Hi,
I am running Zimbra 8.6.0 on CentOS 7.
Some MS Outlook users are unable to receive large mail attachments. It happens on slow internet connections, but it never happened before the proxy installation, and I can't disable the proxy service because of SSL certification.
I tried to change the proxy configuration files - /opt/zimbra/conf/nginx/includes/nginx.conf.mail & nginx.conf.mail.pop3s.default. But it remains unchanged after a proxy restart.
Is there any way to customize the proxy settings for this case?
How can I disable SSL encryption only for POP3 connections? It is showing an SSL certificate warning for MS Outlook clients.
Could anyone help me to fix this issue?
Problem with proxy service
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
Re: Problem with proxy service
What are you running for SSL certificates on your Zimbra server?
You can always test your Zimbra server here: https://www.ssllabs.com/ssltest/
Not a good idea to turn off encryption on the public side; your POP3 users' login credentials will be traversing the Internet in plain text.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Problem with proxy service
Thanks for the quick response.
I'm running a Let's Encrypt SSL certificate on my Zimbra server. Actually, I want to turn off the SSL certificate warning for Outlook users.
Outlook POP3 users are getting slow responses. Is it a proxy issue, or do I need to change POP3 port 995?
Re: Problem with proxy service
Hi Mark Stone,
Please check the below nginx.log –
SSL_read() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while proxying and reading from upstream
I found the above log entries when a user tries to download mail via POP3 (port 995), and I also found some similar threads in the Zimbra forum -
viewtopic.php?t=13422
viewtopic.php?t=15303
https://trac.nginx.org/nginx/ticket/215
It seems to be a proxy_buffers issue.
I didn't find the proxy_buffers parameter in the nginx.conf / nginx.conf.default file.
Re: Problem with proxy service
Can someone please shed some light on this issue?
- L. Mark Stone
Re: Problem with proxy service
aminzm wrote: Can someone please shed some light on this issue?
Can you post something about your servers' configurations?
Number of CPU cores, amount of RAM, what Zimbra components are installed, networking between servers, etc.
"Upstream unavailable" means the proxy isn't having a good conversation with the (upstream) mailbox server. Typically, the mailbox server is indeed down, very busy, or there is a networking issue between the two.
In my experience the proxy buffer thing is a red herring, unless the proxy itself is thrashing from resource constraints.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Problem with proxy service
Hi,
Sorry. I was busy with some maintenance work.
The server has 4 CPU cores and 15 GB of RAM. The Zimbra components are -
amavis Running
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
I needed to fix this proxy issue urgently. Now I have disabled the proxy and moved to commercial SSL.
Regards,
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Problem with proxy service
aminzm wrote: Can someone please shed some light on this issue?
It appears to be an OpenSSL bug. I haven't seen this issue myself and am running CentOS 6.9, but I could just be lucky. I need to dig deeper to know why.
Here is the technical detail: https://github.com/openssl/openssl/issues/1799 and this is hopefully the fix: https://github.com/openssl/openssl/pull/1823
To recap, it looks like in some circumstances you may be able to push the bug around a bit with an nginx setting (proxy_buffers 8 32k), but it probably won't completely solve it without fixing the root cause.
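An added example, not part of the original thread or of Zimbra's tooling: a small triage script that pulls the `SSL_read() failed` entries quoted above out of nginx.log and counts them per upstream, listener port, client and hour, to show whether the failures cluster on one mailbox server or time window. The sample log lines, addresses, logins and function names are constructed for illustration, and the trailing `client:/server:/upstream:` fields are assumed to follow nginx's usual error-log layout.

```python
import re
from collections import Counter

# Error text as quoted in the thread; everything around it below is constructed.
ERR = ("SSL_read() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:"
       "decryption failed or bad record mac) while proxying and reading from upstream")
SAMPLE_LOG = "\n".join([
    f'2017/03/02 09:14:07 [info] 2211#0: *811 {ERR}, client: 203.0.113.24, server: 0.0.0.0:995, login: "user1@example.com", upstream: 192.0.2.10:7995',
    f'2017/03/02 09:41:55 [info] 2211#0: *845 {ERR}, client: 203.0.113.24, server: 0.0.0.0:995, login: "user1@example.com", upstream: 192.0.2.10:7995',
    '2017/03/02 10:02:13 [info] 2211#0: *902 upstream timed out (110: Connection timed out) while proxying, client: 198.51.100.7, server: 0.0.0.0:993, login: "user2@example.com", upstream: 192.0.2.10:7993',
    f'2017/03/02 14:20:31 [info] 2213#0: *1377 {ERR}, client: 198.51.100.7, server: 0.0.0.0:995, login: "user2@example.com", upstream: 192.0.2.10:7995',
])

TS_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}):')            # date + hour bucket
FAIL_RE = re.compile(r'(SSL_\w+)\(\) failed \(SSL: ([^)]*)\) (while [^,]+)')
FIELD_RE = re.compile(r'(client|server|upstream): ([^,\s]+)')

def parse_ssl_failures(text):
    """Return one dict per SSL_*() failure line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        ts, fail = TS_RE.match(line), FAIL_RE.search(line)
        if not ts or not fail:
            continue
        # Only look at the key/value tail that follows the "while ..." phase.
        fields = dict(FIELD_RE.findall(line[fail.end():]))
        events.append({
            "hour": ts.group(1),
            "call": fail.group(1),
            "reason": fail.group(2).rsplit(":", 1)[-1],   # last OpenSSL error field
            "phase": fail.group(3),
            "client": fields.get("client"),
            "listener_port": fields.get("server", "").rpartition(":")[2] or None,
            "upstream": fields.get("upstream"),
        })
    return events

def summarize(events):
    """Count failures along each dimension to show where they cluster."""
    keys = ("upstream", "listener_port", "client", "hour")
    return {k: Counter(e[k] for e in events) for k in keys}

if __name__ == "__main__":
    for dimension, counts in summarize(parse_ssl_failures(SAMPLE_LOG)).items():
        print(dimension, counts.most_common())
```

On a real server, pass the contents of the proxy's nginx.log to `parse_ssl_failures` instead of `SAMPLE_LOG`.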