Z-push configuration issues

[kbell88]

I have searched and have not been able to find anything relating to my issue. If i missed it I am sorry.

I have z-push setup and working mostly on a separate server with its own external and internal IP. I am able to access the page at as.iluq.net, but not able to login. 
My Zimbra server is located at http://mail.iluq.net and it is working with no issues. It is not using SSL at the time because I wanted to remove any potential issues with z-push.
Both server are on my internal network with full nat to there respective external ips.
Z-push is at 192.168.1.38 - as.iluq.net
Zimbra is at 192.168.1.138 - mail.iluq.net
On my Zimbra server i have whitlisted the IP by running "zmprov mcf zimbraHttpThrottleSafeIPs 192.168.1.38"
"zmprov mcf zimbraHttpThrottleSafeIPs 192.168.1.0/24"
"zmprov mcf zimbraHttpThrottleSafeIPs 184.189.104.214"
I may have over did it, but i got frustrated.
I would like to use SSL once i figure this issue out i will then switch to SSL and probably have a new issue, anyways....
Here is the error log from z-push. 

04/03/2015 10:31:53 [ 3247] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]
04/03/2015 10:31:53 [ 3247] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }
04/03/2015 10:32:03 [ 3248] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]
04/03/2015 10:32:03 [ 3248] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }
04/03/2015 10:32:31 [ 3250] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]
04/03/2015 10:32:31 [ 3250] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }
04/03/2015 10:32:35 [ 3250] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]
04/03/2015 10:32:35 [ 3250] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }

I tried logging in a few times.
Here is my z-push config.php

<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Main configuration file
*
* Created : 01.10.2007
*
* Copyright 2007 - 2013 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation with the following additional
* term according to sec. 7:
*
* According to sec. 7 of the GNU Affero General Public License, version 3,
* the terms of the AGPL are supplemented with the following terms:
*
* "Zarafa" is a registered trademark of Zarafa B.V.
* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
* The licensing of the Program under the AGPL does not imply a trademark license.
* Therefore any rights, title and interest in our trademarks remain entirely with us.
*
* However, if you propagate an unmodified version of the Program you are
* allowed to use the term "Z-Push" to indicate that you distribute the Program.
* Furthermore you may use our trademarks where it is necessary to indicate
* the intended purpose of a product or service provided you use it in accordance
* with honest practices in industrial or commercial matters.
* If you want to propagate modified versions of the Program under the name "Z-Push",
* you may only do so if you have a written permission by Zarafa Deutschland GmbH
* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
/**********************************************************************************
* Default settings
*/
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', 'America/Chicago');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
// Try to set unlimited timeout
define('SCRIPT_TIMEOUT', 0);
// When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
define('USE_X_FORWARDED_FOR_HEADER', false);
// When using client certificates, we can check if the login sent matches the owner of the certificate.
// This setting specifies the owner parameter in the certificate to look at.
define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
/*
* Whether to use the complete email address as a login name
* (e.g. user@company.com) or the username only (user).
* This is required for Z-Push to work properly after autodiscover.
* Possible values:
* false - use the username only (default).
* true - use the complete email address.
*/
define('USE_FULLEMAIL_FOR_LOGIN', false);
/**********************************************************************************
* Default FileStateMachine settings
*/
define('STATE_DIR', '/var/lib/zpush/');

/**********************************************************************************
* Logging settings
* Possible LOGLEVEL and LOGUSERLEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
* LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
* LOGLEVEL_DEVICEID - also prints the device id for every log entry
* LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*/
define('LOGFILEDIR', '/var/log/zpush/');
define('LOGFILE', LOGFILEDIR . 'zpush.log');
define('LOGERRORFILE', LOGFILEDIR . 'zpush-error.log');
define('LOGLEVEL', LOGLEVEL_INFO);
define('LOGAUTHFAIL', false);

// To save e.g. WBXML data only for selected users, add the usernames to the array
// The data will be saved into a dedicated file per user in the LOGFILEDIR
// Users have to be encapusulated in quotes, several users are comma separated, like:
// $specialLogUsers = array('info@domain.com', 'myusername');
define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
$specialLogUsers = array();
// Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
// Uncomment and modify the following line if the validation of the certificates fails.
// define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
/**********************************************************************************
* Mobile settings
*/
// Device Provisioning
define('PROVISIONING', false);
// This option allows the 'loose enforcement' of the provisioning policies for older
// devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
// false (default) - Enforce provisioning for all devices
// true - allow older devices, but enforce policies on devices which support it
define('LOOSE_PROVISIONING', false);
// Default conflict preference
// Some devices allow to set if the server or PIM (mobile)
// should win in case of a synchronization conflict
// SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
// SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
// Global limitation of items to be synchronized
// The mobile can define a sync back period for calendar and email items
// For large stores with many items the time period could be limited to a max value
// If the mobile transmits a wider time period, the defined max value is used
// Applicable values:
// SYNC_FILTERTYPE_ALL (default, no limitation)
// SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
// SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
// Interval in seconds before checking if there are changes on the server when in Ping.
// It means the highest time span before a change is pushed to a mobile. Set it to
// a higher value if you have a high load on the server.
define('PING_INTERVAL', 30);
// Interval in seconds to force a re-check of potentially missed notifications when
// using a changes sink. Default are 300 seconds (every 5 min).
// This can also be disabled by setting it to false
define('SINK_FORCERECHECK', 300);
// Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
// It will only affect new/modified contacts on the mobile which then are synced to the server.
// Possible values are:
// SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
// SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
// SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
// SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
// SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
// SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
// SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
// The company-fileas will only be set if a contact has a company set. If one of
// company-fileas is selected and a contact doesn't have a company set, it will default
// to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
// option is selected for company).
// If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
// SYNC_FILEAS_LASTFIRST will be used
define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
// Amount of items to be synchronized per request
// Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
// Exporting too much items can cause mobile timeout on busy systems.
// Z-Push will use the lowest value, either set here or by the mobile.
// default: 100 - value used if mobile does not limit amount of items
define('SYNC_MAX_ITEMS', 100);
// The devices usually send a list of supported properties for calendar and contact
// items. If a device does not includes such a supported property in Sync request,
// it means the property's value will be deleted on the server.
// However some devices do not send a list of supported properties. It is then impossible
// to tell if a property was deleted or it was not set at all if it does not appear in Sync.
// This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
// supported properties.
// See also https://jira.zarafa.com/browse/ZP-302.
// Possible values:
// false - do not unset properties which are not sent during Sync (default)
// true - unset properties which are not sent during Sync
define('UNSET_UNDEFINED_PROPERTIES', false);
// ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
// in the semantic sanity checks and contacts with larger photos are not synchronized.
// This limitation is not being followed by the ActiveSync clients which set much bigger
// contact photos. You can override the default value of the max photo size.
// default: 49152 - 48 KB default max photo size in bytes
define('SYNC_CONTACTS_MAXPICTURESIZE', 49152);
// Over the WebserviceUsers command it is possible to retrieve a list of all
// known devices and users on this Z-Push system. The authenticated user needs to have
// admin rights and a public folder must exist.
// In multicompany environments this enable an admin user of any company to retrieve
// this full list, so this feature is disabled by default. Enable with care.
define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
// Users with many folders can use the 'partial foldersync' feature, where the server
// actively stops processing the folder list if it takes too long. Other requests are
// then redirected to the FolderSync to synchronize the remaining items.
// Device compatibility for this procedure is not fully understood.
// NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
define('USE_PARTIAL_FOLDERSYNC', false);
/**********************************************************************************
* Backend settings
*/
// the backend data provider
define('BACKEND_PROVIDER', 'BackendZimbra');
/**********************************************************************************
* Search provider settings
*
* Alternative backend to perform SEARCH requests (GAL search)
* By default the main Backend defines the preferred search functionality.
* If set, the Search Provider will always be preferred.
* Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
*/
define('SEARCH_PROVIDER', '');
// Time in seconds for the server search. Setting it too high might result in timeout.
// Setting it too low might not return all results. Default is 10.
define('SEARCH_WAIT', 10);
// The maximum number of results to send to the client. Setting it too high
// might result in timeout. Default is 10.
define('SEARCH_MAXRESULTS', 10);

/**********************************************************************************
* Synchronize additional folders to all mobiles
*
* With this feature, special folders can be synchronized to all mobiles.
* This is useful for e.g. global company contacts.
*
* This feature is supported only by certain devices, like iPhones.
* Check the compatibility list for supported devices:
* http://z-push.sf.net/compatibility
*
* To synchronize a folder, add a section setting all parameters as below:
* store: the ressource where the folder is located.
* Zarafa users use 'SYSTEM' for the 'Public Folder'
* folderid: folder id of the folder to be synchronized
* name: name to be displayed on the mobile device
* type: supported types are:
* SYNC_FOLDER_TYPE_USER_CONTACT
* SYNC_FOLDER_TYPE_USER_APPOINTMENT
* SYNC_FOLDER_TYPE_USER_TASK
* SYNC_FOLDER_TYPE_USER_MAIL
*
* Additional notes:
* - on Zarafa systems use backend/zarafa/listfolders.php script to get a list
* of available folders
*
* - all Z-Push users must have full writing permissions (secretary rights) so
* the configured folders can be synchronized to the mobile
*
* - this feature is only partly suitable for multi-tenancy environments,
* as ALL users from ALL tenents need access to the configured store & folder.
* When configuring a public folder, this will cause problems, as each user has
* a different public folder in his tenant, so the folder are not available.
* - changing this configuration could cause HIGH LOAD on the system, as all
* connected devices will be updated and load the data contained in the
* added/modified folders.
*/
$additionalFolders = array(
// demo entry for the synchronization of contacts from the public folder.
// uncomment (remove '/*' '*/') and fill in the folderid
/*
array(
'store' => "SYSTEM",
'folderid' => "",
'name' => "Public Contacts",
'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
),
*/
);


And finally my Zimbra backend config

<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Main configuration file
*
* Created : 01.10.2007
*
* Copyright 2007 - 2012 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation with the following additional
* term according to sec. 7:
*
* According to sec. 7 of the GNU Affero General Public License, version 3,
* the terms of the AGPL are supplemented with the following terms:
*
* "Zarafa" is a registered trademark of Zarafa B.V.
* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
* The licensing of the Program under the AGPL does not imply a trademark license.
* Therefore any rights, title and interest in our trademarks remain entirely with us.
*
* However, if you propagate an unmodified version of the Program you are
* allowed to use the term "Z-Push" to indicate that you distribute the Program.
* Furthermore you may use our trademarks where it is necessary to indicate
* the intended purpose of a product or service provided you use it in accordance
* with honest practices in industrial or commercial matters.
* If you want to propagate modified versions of the Program under the name "Z-Push",
* you may only do so if you have a written permission by Zarafa Deutschland GmbH
* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
// **********************
// BackendZimbra settings
// **********************
// define('ZIMBRA_URL', 'http[s]://<zimbra url>');
// === Url to access zimbra server - no trailing slash ===
// The ZIMBRA_URL should be set to the value of the setting publicURL on the zimbra
// server configuration. This should allow requests to the mail server to be properly
// routed/proxied as appropriate by zimbra.
// Assuming that z-push is not running on the same IP address as zimbra, if you are
// running zimbra 8.0 or later, you will need to whitelist the IP Address of the z-push
// server to avoid connection issues. See http://wiki.zimbra.com/wiki/DoSFilter
// for 8.0.0-8.0.2 see http://www.zimbra.com/forums/announceme ... 0-2-a.html
define('ZIMBRA_URL', 'http://mail.iluq.net');
define('ZIMBRA_USER_DIR', 'zimbra');
define('ZIMBRA_SYNC_CONTACT_PICTURES', true);
define('ZIMBRA_VIRTUAL_CONTACTS',true);
define('ZIMBRA_VIRTUAL_APPOINTMENTS',true);
define('ZIMBRA_VIRTUAL_TASKS',true);
define('ZIMBRA_IGNORE_EMAILED_CONTACTS',true);
define('ZIMBRA_HTML',true);
// define('ZIMBRA_TIMEZONE', 'Europe/Dublin');
define('ZIMBRA_ENFORCE_VALID_EMAIL', true);
define('ZIMBRA_SMART_FOLDERS',true);
define('ZIMBRA_RETRIES_ON_HOST_CONNECT_ERROR',5);
define('ZIMBRA_LOCAL_CACHE', true);
// define('ZIMBRA_LOCAL_CACHE_LIFETIME', 3600);
// define('ZIMBRA_SERVER_INVITE_REPLY', true);
// define('ZIMBRA_MB_DETECT_ORDER', 'ASCII, UTF-8, ISO-8859-1, ISO-8859-15' );
define('ZIMBRA_DEBUG',false);
// define('ZIMBRA_DEBUG','setup');
// define('ZIMBRA_DEBUG','username');

// In case Function Overload is being detect for mbstring functions we set the define
// to the overload level so that we can handle binary data propper...
define('MBSTRING_OVERLOAD', (extension_loaded('mbstring') ? ini_get('mbstring.func_overload') : false));

Please let me know if you find anything that needs to be changed. This is not a production box, so i am willing to try almost anything to get it working.
Thank you in advance.

[imanudin11]

Hi,



Are you could resolve this name mail.iluq.net from your Z-Push server? how if try to using IP Address instead of name?



define('ZIMBRA_URL', 'http://192.168.1.138');



Please change also zmtlsctl Zimbra to BOTH



su - zimbra

zmtlsctl both

[kbell88]

I have performed the requested actions and looks like the same issue is occuring. Here is my zpush error log



05/03/2015 08:41:09 [26398] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]

05/03/2015 08:41:09 [26398] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }

05/03/2015 08:41:17 [26396] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]

05/03/2015 08:41:17 [26396] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }

05/03/2015 08:42:02 [26399] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]

05/03/2015 08:42:02 [26399] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }

05/03/2015 08:42:12 [26397] [ERROR] [kenny] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]

05/03/2015 08:42:12 [26397] [ERROR] [kenny] Zimbra->Logon(): END Logon { connected = false }

[imanudin11]

Hi,



Could you please give us information about your Zimbra version and Z-Push version

[kbell88]

Zimbra Version - 8.6.0_GA_1153.FOSS

Zpush version - 2.2.0-1934

[imanudin11]

Hi,



What version of Z-Push Zimbra Backend? if using Z-Push Zimbra Backend Release 60 and older, please try disable SSLv3 on z-push/backend/zimbra/zimbra.php so that like following



// on line curl_setopt($this->_curl, CURLOPT_SSLVERSION, 3 );

[kbell88]

I am using Zimbra Backend Revision 61.2.
Looks like one of the changes they made is to comment that out already.
I was hoping that was it to.
I can post my zimbra.php if you need,

[BurntTech]

I'm not sure if your issue if related but i had a issue it appears has to do with if the logins are forcing using a username user@domain.com. I updated my default domain in command line and it fixed it. I realize this might be a config issue on my side and only works if your running one domain. Might be worth testing to see if it works by changing this or as I found out by testing with a user from the default domain. Not sure if its related but let me know if helps or not.
Changing Default Domain on Zimbra Server
https://wiki.zimbra.com/wiki/Setting_a_ ... omain_name
su - zimbra
zmprov mcf zimbraDefaultDomainName mycompany.com
Versions
Zimbra - 8.6.0_GA_1153 
Zpush - 2.2.0-1934
ZimbraBackend - 61

ERROR
15/04/2015 13:58:02 [44388] [INFO] [user] Version='2.2.0-1934' method='GET' from='X.X.X.X' cmd='' getUser='user' devId='' devType=''
15/04/2015 13:58:02 [44388] [ERROR] [user] Zimbra->SoapRequest(): SOAP FAULT: Error Code Returned [account.AUTH_FAILED]
15/04/2015 13:58:02 [44388] [ERROR] [user] Zimbra->Logon(): END Logon { connected = false }
15/04/2015 13:58:02 [44388] [INFO] [user] AuthenticationRequiredException: Access denied. User credentials are invalid - code: 0