External account's passwords vanishing after ZCS reboot


Post by Labsy »

Hi,

After migration to ZCS 8.8.6 + patch I have issues with Webmail users who have configured retrieval of external mail into their mailbox.
Those external accounts' passwords vanish after the ZCS server is rebooted. For all users with external retrieval configured.

I've already run zmfixperms -extended, but no joy.

Any idea?

Post by msquadrat »

What do you mean by "vanish"? I don't think the passwords disappear from the LDAP, or do they? You can check by calling

zmprov -l gds $account

With the -l switch it will show you an obfuscated value for the attribute zimbraDataSourcePassword which is normally filtered out.

Post by Labsy »

Hmmm...weird. Seems like password is there, but password hash is different:
- BEFORE I changed it, right after reboot, wrong:
zimbraDataSourcePassword: Af+auscjdbSg1Y36Vw82gNfcH1cB/CZBFy3TYvydDliH
- AFTER I changed it to correct pass:
zimbraDataSourcePassword: AQZAIvxwFWI42kL7JMdlzdJWnvM20dwheJVwpTDQlL2g
- and WEIRD...some 15 minutes later, when I did not change anything:
zimbraDataSourcePassword: Ac0hhq8lnneU44az7BFV1fbiydVlEM5uAApNu/KHBqKK

Where did the wrong one come from?
And how did it change by itself after 15 minutes?
It seems like until I reboot the box, password is correct, then after reboot it changes to something incorrect.

BTW...this box was migrated from Ubuntu 12.04 --> 14.04 and from ZCS 8.0.9 to 8.8.6 recently. Before migration I never had problems.

Post by msquadrat »

I had a quick peek at the code and it looks like the password is AES-encrypted; the key is a salted MD5 sum of the data source id. The value is base64 encoded, the first byte is the constant version 1 followed by 16 bytes of salt and then finally the encrypted password. The salt is randomly generated whenever the value is changed. What does this mean? To have a different value whenever the password is changed is totally normal.

But to have something™ change the password again 15 minutes later is odd. There should be a ChangeDataSourceRequest logged in mailbox.log when this happens.
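
The value layout msquadrat describes above (base64; one version byte equal to 1, 16 bytes of salt, then the AES ciphertext) can be checked against the three readings Labsy posted. This is an added example, not part of the original posts or Zimbra's own code; the function names are hypothetical, the layout is assumed from the post rather than verified against the Zimbra source, and nothing is decrypted.

```python
import base64
from typing import List, NamedTuple

SALT_LEN = 16  # per the post: 16 bytes of salt after the version byte

# The three zimbraDataSourcePassword readings copied from Labsy's post.
READINGS = [
    "Af+auscjdbSg1Y36Vw82gNfcH1cB/CZBFy3TYvydDliH",  # right after reboot
    "AQZAIvxwFWI42kL7JMdlzdJWnvM20dwheJVwpTDQlL2g",  # after re-entering it
    "Ac0hhq8lnneU44az7BFV1fbiydVlEM5uAApNu/KHBqKK",  # ~15 minutes later
]


class Secret(NamedTuple):
    version: int
    salt: bytes
    ciphertext: bytes


def parse_secret(value: str) -> Secret:
    """Split one attribute value into version byte, salt and ciphertext."""
    raw = base64.b64decode(value, validate=True)  # ValueError on bad base64
    if len(raw) <= 1 + SALT_LEN:
        raise ValueError(f"only {len(raw)} bytes, no room for ciphertext")
    if raw[0] != 1:
        raise ValueError(f"unexpected version byte {raw[0]}")
    return Secret(raw[0], raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:])


def rewrites(readings: List[str]) -> List[int]:
    """Indexes of readings whose salt differs from the previous reading."""
    salts = [parse_secret(r).salt for r in readings]
    return [i for i in range(1, len(salts)) if salts[i] != salts[i - 1]]


if __name__ == "__main__":
    for r in READINGS:
        s = parse_secret(r)
        print(s.version, s.salt.hex(), len(s.ciphertext))
    print("rewritten at readings:", rewrites(READINGS))
```

A changed salt only shows that the attribute was written again, not that the stored password differs, so each index returned marks a point where, per the post above, a ChangeDataSourceRequest would be expected in mailbox.log.
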

Post by Labsy »

Weird...it seems then that stored password does not change after all, but something else prevents access to external account.
In my case, both the original user and "external" account are on same Zimbra server. So it is internal retrieval.

So, as user "A" I go to PREFERENCES --> ACCOUNTS --> select the "external" account and fill in the password.
Click on TEST = Success!
Does not matter, whether I select SSL port 993 or plain 143, works both ways.
Select SAVE and another test goes on = Success.

I check the password hash and make a note of it.

But right after, if I check the external account's INBOX (from the "A" user's Webmail), I get error:
system failure: Folder sync failed, system failure: Synchronization of folder '/External box/INBOX' failed, system failure: Server returned no response for UID FETCH 1659 BODY.PEEK[]

And if I check password hash, it is NOT changed.

Even if I DELETE external account and recreate it after 15 minutes or so, I get the same error. TEST passes OK, but as soon as I SAVE, I get ERROR.
And it's the same for external accounts on this Zimbra server, or some 3rd party external account - does not work anymore after upgrade.

What a mess after migration/upgrade...Yeah :/



....***EDIT***
Actually, it seems like the issue occurs only with IMAP External account.
POP3 does not have problems.

And now it looks to me that I have some IMAP-related problems on server, possibly related to my other problem described here:
SSL_write failed SSL: 32: Broken pipe while proxying
viewtopic.php?f=15&t=63658