IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
brcp40
Posts: 5
Joined: Sat Sep 13, 2014 1:40 am

IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by brcp40 »

I have recently updated from 8.7.11 to 8.8.5, FOSS, running on CentOS 6 64-bit. There are a total of about 15 mailboxes on the system, with only 6 of them heavily used.

Since the upgrade I have had multiple issues that I have been trying to isolate. One is that a couple of my mailboxes seem to get locked up as far as IMAP access goes. Messages such as the following are displayed in mailbox.log, while nothing shows in the zmmailboxd.out log:

2018-01-03 08:30:55,032 INFO [ImapSSLServer-245] [ip=x.x.x.x;] imap - dropping connection for user xxx@xxx.net (LOGOUT)
2018-01-03 08:31:08,829 ERROR [Timer-Zimbra] [] mailbox - Failed to lock mailbox
Write Lock Owner - ImapSSLServer-185 prio=5 id=4250 state=TERMINATED

com.zimbra.cs.mailbox.MailboxLock$LockFailedException: timeout
at com.zimbra.cs.mailbox.MailboxLock.lock(MailboxLock.java:211)
at com.zimbra.cs.mailbox.Mailbox.lock(Mailbox.java:10411)
at com.zimbra.cs.imap.ImapListener.unload(ImapListener.java:580)
at com.zimbra.cs.imap.ImapSessionManager$SessionSerializerTask.run(ImapSessionManager.java:195)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)

The only way I have found to restore access to the mailbox is to restart the mailbox service.


The second problem is that there seems to be an issue with LDAP TLS connections, at least those that originate from opendkim. Under 8.7.x, I ran with DKIM enabled without any issues. Since the upgrade, I get the following error when starting up with DKIM enabled:

opendkim: /opt/zimbra/conf/opendkim.conf: ldap://xxx.xxx.net:389/?DKIMSelector?sub?(DKIMIdentity=$d): dkimf_db_open(): Connect error
Failed to start opendkim: 0

If I edit /opt/zimbra/conf/opendkim.conf and change the LDAPUseTLS value from 1 to 0, the process starts without an issue. Looking at my backups from 8.7.x, the LDAPUseTLS value was always 1, so I don't think it's an appropriate solution to just disable TLS when it worked previously.

I have re-installed my commercial SSL certificate just in case. It passes all tests, and the same cert is installed for web and IMAP access and works without any issues there.

I am also able to connect to ldap with TLS enabled and browse the directory without any issues, so it does not seem to be a problem with LDAP itself.


For the time being I have restored mail flow by disabling DKIM in the admin interface and then restarting services.


Lastly, when running zmcontrol start, mailbox shows as "Failed" even though no failures are indicated in mailbox.log or zmmailboxd.out -- and all functions of the mailbox service seem to work fine. Webmail works, IMAP works, mail delivery works.
mntwinsfan
Posts: 8
Joined: Tue Jan 02, 2018 12:15 am

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by mntwinsfan »

Your first problem appears to be the exact same one I am having (viewtopic.php?f=13&t=63339). For those users whose accounts get locked, are they having trouble logging into the web mail as well?
nikonaum
Posts: 6
Joined: Wed Jan 03, 2018 6:48 pm

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by nikonaum »

Out of curiosity, Do the owners of the failing mailboxes use DAVdroid or K-9 mail client or some other software for email and calendar/task sync?
brcp40
Posts: 5
Joined: Sat Sep 13, 2014 1:40 am

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by brcp40 »

mntwinsfan wrote:Your first problem appears to be the exact same one I am having (viewtopic.php?f=13&t=63339). For those users whose accounts get locked, are they having trouble logging into the web mail as well?
Yes, users who have the lock issue are unable to access webmail. POP works fine. Other users are able to access both IMAP and Webmail without issue, so it does not appear to be a server-wide issue or an issue relating to maxing out IMAP threads (which seem to be the only other instances of this that I've seen with any sort of answers supplied).

nikonaum wrote:Out of curiosity, Do the owners of the failing mailboxes use DAVdroid or K-9 mail client or some other software for email and calendar/task sync?
One account uses iPhone Mail + Thunderbird or Webmail. The other uses iPhone/iPad Mail only, via IMAP. Obviously the common thread here so far seems to be the use of the iOS mail client, but I have two other users on the server with iOS devices who are not experiencing the issue (yet, anyway).




I did resolve my mailboxd "failed" error which was due to a missing /opt/zimbra/.platform file. That was inadvertently removed during my tinkering to try and resolve these issues. I put it back in place and that error is now gone. (Interestingly enough, the error message that tipped me off to it only shows up when running zmmailboxdctl and not when using zmcontrol.
mntwinsfan
Posts: 8
Joined: Tue Jan 02, 2018 12:15 am

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by mntwinsfan »

Obviously the common thread here so far seems to be the use of the iOS mail client, but I have two other users on the server with iOS devices who are not experiencing the issue (yet, anyway).
Same goes for me. All the users impacted are iPhone users but not all of my iPhone users are having trouble, just select ones.
nikonaum
Posts: 6
Joined: Wed Jan 03, 2018 6:48 pm

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by nikonaum »

Are You using NGINX proxy for IMAP? Is NIO for IMAP enabled? What is the output of this command: zmprov getConfig zimbraImapMaxRequestSize ?
brcp40
Posts: 5
Joined: Sat Sep 13, 2014 1:40 am

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by brcp40 »

nikonaum wrote:Are You using NGINX proxy for IMAP? Is NIO for IMAP enabled? What is the output of this command: zmprov getConfig zimbraImapMaxRequestSize ?
No proxy.

NIO is not enabled:

Code: Select all

$ zmlocalconfig|grep nio_imap_enabled
nio_imap_enabled = false

Code: Select all

$ zmprov getConfig zimbraImapMaxRequestSize
zimbraImapMaxRequestSize: 10240
phoenix
Ambassador
Ambassador
Posts: 27262
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by phoenix »

brcp40 wrote:No proxy.
The proxy is a required component from 8.8.x onwards: https://wiki.zimbra.com/wiki/Zimbra_Nex ... _Upgrading
brcp40 wrote:NIO is not enabled
Any particular reason for that?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Klug
Ambassador
Ambassador
Posts: 2741
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them
Contact:

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by Klug »

Was you initial setup 8.7.11 or was it an older version, upgraded to 8.7.x?

NIO should be enabled.
https://wiki.zimbra.com/wiki/IMAP_NIO
nikonaum
Posts: 6
Joined: Wed Jan 03, 2018 6:48 pm

Re: IMAP locking, LDAP TLS/OpenDKIM issues after 8.7 to 8.8 upgrade

Post by nikonaum »

I didn't have PROXY for IMAP and POP3 enabled, neither, nor NIO. Cause I tend to be an early adopter, every time there is a new ZMC version I rush to install it. And at one of the updates the NGINx PROXY and Memcached were mandatory. I enabled the proxy just for webmail not for IMAP, cause I didn't have enough time to set it up.
But NIO, I didn't play with NIO options and It is disabled on my machine.
So after enabling NIO and proxy for IMAP there are no problems in my box. I increased the IMAP fetch size to 1,5MB from the original 10KB. So far so good!
Post Reply