IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
I have recently updated from 8.7.11 to 8.8.5, FOSS, running on CentOS 6 64-bit. There are a total of about 15 mailboxes on the system, with only 6 of them heavily used.
Since the upgrade I have had multiple issues that I have been trying to isolate. One is that a couple of my mailboxes seem to get locked up as far as IMAP access goes. Messages such as the following are displayed in mailbox.log, while nothing shows in the zmmailboxd.out log:
2018-01-03 08:30:55,032 INFO [ImapSSLServer-245] [ip=x.x.x.x;] imap - dropping connection for user xxx@xxx.net (LOGOUT)
2018-01-03 08:31:08,829 ERROR [Timer-Zimbra] [] mailbox - Failed to lock mailbox
Write Lock Owner - ImapSSLServer-185 prio=5 id=4250 state=TERMINATED
com.zimbra.cs.mailbox.MailboxLock$LockFailedException: timeout
at com.zimbra.cs.mailbox.MailboxLock.lock(MailboxLock.java:211)
at com.zimbra.cs.mailbox.Mailbox.lock(Mailbox.java:10411)
at com.zimbra.cs.imap.ImapListener.unload(ImapListener.java:580)
at com.zimbra.cs.imap.ImapSessionManager$SessionSerializerTask.run(ImapSessionManager.java:195)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
The only way I have found to restore access to the mailbox is to restart the mailbox service.
The second problem is that there seems to be an issue with LDAP TLS connections, at least those that originate from opendkim. Under 8.7.x, I ran with DKIM enabled without any issues. Since the upgrade, I get the following error when starting up with DKIM enabled:
opendkim: /opt/zimbra/conf/opendkim.conf: ldap://xxx.xxx.net:389/?DKIMSelector?sub?(DKIMIdentity=$d): dkimf_db_open(): Connect error
Failed to start opendkim: 0
If I edit /opt/zimbra/conf/opendkim.conf and change the LDAPUseTLS value from 1 to 0, the process starts without an issue. Looking at my backups from 8.7.x, the LDAPUseTLS value was always 1, so I don't think it's an appropriate solution to just disable TLS when it worked previously.
I have re-installed my commercial SSL certificate just in case. It passes all tests, and the same cert is installed for web and IMAP access and works without any issues there.
I am also able to connect to ldap with TLS enabled and browse the directory without any issues, so it does not seem to be a problem with LDAP itself.
For the time being I have restored mail flow by disabling DKIM in the admin interface and then restarting services.
Lastly, when running zmcontrol start, mailbox shows as "Failed" even though no failures are indicated in mailbox.log or zmmailboxd.out -- and all functions of the mailbox service seem to work fine. Webmail works, IMAP works, mail delivery works.
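The pattern in the mailbox.log excerpt above, a lock timeout whose recorded write-lock owner thread is already in state TERMINATED, can be pulled out of a log mechanically. This is an added example, not part of the original post and not Zimbra tooling; the sample log is constructed in the shape of the quoted excerpt, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shaped like the mailbox.log excerpt quoted in the post.
SAMPLE_LOG = """\
2018-01-03 08:30:55,032 INFO [ImapSSLServer-245] [ip=x.x.x.x;] imap - dropping connection for user xxx@xxx.net (LOGOUT)
2018-01-03 08:31:08,829 ERROR [Timer-Zimbra] [] mailbox - Failed to lock mailbox
Write Lock Owner - ImapSSLServer-185 prio=5 id=4250 state=TERMINATED
com.zimbra.cs.mailbox.MailboxLock$LockFailedException: timeout
\tat com.zimbra.cs.mailbox.MailboxLock.lock(MailboxLock.java:211)
2018-01-03 08:36:08,830 ERROR [Timer-Zimbra] [] mailbox - Failed to lock mailbox
Write Lock Owner - ImapSSLServer-185 prio=5 id=4250 state=TERMINATED
com.zimbra.cs.mailbox.MailboxLock$LockFailedException: timeout
2018-01-03 08:40:00,100 ERROR [ImapSSLServer-250] [] mailbox - Failed to lock mailbox
Write Lock Owner - ImapSSLServer-249 prio=5 id=4400 state=RUNNABLE
"""

# A log entry starts with a timestamp; continuation lines (owner, stack) do not.
ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+(\w+)\s+\[([^\]]*)\].*? - (.*)$")
OWNER = re.compile(r"^Write Lock Owner - (\S+) prio=\d+ id=(\d+) state=(\w+)")

def lock_failures(text):
    """Return one dict per 'Failed to lock mailbox' entry, with its lock owner."""
    events, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = None  # a new entry ends the previous continuation block
            if m.group(2) == "ERROR" and "Failed to lock mailbox" in m.group(4):
                current = {"time": m.group(1), "waiter": m.group(3),
                           "owner": None, "owner_id": None, "state": None}
                events.append(current)
            continue
        o = OWNER.match(line)
        if o and current is not None:
            current.update(owner=o.group(1), owner_id=int(o.group(2)),
                           state=o.group(3))
    return events

def orphaned_locks(events):
    """Count failures per owner thread that the log reports as TERMINATED."""
    return Counter((e["owner"], e["owner_id"])
                   for e in events if e["state"] == "TERMINATED")

if __name__ == "__main__":
    for (owner, tid), n in orphaned_locks(lock_failures(SAMPLE_LOG)).items():
        print(f"{n} lock timeouts blocked by terminated thread {owner} (id={tid})")
```

Repeated hits against the same terminated owner thread separate the stuck-lock case in this thread from ordinary contention, where the owner is still running.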
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
Your first problem appears to be the exact same one I am having (viewtopic.php?f=13&t=63339). For those users whose accounts get locked, are they having trouble logging into the web mail as well?
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
Out of curiosity, Do the owners of the failing mailboxes use DAVdroid or K-9 mail client or some other software for email and calendar/task sync?
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
mntwinsfan wrote: Your first problem appears to be the exact same one I am having (viewtopic.php?f=13&t=63339). For those users whose accounts get locked, are they having trouble logging into the web mail as well?
Yes, users who have the lock issue are unable to access webmail. POP works fine. Other users are able to access both IMAP and Webmail without issue, so it does not appear to be a server-wide issue or an issue relating to maxing out IMAP threads (which seem to be the only other instances of this that I've seen with any sort of answers supplied).
nikonaum wrote: Out of curiosity, Do the owners of the failing mailboxes use DAVdroid or K-9 mail client or some other software for email and calendar/task sync?
One account uses iPhone Mail + Thunderbird or Webmail. The other uses iPhone/iPad Mail only, via IMAP. Obviously the common thread here so far seems to be the use of the iOS mail client, but I have two other users on the server with iOS devices who are not experiencing the issue (yet, anyway).
I did resolve my mailboxd "failed" error, which was due to a missing /opt/zimbra/.platform file. That was inadvertently removed during my tinkering to try and resolve these issues. I put it back in place and that error is now gone. (Interestingly enough, the error message that tipped me off to it only shows up when running zmmailboxdctl and not when using zmcontrol.)
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
"Obviously the common thread here so far seems to be the use of the iOS mail client, but I have two other users on the server with iOS devices who are not experiencing the issue (yet, anyway)."
Same goes for me. All the users impacted are iPhone users but not all of my iPhone users are having trouble, just select ones.
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
Are you using NGINX proxy for IMAP? Is NIO for IMAP enabled? What is the output of this command: zmprov getConfig zimbraImapMaxRequestSize ?
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
nikonaum wrote: Are you using NGINX proxy for IMAP? Is NIO for IMAP enabled? What is the output of this command: zmprov getConfig zimbraImapMaxRequestSize ?
No proxy.
NIO is not enabled:
$ zmlocalconfig|grep nio_imap_enabled
nio_imap_enabled = false
$ zmprov getConfig zimbraImapMaxRequestSize
zimbraImapMaxRequestSize: 10240
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
brcp40 wrote: No proxy.
The proxy is a required component from 8.8.x onwards: https://wiki.zimbra.com/wiki/Zimbra_Nex ... _Upgrading
brcp40 wrote: NIO is not enabled
Any particular reason for that?
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
Was your initial setup 8.7.11 or was it an older version, upgraded to 8.7.x?
NIO should be enabled.
https://wiki.zimbra.com/wiki/IMAP_NIO
Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade
I didn't have the proxy for IMAP and POP3 enabled either, nor NIO. Because I tend to be an early adopter, every time there is a new ZMC version I rush to install it. And at one of the updates the NGINX proxy and Memcached were mandatory. I enabled the proxy just for webmail, not for IMAP, because I didn't have enough time to set it up.
But NIO, I didn't play with NIO options and it is disabled on my machine.
So after enabling NIO and proxy for IMAP there are no problems in my box. I increased the IMAP fetch size to 1,5MB from the original 10KB. So far so good!