Message: system failure: exception during auth {RemoteManager:

Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Post by Viper786 »

Hello, I am running Zimbra 8.7.1 FOSS on Ubuntu 16.04. It has been running fine for a few weeks, I am sending/receiving emails as expected, however, today I noticed when trying to view Mail Queues, I get the following error:

Code:

Message: system failure: exception during auth {RemoteManager: mail.MYDOMAINNAME.net->zimbra@mail.MYDOMAINNAME.net:22} Error code: service.FAILURE Method: [unknown] Details:soap:Receiver

(I have redacted my domain name from the error message.)

Upon doing some research on this issue, I found: https://wiki.zimbra.com/wiki/Mail_Queue_Monitoring

Per the Wiki, I have tried to fix permissions, I have tried to regenerate/redeploy the ssh keys, however when I try to run the test SSH command: ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net it asks for a password (I am using my actual domain name, it is once again redacted for this post)

Per the wiki, I should not be prompted for a password so here's where my issue lies. I am running sshd on port 22, my Zimbra hostname matches my server's hostname.

While checking for my Zimbra account in /etc/shadow, it shows: zimbra:!:17159::::::

Per the wiki, I ran usermod -U zimbra which gave the following message:

Code:

usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.

I verified in my sshd_config that Pubkeyauthentication is set to yes.

The wiki recommends disabling SELinux but I don't use SELinux (/etc/selinux/config does not exist)

Anyone have any ideas on what I am missing? It seems the issue is my SSH keys aren't working and running zmsshkeygen and zmupdateauthkeys as the zimbra user did not seem to help.

Any help is appreciated.
rm-rf
Posts: 14
Joined: Thu Dec 01, 2016 4:34 pm

Re: Message: system failure: exception during auth {RemoteManager:

Post by rm-rf »

You did everything I'd recommend.

I'd double check ~/.ssh is 700 and owned by zimbra.zimbra. I'd also make sure all files inside .ssh are 600 and also owned by zimbra.zimbra.

Then I'd try running ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net and also check /var/log/secure (or the Ubuntu equivalent). Pasting the ssh -v command here might be helpful if you can't figure it out from there.
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Post by Viper786 »

Thank you for the reply. I have been doing some more testing and installed a fresh ubuntu 14.04 with Zimbra 8.7.1 on a test server and I am having the same issue there as well. Looking at the Zimbra log, this is what happens right when this error pops up:

sshd[4836]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]

and that message is repeated 4 more times.

When I run ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net I get:

Code:

zimbra@mail:/root$ ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAIN.net
Warning: Identity file .ssh/zimbra_identity not accessible: Permission denied.
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to mail.MyDomain.net [2607:5300:60:5686::] port 22.
debug1: Connection established.
debug1: identity file /opt/zimbra/.ssh/id_rsa type -1
debug1: identity file /opt/zimbra/.ssh/id_rsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_dsa type -1
debug1: identity file /opt/zimbra/.ssh/id_dsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_ecdsa type -1
debug1: identity file /opt/zimbra/.ssh/id_ecdsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_ed25519 type -1
debug1: identity file /opt/zimbra/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-128-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-128-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ED25519 6f:00:4a:b3:35:32:07:7a:31:a8:4d:53:db:ca:5d:b9
debug1: Host 'mail.MyDomain.net' is known and matches the ED25519 host key.
debug1: Found key in /opt/zimbra/.ssh/known_hosts:1
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /opt/zimbra/.ssh/id_rsa
debug1: Trying private key: /opt/zimbra/.ssh/id_dsa
debug1: Trying private key: /opt/zimbra/.ssh/id_ecdsa
debug1: Trying private key: /opt/zimbra/.ssh/id_ed25519
debug1: Next authentication method: password
zimbra@mail.MyDomain.net's password:

and it asks for a password again.

Also ~/.ssh is 700 and owned by zimbra, the files within it are 644 and owned by zimbra. Should I update that to 600?

Anyone have any ideas on what I can try next?
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Post by Viper786 »

Any ideas on this?
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Post by Viper786 »

Finally figured this out. If anyone stumbles across this in the future, the way I resolved this issue was by going to /etc/ssh/sshd_config and commenting out the following line:

Code:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Once I commented that out, I reloaded SSH and I can now access my mail queues. I'm not sure what the ramifications of commenting that out are. Anyone know?
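
Added example, not part of the original posts: commenting out the `MACs` line makes sshd fall back to its built-in default list, whereas the sshd log line quoted earlier in the thread already names both sides' lists. This script parses that line, confirms the two lists share nothing, and picks one client-offered MAC that could be appended to the existing `MACs` line instead. The function names and the preference rule (skip MD5-based and truncated `-96` MACs) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): explain an sshd
# "no matching ... found" line and pick the narrowest server-side change.

# The log line quoted in the thread, embedded so the script runs offline.
SAMPLE_LINE='sshd[4836]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]'

# offered_by SIDE LINE: print the comma-separated list sshd logged for
# SIDE ("client" or "server"); prints nothing if LINE is another message.
offered_by() {
    printf '%s\n' "$2" |
        sed -n "s/.*no matching [a-z ]*found:.* $1 \([^ ]*\).*/\1/p"
}

# common_algos LINE: algorithms present in both lists, one per line.
common_algos() {
    client=$(offered_by client "$1" | tr ',' '\n')
    server=$(offered_by server "$1" | tr ',' '\n')
    for a in $client; do
        printf '%s\n' "$server" | grep -qxF -- "$a" && printf '%s\n' "$a"
    done
    return 0
}

# suggest_mac LINE: first client offer that is neither MD5-based nor
# truncated to 96 bits (assumed preference rule); fails if there is none.
suggest_mac() {
    for a in $(offered_by client "$1" | tr ',' ' '); do
        case $a in *md5*|*-96*) continue ;; esac
        printf '%s\n' "$a"
        return 0
    done
    return 1
}

line=${1:-$SAMPLE_LINE}
printf 'client offers : %s\n' "$(offered_by client "$line")"
printf 'server accepts: %s\n' "$(offered_by server "$line")"
if [ -z "$(common_algos "$line")" ]; then
    printf 'no overlap; candidate to append to the MACs line: %s\n' \
        "$(suggest_mac "$line" || echo none)"
fi
```

Run it with a log line as the first argument to analyse a different failure; with no argument it uses the line from the thread.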
adrastos2006
Posts: 5
Joined: Fri Feb 17, 2017 7:00 am

Re: Message: system failure: exception during auth {RemoteManager:

Post by adrastos2006 »

I had the same issue and hunting around didn't help until I found your post about the editing of the sshd_config file.

That reminded me that I had locked down the sshd access to only 2 usernames on the system. I had also locked sshd server down to those in the sudo group.

So, I added the zimbra user to the users able to use the sshd server and added zimbra user to the sudo group. If I were you, I would uncomment the line you commented out in the sshd_config file and make sure the user zimbra has access to sshd server.

Problem solved.
ijk987
Posts: 5
Joined: Fri May 13, 2016 5:41 am
Location: Russia, Altai Krai, Barnaul

Re: Message: system failure: exception during auth {RemoteManager:

Post by ijk987 »

You should do the following (at least in ZCS 8.7.11)
- set PubkeyAuthentication to Yes
- add zimbra@127.0.0.1 to allowed users
- add diffie-hellman-group-exchange-sha1 to KeyAlgorithms
- add hmac-sha1-96 to MACs
BooksRUs
Posts: 5
Joined: Wed Jan 15, 2020 6:19 pm

Re: Message: system failure: exception during auth {RemoteManager:

Post by BooksRUs »

I want to thank everyone who posts here, first of all. A lot of small problems have easily been fixed by simple searches of this forum.

I had a similar problem with being unable to view Queues on the Admin webpage. My fix was in between all of these. A while ago I locked the SSH to port 2201, instead of 22. Unfortunately, this change did NOT come forward with a recent update installed.

So this command:
> zmprov gs MAIL.DOMAIN.COM zimbraRemoteManagementPort

was returning 2201, as was the website (trying to use this port), but I noticed that at the top of the /etc/ssh/sshd_config had this line:
Port 22

So, all I needed to do was run:
> zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 22

To get Zimbra to use the correct port.

Thanks!
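
Added example, not part of the original post: a check for the mismatch described above, comparing the port Zimbra is configured to dial with the `Port` values in an sshd_config. The function names and the sample file are constructed for this example; on a real server the port value would come from the `zmprov gs` command shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): check that the port Zimbra's
# RemoteManager dials is one that sshd actually listens on.

# sshd_ports FILE: print every Port value in an sshd_config, or 22
# (sshd's default) when the file has no Port directive.
# Limitation: Include files are not followed.
sshd_ports() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        tolower($0) ~ /^port[ \t=]/ {
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print; found = 1
        }
        END { if (!found) print 22 }
    ' "$1"
}

# remote_port_ok PORT FILE: succeed if PORT is one of sshd's ports.
remote_port_ok() {
    sshd_ports "$2" | grep -qx -- "$1"
}

# Constructed sample reproducing the post: sshd on 22, Zimbra set to 2201.
conf=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'PubkeyAuthentication yes' > "$conf"
zimbra_port=2201   # value the post says zmprov gs returned
if remote_port_ok "$zimbra_port" "$conf"; then
    echo "OK: sshd listens on $zimbra_port"
else
    echo "MISMATCH: zimbraRemoteManagementPort=$zimbra_port, sshd Port=$(sshd_ports "$conf" | tr '\n' ' ')"
fi
rm -f "$conf"
```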