Hello all,
I have recently upgraded my Zimbra Open Source server to the 7.x versions, and am having some issues.
When I attempt to authenticate to the SMTP server to send outgoing mail, my credentials are rejected. The following appears in /var/log/zimbra.log:
Apr 27 00:45:08 hostname postfix/smtpd[6366]: Anonymous TLS connection established from unknown[**my.ip**]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Apr 27 00:45:08 hostname saslauthd[2976]: rel_accept_lock : released accept lock
Apr 27 00:45:08 hostname saslauthd[2973]: get_accept_lock : acquired accept lock
Apr 27 00:45:08 hostname saslauthd[2976]: zmauth: authenticating against elected url 'https://mail.hostname.com:7071/service/ ... dmin/soap/' ...
Apr 27 00:45:08 hostname saslauthd[2976]: authentication against url 'https://mail.hostname.com:7071/service/ ... dmin/soap/' caused error 'curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071 '
Apr 27 00:45:08 hostname saslauthd[2976]: url 'https://mail.hostname.com:7071/service/ ... dmin/soap/' will not be used for (at least) 600 seconds
Apr 27 00:45:08 hostname saslauthd[2976]: Authentication cycle re-elected url https://mail.hostname.com:7071/service/ ... dmin/soap/, giving up ...
Apr 27 00:45:08 hostname saslauthd[2976]: auth_zimbra: user@hostname.com auth failed: curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071
Apr 27 00:45:08 hostname saslauthd[2976]: do_auth : auth failure: [user=user@hostname.com] [service=smtp] [realm=hostname.com] [mech=zimbra] [reason=Unknown]
Apr 27 00:45:08 hostname saslauthd[2976]: do_request : response: NO
Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: SASL authentication failure: Password verification failed
Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: unknown[**my.ip**]: SASL PLAIN authentication failed: authentication failure
It appears to me that curl is failing to connect to https://mail.hostname.com:7071 to complete the auth because of an SSL error. Is this because of my using a self signed certificate? I have never had this issue before, and it seems to have coincided with the 7.x upgrade. Anyone else having a similar issue?
SASL Auth fails for outgoing SMTP because of Unknown SSL Error?
-
- Posts: 14
- Joined: Sat Sep 13, 2014 1:12 am
Still haven't found any solutions to this issue... since this is a smaller email system my users have been content to use the web interface for now, which has no authentication issues at all...
It appears as though libcurl is not recognizing the validity of my certificate because it isn't being supplied with the correct CA certs. Where is this configured in Zimbra?
If I use command-line curl to access https://mail.hostname.com:7071/service/admin/soap/ , it will fail. But if I use:
curl --cacert /opt/zimbra/conf/ca/ca.pem -vv -3 https://mail.hostname.com:7071
it works perfectly. How can I inform SASLAUTHD to use this ca cert?
-
- Posts: 14
- Joined: Sat Sep 13, 2014 1:12 am
Okay, I think I've isolated the issue. It looks like a bug in the version of curl (and thus libcurl) in my installation:
CURL distributed with my system (Ubuntu 10.04)
root@hostname:/# curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
* About to connect() to mail.hostname.com port 7071 (#0)
* Trying 206.221.217.246... connected
* Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/zimbra/conf/ca/ca.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=US; ST=TX; O=hostname; OU=Zimbra Collaboration Suite; CN=*.hostname.com
* start date: 2011-06-18 03:11:20 GMT
* expire date: 2021-06-15 03:11:20 GMT
* common name: *.hostname.com (matched)
* issuer: C=US; ST=N/A; L=N/A; O=Zimbra Collaboration Suite; OU=Zimbra Collaboration Suite; CN=mail.hostname.com
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: mail.hostname.com:7071
> Accept: */*
>
https://mail.hostname.com:7071/zimbraAdmin
* Connection #0 to host mail.hostname.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Works fine. Now, using the CURL included with zimbra:
root@hostname:/# /opt/zimbra/curl/bin/curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
* About to connect() to mail.hostname.com port 7071 (#0)
* Trying 206.221.217.246... connected
* Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/zimbra/conf/ca/ca.pem
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mail.hostname.com:7071
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to mail.hostname.com:7071
Immediate failure due to unknown protocol error?
root@hostname:/# curl --version
curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
root@hostname:/# /opt/zimbra/curl/bin/curl --version
curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/1.0.0d zlib/1.2.3.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
As you can see, when I use the version of curl included with my OS, it has no issues connecting. But when I use the version of curl included with Zimbra... it immediately chokes and dies, claiming an unknown SSL error.
I don't have a particularly exotic installation, standard settings all throughout, so I don't really understand how I could have what seems to be a bad version of curl but nobody else has reported the issue? The only difference between the two commands is the version of curl used, so I don't really understand what else could be the problem?
Edit: Well, I guess OpenSSL could be the problem too...?
-
- Zimbra Alumni
- Posts: 55
- Joined: Fri Sep 12, 2014 10:18 pm
Can you post the output of these commands?
ls -l /opt/zimbra/cyrus-sasl/etc/
cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf.in
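The log in the first post shows postfix reporting "SASL PLAIN authentication failed" to the client while the saslauthd line gives the real cause, a libcurl transport error (error 35) on the way to the auth URL, not a rejected password. As an added example (not part of the thread and not Zimbra code), this script separates those two cases in a zimbra.log stream; the function names and the third sample line are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Zimbra code. Splits saslauthd "auth failed" events into
# backend transport errors (libcurl could not reach the auth URL) and the rest.

# Constructed sample: the first two lines follow the log in the first post;
# the third is a made-up rejection for contrast (its wording is an assumption).
sample_log() {
cat <<'EOF'
Apr 27 00:45:08 hostname saslauthd[2976]: auth_zimbra: user@hostname.com auth failed: curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071
Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 27 00:47:31 hostname saslauthd[2977]: auth_zimbra: other@hostname.com auth failed: authentication failed for [other@hostname.com]
EOF
}

# Reads a zimbra.log stream on stdin; prints "<class> <curl-code|-> <user>".
classify_sasl_failures() {
  awk '
    / saslauthd\[[0-9]+\]: auth_zimbra: .* auth failed: / {
      # The user is the field right after the "auth_zimbra:" token.
      user = "-"
      for (i = 1; i < NF; i++) if ($i == "auth_zimbra:") { user = $(i + 1); break }
      code = "-"; class = "rejected"
      # A curl_easy_perform error means the auth backend was never consulted.
      if (match($0, /curl_easy_perform: error\([0-9]+\)/)) {
        class = "backend"
        code = substr($0, RSTART, RLENGTH)
        gsub(/[^0-9]/, "", code)
      }
      print class, code, user
    }'
}

# Summary: how many failures were the backend's fault rather than the client's.
count_backend_failures() {
  classify_sasl_failures | awk '$1 == "backend" { n++ } END { print n + 0 }'
}

sample_log | classify_sasl_failures
```

On a live system the same function can be fed with `classify_sasl_failures < /var/log/zimbra.log`; failures in the `backend` class should not be counted as password-guessing attempts.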