy's Internet-facing side must be configured for the correct port -- for every service you wish to route through the Proxy.

The ports are set up correctly (using 7993 not 8993 on the mailboxd side). TLS settings could be the culprit, but which settings should I be looking at? Looking at the log, the error seems to occur even before contacting the imap server on the mailboxd side, since the proxy can't communicate with the lookup handler.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by L. Mark Stone »

Sorry; my bad on the port - I had been working with a Barracuda just before I wrote that...

If you are on a single-server, try looking at the following (from an 8.8.10 server):

zimbra@zimbra:~$ zmprov gs `zmhostname` | grep MailMode
zimbraMailMode: https
zimbraReverseProxyMailMode: redirect
zimbra@zimbra:~$ zmprov gcf zimbraReverseProxySSLToUpstreamEnabled
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbra@zimbra:~$ zmprov gs `zmhostname` | grep -i cleartext
zimbraCalendarCalDavClearTextPasswordEnabled: TRUE
zimbraImapCleartextLoginEnabled: TRUE
zimbraMailClearTextPasswordEnabled: TRUE
zimbraPop3CleartextLoginEnabled: TRUE
zimbraShareNotificationMtaConnectionType: CLEARTEXT
zimbra@zimbra:~$

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
einsibjani
Posts: 5
Joined: Mon Oct 22, 2018 11:18 am

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by einsibjani »

I changed zimbraReverseProxyMailMode to redirect, all others were the same as you posted, but no change. Still getting connect lookup handle error. I've been trying to enable debug logging for the lookup handler but I'm not getting any useful logging. I tried setting log4j.logger.zimbra=DEBUG in logger4j.properties, but I don't get any debug messages in nginx.log and nothing related to the lookup handler in mailbox.log.

Any more ideas?
einsibjani
Posts: 5
Joined: Mon Oct 22, 2018 11:18 am

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by einsibjani »

After setting zimbraReverseProxyLogLevel to debug I finally got some debug info for the lookup handler in nginx.log. The following are, I think, the relevant lines in the debug log:

2018/10/24 11:34:59 [debug] 15461#0: *25 zm lookup: elected route handler #0
2018/10/24 11:34:59 [debug] 15461#0: *25 socket 20
2018/10/24 11:34:59 [debug] 15461#0: *25 epoll add connection: fd:20 ev:80002005
2018/10/24 11:34:59 [debug] 15461#0: *25 connect to xxx.xxx.xxx.72:7072, fd:20 #26
2018/10/24 11:34:59 [debug] 15461#0: *25 event timer add: 20: 15000:1540380914687
2018/10/24 11:34:59 [debug] 15461#0: *25 event timer add: 20: 15000:1540380914687
2018/10/24 11:34:59 [debug] 15461#0: *25 posix_memalign: 0000000000957080:256 @16
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_do_handshake: -1
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_get_error: 2
2018/10/24 11:34:59 [debug] 15461#0: *25 zm lookup: ngx_zm_lookup_ssl_init_connection ngx_ssl_handshake returned NGX_AGAIN
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_do_handshake: 0
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_get_error: 5
2018/10/24 11:34:59 [info] 15461#0: *25 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: xxx.xxx.xxx.239:43894, server: xxx.xxx.xxx.72:993, login: "xxxxxxx"

I'm starting to suspect that Zimbra doesn't like our Let's Encrypt certificate for some reason. Can anyone make sense of what fails here?

I also want to try to disable SSL when talking to the route handler, but I'm unsure if that would mean to disable SSL to upstream completely and what parameters need to be changed on the proxy side and which on the backside.
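
An added example, not part of the original posts: a Python triage script that groups nginx debug lines by connection id and names the SSL_get_error codes logged before the "peer closed connection" message. The sample input is constructed from the debug excerpt in the post above (addresses masked as posted); the function name `triage` is hypothetical, and the code-to-name table follows OpenSSL's ssl.h.

```python
import re
from collections import defaultdict

# SSL_get_error() return codes, as defined in OpenSSL's ssl.h.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}

# nginx error-log prefix: date time [level] pid#tid: *connection-id message
LINE = re.compile(r"^\S+ \S+ \[\w+\] \d+#\d+: \*(\d+) (.*)$")

# Constructed sample: lines taken from the debug excerpt in the post above.
SAMPLE = """\
2018/10/24 11:34:59 [debug] 15461#0: *25 zm lookup: elected route handler #0
2018/10/24 11:34:59 [debug] 15461#0: *25 connect to xxx.xxx.xxx.72:7072, fd:20 #26
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_do_handshake: -1
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_get_error: 2
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_do_handshake: 0
2018/10/24 11:34:59 [debug] 15461#0: *25 SSL_get_error: 5
2018/10/24 11:34:59 [info] 15461#0: *25 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: xxx.xxx.xxx.239:43894, server: xxx.xxx.xxx.72:993, login: "xxxxxxx"
"""

def triage(log_text):
    """Return {connection id: summary} for handshakes the lookup handler closed."""
    conns = defaultdict(lambda: {"target": None, "ssl_errors": [], "closed_by_peer": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an nginx per-connection log line
        cid, msg = m.groups()
        conn = conns[cid]
        target = re.match(r"connect to (\S+), fd:", msg)
        error = re.match(r"SSL_get_error: (\d+)", msg)
        if target:
            conn["target"] = target.group(1)  # address the proxy dialled
        elif error:
            code = int(error.group(1))
            conn["ssl_errors"].append(SSL_ERRORS.get(code, f"unknown({code})"))
        elif msg.startswith("peer closed connection in SSL handshake") \
                and "lookup handler" in msg:
            conn["closed_by_peer"] = True
    return {cid: c for cid, c in conns.items() if c["closed_by_peer"]}

if __name__ == "__main__":
    for cid, c in triage(SAMPLE).items():
        print(f"*{cid}: TLS to {c['target']} closed by peer; "
              f"SSL_get_error sequence: {' -> '.join(c['ssl_errors'])}")
```

SSL_ERROR_WANT_READ (2) is the ordinary non-blocking retry; SSL_ERROR_SYSCALL (5) after SSL_do_handshake returns 0 is what nginx reports as "peer closed connection", so the side that hung up is the listener on port 7072.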
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by L. Mark Stone »

I'd rerun the relevant proxy configuration generation commands again, perhaps like:

/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https  -H `zmhostname`
/opt/zimbra/libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`

Also, it wouldn't hurt to make sure the public service hostname variables are set correctly, e.g.

zmprov mcf zimbraPublicServiceHostname mail.domain.com
zmprov md domaina.com zimbraPublicServiceHostname mail.domaina.com
zmprov md domaina.com zimbraPublicServiceProtocol https
zmprov md domaina.com zimbraPublicServicePort 443

And, just for review, this might help:
https://wiki.zimbra.com/wiki/Zimbra_Pro ... es_via_CLI

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
einsibjani
Posts: 5
Joined: Mon Oct 22, 2018 11:18 am

Re: Ubuntu 14.04 - 8.7.4 imapS issue after upgrade.

Post by einsibjani »

Ok, thanks for your help. I'll check it out, but I've disabled the proxy for POP/IMAP and if this doesn't work out, I'm giving up on getting POP/IMAP working with the proxy.