[SOLVED] After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Ask questions about your setup or get help installing ZCS server (ZD section below).
Post Reply
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

[SOLVED] After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Post by baena »

I upgraded v8.6 -> 8.7.0_GA 1659.UBUNTU14_64.20160628202701

No errors during the upgrade.

After the upgrade,

Admin UI is up
WebMail UI is up
inbound mail is relivered/received
outbound mail works, from both WebMail & from attached desktop clients

There' no more IMAP access from any clients.

My client's Thunderbird.

IMAP login never completes. All I see in Tbird is "Sending login information ..."

There's no error in Zimbra's mailbox.log or zimbra.log.

All accounts are configured as they always were:

Code: Select all

IMAP:993
SSL/TLS
Normal Password
I've also tried

Code: Select all

IMAP:143
StartTLS
Normal Password
No change in behavior.

Same no-login problem with my usual Android clients that were working prior to the upgrade.


Current zmprov imap configs are

Code: Select all

zmprov gs `zmhostname` | grep -i imap
	zimbraAdminImapImportNumThreads: 20
	zimbraImapBindOnStartup: TRUE
	zimbraImapBindPort: 7143
	zimbraImapCleartextLoginEnabled: TRUE
	zimbraImapDisplayMailFoldersOnly: TRUE
	zimbraImapExposeVersionOnBanner: FALSE
	zimbraImapInactiveSessionCacheMaxDiskSize: 10737418240
	zimbraImapMaxConnections: 200
	zimbraImapMaxRequestSize: 10240
	zimbraImapNumThreads: 500
	zimbraImapProxyBindPort: 143
	zimbraImapSSLBindOnStartup: TRUE
	zimbraImapSSLBindPort: 7993
	zimbraImapSSLProxyBindPort: 993
	zimbraImapSSLServerEnabled: TRUE
	zimbraImapSaslGssapiEnabled: FALSE
	zimbraImapServerEnabled: TRUE
	zimbraImapShutdownGraceSeconds: 10
	zimbraReverseProxyImapEnabledCapability: ACL
	zimbraReverseProxyImapEnabledCapability: BINARY
	zimbraReverseProxyImapEnabledCapability: CATENATE
	zimbraReverseProxyImapEnabledCapability: CHILDREN
	zimbraReverseProxyImapEnabledCapability: CONDSTORE
	zimbraReverseProxyImapEnabledCapability: ENABLE
	zimbraReverseProxyImapEnabledCapability: ESEARCH
	zimbraReverseProxyImapEnabledCapability: ESORT
	zimbraReverseProxyImapEnabledCapability: I18NLEVEL=1
	zimbraReverseProxyImapEnabledCapability: ID
	zimbraReverseProxyImapEnabledCapability: IDLE
	zimbraReverseProxyImapEnabledCapability: IMAP4rev1
	zimbraReverseProxyImapEnabledCapability: LIST-EXTENDED
	zimbraReverseProxyImapEnabledCapability: LIST-STATUS
	zimbraReverseProxyImapEnabledCapability: LITERAL+
	zimbraReverseProxyImapEnabledCapability: MULTIAPPEND
	zimbraReverseProxyImapEnabledCapability: NAMESPACE
	zimbraReverseProxyImapEnabledCapability: QRESYNC
	zimbraReverseProxyImapEnabledCapability: QUOTA
	zimbraReverseProxyImapEnabledCapability: RIGHTS=ektx
	zimbraReverseProxyImapEnabledCapability: SASL-IR
	zimbraReverseProxyImapEnabledCapability: SEARCHRES
	zimbraReverseProxyImapEnabledCapability: SORT
	zimbraReverseProxyImapEnabledCapability: THREAD=ORDEREDSUBJECT
	zimbraReverseProxyImapEnabledCapability: UIDPLUS
	zimbraReverseProxyImapEnabledCapability: UNSELECT
	zimbraReverseProxyImapEnabledCapability: WITHIN
	zimbraReverseProxyImapEnabledCapability: XLIST
	zimbraReverseProxyImapExposeVersionOnBanner: FALSE
	zimbraReverseProxyImapSaslGssapiEnabled: FALSE
	zimbraReverseProxyImapSaslPlainEnabled: TRUE
	zimbraReverseProxyImapStartTlsMode: off
	zimbraReverseProxyMailImapEnabled: TRUE
	zimbraReverseProxyMailImapsEnabled: TRUE
	zimbraStatThreadNamePrefix: ImapSSLServer
	zimbraStatThreadNamePrefix: ImapServer
I've seen some other IMAP issues showing up already. Nothing so far exactly the same.

Is this a known issue?

What additional debug info is helpful?
Last edited by baena on Fri Jul 22, 2016 5:42 pm, edited 1 time in total.
User avatar
tonster
Zimbra Employee
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Post by tonster »

What errors or messages are notable in the logs?
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Post by baena »

tonster wrote:What errors or messages are notable in the logs?
Like I mentioned above
There's no error in Zimbra's mailbox.log or zimbra.log.
That's with the Imap proxy in place.

As a test, I disabled the IMAP proxy with

Code: Select all

zmprov ms `zmhostname` zimbraImapBindPort         '143'
zmprov ms `zmhostname` zimbraImapSSLBindPort      '993'
zmprov ms `zmhostname` zimbraPop3BindPort         '110'
zmprov ms `zmhostname` zimbraPop3SSLBindPort      '995'

zmprov ms `zmhostname` zimbraImapProxyBindPort    '7143'
zmprov ms `zmhostname` zimbraImapSSLProxyBindPort '7993'
zmprov ms `zmhostname` zimbraPop3ProxyBindPort    '7110'
zmprov ms `zmhostname` zimbraPop3SSLProxyBindPort '7995'

zmprov ms `zmhostname` zimbraImapSSLServerEnabled          TRUE
zmprov ms `zmhostname` zimbraImapServerEnabled             TRUE
zmprov ms `zmhostname` zimbraImapSaslGssapiEnabled         FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailEnabled       FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapEnabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapsEnabled  FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3Enabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3sEnabled  FALSE

zmprov ms `zmhostname` zimbraReverseProxyMailEnabled       FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapEnabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapsEnabled  FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3Enabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3sEnabled  FALSE
restarted

Code: Select all

zmproxyctl restart
Now on a `telnet` to the ImapSSL port (no proxy), the connection's immediately closed

Code: Select all

telnet ##.##.##.14 993
	Trying ##.##.##.14...
	Connected to ##.##.##.14.
	Escape character is '^]'.
	Connection closed by foreign host.
I see in mailbox log

Code: Select all

==> mailbox.log <==
2016-07-21 23:04:32,092 WARN  [NioProcessor-3] [] DefaultExceptionMonitor - Unexpected exception.
org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): ssl:ZimbraSslFilter in (0x00000086: nio socket, server, /##.##.##.22:35162 => /##.##.##.14:993)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:279)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:174)
        at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:452)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.addNow(AbstractPollingIoProcessor.java:530)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.handleNewSessions(AbstractPollingIoProcessor.java:503)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:68)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1133)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
        at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
        at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
        at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2081)
        at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:170)
        at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:417)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:277)
        ... 10 more
and in config

Code: Select all

zmprov -l gs `zmhostname` | grep TLSv
	zimbraMailboxdSSLProtocols: TLSv1.1, TLSv1.2
	zimbraReverseProxySSLProtocols: TLSv1
	zimbraReverseProxySSLProtocols: TLSv1.1
	zimbraReverseProxySSLProtocols: TLSv1.2
a telnet to imap is fine

Code: Select all

telnet ##.##.##.14 143
	Trying ##.##.##.14...
	Connected to ##.##.##.14.
	Escape character is '^]'.
	* OK mx.example.com Zimbra IMAP4rev1 server ready
This

Code: Select all

Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2
looks like an obvious problem. Possibly happens when the proxy's in place, but my logging's not setup right to see it in that case.
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Post by baena »

( :?: On a SINGLE server, is it required or recommended to access IMAP via proxy? Or to disable the proxy for IMAP and access directly? )

Starting with the reported error

Code: Select all

Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2
and the config result

Code: Select all

zmprov gs `zmhostname` zimbraMailboxdSSLProtocols
	zimbraMailboxdSSLProtocols: TLSv1.1, TLSv1.2
the defaults are

Code: Select all

zmprov desc -a zimbraMailboxdSSLProtocols
	zimbraMailboxdSSLProtocols
	    List of SSL/TLS protocols (as documented by SunJSSE Provider Protocols
	    and used in setEnabledProtocols) to be enabled in Jetty for HTTPS,
	    IMAPS, POP3S, and STARTTLS (including LMTP)

	               type : string
	              value : 
	           callback : 
	          immutable : false
	        cardinality : multi
	         requiredIn : 
	         optionalIn : server,globalConfig
	              flags : serverInherited
	           defaults : TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello
	                min : 
	                max : 
	                 id : 1657
	    requiresRestart : mailbox
	              since : 8.6.0
	    deprecatedSince : 
resetting to defaults

Code: Select all

zmprov ms `hostname` zimbraMailboxdSSLProtocols ''
zmprov mcf           zimbraMailboxdSSLProtocols ''
zmprov mcf  zimbraMailboxdSSLProtocols 'TLSv1'
zmprov mcf +zimbraMailboxdSSLProtocols 'TLSv1.1'
zmprov mcf +zimbraMailboxdSSLProtocols 'TLSv1.2'
zmprov mcf +zimbraMailboxdSSLProtocols 'SSLv2Hello'
zmprov gcf  zimbraMailboxdSSLProtocols
	zimbraMailboxdSSLProtocols: TLSv1
	zimbraMailboxdSSLProtocols: TLSv1.1
	zimbraMailboxdSSLProtocols: TLSv1.2
	zimbraMailboxdSSLProtocols: SSLv2Hello
then

Code: Select all

zmproxyctl restart
zmmailboxdctl restart
client connections are now working again -- to non-proxy port 993
Post Reply