No authtoken and no soap fault

[carloscesario]

Hi folks,

Currently we are facing some errors in SASL service, after some authentication tries with wrong password the SASL service show me the folow log

Code: Select all

Jan 29 17:52:16 mail saslauthd[22509]: zmpost: url='https://mail.maydomain.com:7073/service/admin/soap/' returned buffer->data='<html>#012<head>#012<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>#012<title>Error 503 Service Unavailable</title>#012</head>#012<body><h2>HTTP ERROR 503</h2>#012<p>Problem accessing /service/admin/soap/. Reason:#012<pre>    Service Unavailable</pre></p>#012</body>#012</html>#012', hti->error=''
Jan 29 17:52:16 mail saslauthd[22509]: auth_zimbra: myaccount@maydomain.com auth failed: no authtoken and no soap fault text in document
Jan 29 17:52:16 mail saslauthd[22509]: do_auth         : auth failure: [user=myaccount@maydomain.com] [service=smtp] [realm=maydomain.com] [mech=zimbra] [reason=Unknown]
Jan 29 17:52:16 mail postfix/submission/smtpd[895]: warning: unknown[111.111.111.111]: SASL LOGIN authentication failed: authentication failure
Jan 29 17:52:16 mail postfix/submission/smtpd[895]: lost connection after AUTH from unknown[111.111.111.111]
Jan 29 17:52:16 mail postfix/submission/smtpd[895]: disconnect from unknown[111.111.111.111] ehlo=2 starttls=1 auth=0/1 commands=3/4

And after this even usage the correct password, the authentication does not work, it is needed restart the zmmailboxdctl to the service works as expected.

It is similar this one

https://forums.zextras.com/zextras-migr ... 8-7-a.html


Does someone have idea about fix it ?

Regards,

Carlos



$ zmcontrol -v
Release 8.8.11.GA.3737.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.11_P1.

[pup_seba]

Hi,

Try this:
$ grep -i suspended /opt/zimbra/log/mailbox.log
$ grep -i "account lockout" /opt/zimbra/log/mailbox.log

You'll see DoSFilter blocked ips with first command. You'll see accounts being locked by jetty with second command.

I'm not sure about the specific log entries you have as being 'caused by DoSfilter being trigger to block an IP address.

Also, did you tried throttling the filter? It works good when server is being overwhelmed by soap calls (typical during migrations). https://wiki.zimbra.com/wiki/DoSFilter

Regards,

[carloscesario]

Hi, Sebastián.
Thanks you by your tips.

But I already check it when the problem happen

$ grep -i suspended /opt/zimbra/log/mailbox.log
$ grep -i "account lockout" /opt/zimbra/log/mailbox.log

And no results are found.

And about the DoSfilter I already tried several values since 10, 100, 500, 1000 without success.

Best regards

Carlos

[pup_seba]

Hi,

Can you run these commands and share the results?

As zimbra user in your mailbox server:
$ zmprov gs `zmhostname` | grep -i httpdosfilter
$ zmprov gs `zmhostname` | grep -i safeips
--> You can change this values, i need to know the format, and who the ips belong, not the IPs itself.
$ zmprov gs `zmhostname` | grep -i invalidlogin
$ zmprov gas
$ zmprov gs `zmhostname` | grep -i serviceenabled
$ zmprov gs `zmhostname` | grep -i trustedip
--> Again, you may change this values, i only need to know the format and who the ips belong, not the IPs itself.
$ zmlocalconfig | grep -i originating

Regards,

[carloscesario]

Hi, it follow the result commands,

Code: Select all

zimbra@mydomain.com:~$ zmprov gs `zmhostname` | grep -i httpdosfilter
zimbraHttpDosFilterDelayMillis: 0
zimbraHttpDosFilterMaxRequestsPerSec: 100
zimbra@mydomain.com:~$ zmprov gs `zmhostname` | grep -i safeips
zimbraHttpThrottleSafeIPs: 200.XXX.XXX.YY
zimbra@mydomain.com:~$ zmprov gs `zmhostname` | grep -i invalidlogin
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 15
zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraInvalidLoginFilterMaxSizeOfFailedIpDb: 7000
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
zimbra@mydomain.com:~$ zmprov gas
mydomain.com
zimbra@mydomain.com:~$ zmprov gs `zmhostname` | grep -i serviceenabled
zimbraChatServiceEnabled: TRUE
zimbraServiceEnabled: amavis
zimbraServiceEnabled: antivirus
zimbraServiceEnabled: antispam
zimbraServiceEnabled: opendkim
zimbraServiceEnabled: ldap
zimbraServiceEnabled: logger
zimbraServiceEnabled: memcached
zimbraServiceEnabled: stats
zimbraServiceEnabled: mta
zimbraServiceEnabled: snmp
zimbraServiceEnabled: spell
zimbraServiceEnabled: proxy
zimbraServiceEnabled: service
zimbraServiceEnabled: zimbra
zimbraServiceEnabled: zimbraAdmin
zimbraServiceEnabled: zimlet
zimbraServiceEnabled: mailbox
zimbra@mydomain.com:~$ zmprov gs `zmhostname` | grep -i trustedip
zimbraMailTrustedIP: 200.XXX.XXX.ZZ
zimbraMailTrustedIP: 127.0.0.1
zimbraMailTrustedIP: 200.XXX.XXX.YY
zimbra@mydomain.com:~$ zmlocalconfig | grep -i originating
zimbra_http_originating_ip_header = X-Forwarded-For
zimbra@mydomain.com:~$

Best regards

Carlos

[pup_seba]

Hi,

I would recommend:
- Your safe ip list looks not valid for your zimbra version. You need to add the netmask, like 200.XXX.XXX.YY/32
- Is your IP the one in the zimbraHttpThrottleSafeIPs? If so, then that's ok.
- If for your zimbraMailTrustedIP, one of those 2 IPs is the one of your host, then that's ok. If not, you need to add it.

Maybe you could try adding delay to your zimbraHttpDosFilterDelayMillis? To see if that helps in case of contention or some limit being reached?

[carloscesario]

Hi Sebastián,

Even with these changes the problem persists.

$ zmprov gcf zimbraHttpThrottleSafeIPs
zmprov gcf zimbraHttpThrottleSafeIPs
zimbraHttpThrottleSafeIPs: xxx.xxx.xxx.xx/32
zimbraHttpThrottleSafeIPs: yyy.yyy.yyy.yyy/32

Yes one of these IP is my server IP Address

$ zmprov gcf zimbraMailTrustedIP
zimbraMailTrustedIP: xxx.xxx.xxx.xx
zimbraMailTrustedIP: 127.0.0.1
zimbraMailTrustedIP: yyy.yyy.yyy.yyy



About the zimbraHttpDosFilterDelayMillis I just change it to 0 to if this could cause some effect, but now it is value 20

$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20



But even with this, Im facing this problem


Best regards

[bqeg]

Suffering with a similar issue. I'm facing timeouts in an application that connects to zimbra through imap. Added this application ip to the zimbraHttpThrottleSafeIPs, it shows the ip added but when I restart the mailbox service the IP is not being whitelisted.

[mqaroush]

the same problem here..

Jun 11 10:13:05 smtp10 saslauthd[18145]: zmauth: authenticating against elected url 'https://webmail10.xx.yy:7071/service/admin/soap/' ...
Jun 11 10:13:06 smtp10 saslauthd[18145]: zmpost: url='https://webmail10.xx.yy:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault
><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [ZZZZZ]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-11554:https://192.0.0.204:7071/se
rvice/admin/soap/:1560237122275:ac3437295c899cff</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Jun 11 10:13:06 smtp10 saslauthd[18145]: auth_zimbra: ZZZZZ auth failed: authentication failed for [ZZZZZ]
Jun 11 10:13:06 smtp10 saslauthd[18145]: do_auth : auth failure: [user=ZZZZZ] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]

[sruwaid]

the same problem here..

Jun 11 10:13:05 smtp10 saslauthd[18145]: zmauth: authenticating against elected url 'https://webmail10.xx.yy:7071/service/admin/soap/' ...
Jun 11 10:13:06 smtp10 saslauthd[18145]: zmpost: url='https://webmail10.xx.yy:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault
><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [ZZZZZ]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-11554:https://192.0.0.204:7071/se
rvice/admin/soap/:1560237122275:ac3437295c899cff</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Jun 11 10:13:06 smtp10 saslauthd[18145]: auth_zimbra: ZZZZZ auth failed: authentication failed for [ZZZZZ]
Jun 11 10:13:06 smtp10 saslauthd[18145]: do_auth : auth failure: [user=ZZZZZ] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]

This is the same problem I am facing today. Did you get any solution?