Weird Imap proxy behaviour during rolling upgrade

Looking to migrate to ZCS? Ask here. Got a great tip or script that helped you migrate? Post it here.
Post Reply
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Weird Imap proxy behaviour during rolling upgrade

Post by gabrieles »

We are in the middle of a rolling upgrade migration from ZCS 8.0.8 to ZCS 8.8.12 and experiencing some weird behaviour related to the IMAP proxy.
At this point some users have been moved to the new 8.8.12 server and some are on the old 8.0.6.
All users access now from the proxy service on the new 8.8.12. Webmail seems to have no problem, but IMAP has a strange behaviour.
- Users of mailboxes on old 8.0.6 server, accessed in imap via proxy (8.8.12) have no problem with any imap client.
- Users of mailboxes on new 8.8.12 server, accessed in imap via the same proxy on the same machine (8.8.12) cannot login with MOST imap client
What means most imap clients? Some works and some don't!

Test from outside have been conducted:
X - via gmail app (android): cannot login, says a generic "server error"
X - via bluemail app (android): cannot login, "3010 - BAD, maximum size exceeded" (we elevated the imapmaxmessagesize to 100MB but the response is always the same)
X - via telnet on 143: "a1 LOGIN username@domain password" command fails with "BAD, maximum size exceeded"
V - via Thunderbird on Windows 7 and 10: works FLAWLESSY
V - via curl, with the command "curl -k imap://username%40domain:password@mailserver/" works perfectly too.

Every test (except telnet) has been conducted in cleartext, STARTTLS and SSL, the outcome is the same.

Test from inside have been conducted:
X - via telnet on 143 (proxy port): "a1 LOGIN username@domain password" command fails with "BAD, maximum size exceeded"
V - via telnet on 7143 (mailstore port): "a1 LOGIN username@domain password" command succeds with "a1 OK [CAPABILITY IMAP4rev1 ACL BINARY....."
It seems a problem related on the proxy-mailstore communication on the same vm. But there is no problem between the proxy (8.8.12) and the old ancient mailstore (8.0.8)
The SSL options seems to be OK
The certificates are commercial and valid.

We created a test account on the 8.0.8 vm and it accessed with no problem via imap through the proxy.
We created a test account on the 8.8.12 vm and it gives the problem immediately.
Doesn't seems related to the account or to some account attribute changed during the migration.

On audit.log, mailbox.log, zmmailboxd.out there is no trace of the event. The only event recorded is on the nginx.log:
2019/06/18 11:32:47 [info] 5796#0: *8264 upstream sent invalid response: "a1 BAD maximum literal size exceeded" while reading response from upstream, client: 127.0.0.1:46208, server: 0.0.0.0:143, login: "USERNAME@DOMAIN.TLD", upstream: XX.X.XX.XXX:7143 (127.0.0.1:46208->127.0.0.1:143) <=> (XX.X.XX.XXX:53562->XX.X.XX.XXX:7143)

The ZCS 8.8.12 is up to the latest patch
There are no filters or content inspection appliances or similar between the zimbra server and the internet. The 143 port is natted directly thru firewall.

The only test that has not been tried is an exorcism, but we are organizing for that.
User avatar
DualBoot
Elite member
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
Contact:

Re: Weird Imap proxy behaviour during rolling upgrade

Post by DualBoot »

Hello,

maybe I can help for exorcism, I can provide a chicken, virgin is too difficult :p
Well more seriously , did you whitelisted your new Ip proxy ?

:twisted:
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Weird Imap proxy behaviour during rolling upgrade

Post by gabrieles »

DualBoot wrote: did you whitelisted your new Ip proxy ?
Yes, both in zimbraHttpThrottleSafeIPs and in zimbraMailTrustedIP. Set up in global config and inherited by both servers.
7224jobe
Outstanding Member
Outstanding Member
Posts: 283
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: Weird Imap proxy behaviour during rolling upgrade

Post by 7224jobe »

Since the parameters normally involved in these problems (zimbraFileUploadMaxSize, zimbraImapMaxRequestSize,zimbraMailContentMaxSize, zimbraMtaMaxMessageSize) are configurable either at globalConfig or server level, did you check that the parameters did correctly propagate to the new server, too?
User avatar
gabrieles
Outstanding Member
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Weird Imap proxy behaviour during rolling upgrade

Post by gabrieles »

7224jobe wrote:did you check that the parameters did correctly propagate to the new server, too?
Yes, the parameters are correctly propagated.
I've even set the zimbraImapMaxRequestSize from the default 10kb to 100mb just for trying
I receive the error "maximum size exceeded" in response to the login command:

Code: Select all

# telnet mail.example.com 143
Trying 93.33.225.233...
Connected to mail.example.com.
Escape character is '^]'.
* OK IMAP4rev1 proxy server ready
A1 LOGIN username@example.com password
A1 BAD maximum literal size exceeded
* BYE IMAP server terminating connection
Connection closed by foreign host.
Post Reply