Problem with proxy service

aminzm
Posts: 9
Joined: Mon Oct 10, 2016 6:48 am

Problem with proxy service

Post by aminzm »

Hi,

I am running Zimbra 8.6.0 on CentOS 7.
Some MS Outlook users are unable to receive large mail attachments. It happens on slow internet connections, but it never happened before the proxy installation, and I can't disable the proxy service because of the SSL certificate.

I tried to change the proxy configuration files - /opt/zimbra/conf/nginx/includes/nginx.conf.mail & nginx.conf.mail.pop3s.default - but it remains unchanged after a proxy restart.

Is there any way to customize the proxy settings for this case?
How do I disable SSL encryption only for POP3 connections? It is showing an SSL certificate warning for the MS Outlook client.

Could anyone help me to fix this issue?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Problem with proxy service

Post by L. Mark Stone »

What are you running for SSL certificates on your Zimbra server?

You can always test your Zimbra server here: https://www.ssllabs.com/ssltest/

Not a good idea to turn off encryption on the public side; your POP3 users' login credentials will be traversing the Internet in plain text.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
aminzm
Posts: 9
Joined: Mon Oct 10, 2016 6:48 am

Re: Problem with proxy service

Post by aminzm »

Thanks for the quick response.

I'm running a Let's Encrypt SSL certificate on my Zimbra server. Actually, I want to turn off the SSL certificate warning for Outlook users.

Outlook POP3 users are getting slow responses. Is it a proxy issue, or do I need to change POP3 port 995?
aminzm
Posts: 9
Joined: Mon Oct 10, 2016 6:48 am

Re: Problem with proxy service

Post by aminzm »

Hi Mark Stone,

Please check the below nginx.log –

SSL_read() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while proxying and reading from upstream

I found the above log entries when a user tries to download a mail via POP3 (port 995), and I also found some similar threads in the Zimbra forum -
viewtopic.php?t=13422
viewtopic.php?t=15303

https://trac.nginx.org/nginx/ticket/215

It seems to be a proxy_buffers issue.
I didn't find proxy_buffers parameters in the nginx.conf / nginx.conf.default files.
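To see whether the failure quoted above is tied to one listener, upstream or account, the proxy log can be tallied per field. This is an added example, not part of the original post: the `client`/`server`/`login`/`upstream` field layout and every address and login in the sample are constructed assumptions; only the SSL_read() message text comes from the thread.

```python
import re
from collections import Counter

# Message text quoted in the thread.
BAD_MAC = "decryption failed or bad record mac"
_ERR = ("SSL_read() failed (SSL: error:1408F119:SSL routines:"
        "SSL3_GET_RECORD:" + BAD_MAC + ") while proxying and reading from upstream")

# Constructed sample log (assumed field layout, documentation-range addresses).
SAMPLE_LOG = "\n".join([
    '2017/03/01 10:15:02 [info] 2211#0: *101 ' + _ERR +
    ', client: 198.51.100.7, server: 0.0.0.0:995, login: "user1@example.com", upstream: 192.0.2.10:7995',
    '2017/03/01 10:16:40 [info] 2211#0: *117 ' + _ERR +
    ', client: 203.0.113.9, server: 0.0.0.0:995, login: "user2@example.com", upstream: 192.0.2.10:7995',
    '2017/03/01 10:17:05 [error] 2211#0: *120 upstream timed out (110: Connection timed out)'
    ' while proxying, client: 203.0.113.9, server: 0.0.0.0:993, login: "user2@example.com", upstream: 192.0.2.10:7993',
    '2017/03/01 10:19:31 [info] 2211#0: *133 ' + _ERR +
    ', client: 198.51.100.7, server: 0.0.0.0:995, login: "user1@example.com", upstream: 192.0.2.10:7995',
    # Truncated line: the error is present but the trailing fields are missing.
    '2017/03/01 10:20:00 [info] 2211#0: *140 ' + _ERR,
])

FIELD_RE = re.compile(r'(client|server|login|upstream): "?([^",]+)"?')

def parse_line(line):
    """Return the key/value fields of a bad-record-MAC line, or None for any other line."""
    if "SSL_read() failed" not in line or BAD_MAC not in line:
        return None
    return dict(FIELD_RE.findall(line))

def summarize(log_text):
    """Count bad-record-MAC failures per listener port, upstream and login."""
    by_port, by_upstream, by_login = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        # "?" marks a field that was absent (e.g. a truncated line).
        by_port[fields.get("server", "?").rsplit(":", 1)[-1]] += 1
        by_upstream[fields.get("upstream", "?")] += 1
        by_login[fields.get("login", "?")] += 1
    return {"listener_port": by_port, "upstream": by_upstream, "login": by_login}

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, dict(counts))
```
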
aminzm
Posts: 9
Joined: Mon Oct 10, 2016 6:48 am

Re: Problem with proxy service

Post by aminzm »

Can someone please shed some light on this issue?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Problem with proxy service

Post by L. Mark Stone »

aminzm wrote: Can someone please shed some light on this issue?
Can you post something about your servers' configurations?

Number of CPU cores, amount of RAM, what Zimbra components are installed, networking between servers, etc.

"Upstream unavailable" means the proxy isn't having a good conversation with the (upstream) mailbox server. Typically, the mailbox server is indeed down, very busy, or there is a networking issue between the two.

In my experience the proxy buffer thing is a red herring, unless the proxy itself is thrashing from resource constraints.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
aminzm
Posts: 9
Joined: Mon Oct 10, 2016 6:48 am

Re: Problem with proxy service

Post by aminzm »

Hi,
Sorry. I was busy with some maintenance work.
Server’s CPU cores are 4 and RAM 15 GB. Zimbra components are -


        amavis                  Running
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running


I needed to fix this proxy issue urgently. Now I have disabled the proxy and moved to commercial SSL.

Regards,
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Problem with proxy service

Post by JDunphy »

aminzm wrote: Can someone please shed some light on this issue?
It appears to be an OpenSSL bug. I haven't seen this issue myself and am running CentOS 6.9, but I could just be lucky. I need to dig deeper to know why.

Here is the technical detail: https://github.com/openssl/openssl/issues/1799 and this hopefully being the fix: https://github.com/openssl/openssl/pull/1823

To recap, it looks like in some circumstances, you may be able to push the bug around a bit with a nginx (proxy_buffers 8 32k) but it probably won't completely solve it without fixing the root cause.