  #1 (permalink)  
Old 01-09-2008, 05:15 AM
Senior Member
 
Posts: 50
ZCS 4.5.10 upgrade to ZCS 5.0.0

Hi all,

I use openSUSE 10.3 as a server for the ZCS mail service; until two days ago I used ZCS 4.5.10 successfully with no issues - everything was OK!

I made the upgrade to 5.0.0 - the upgrade process ran OK and the server starts, but now POP3/POP3S works only when the Enable Clear Text Login option is checked.
The "TLS Authentication only" option is unchecked in Global options and Servers; I read that this issue was corrected since version 4.

Does anyone have the same issue?

A question for experts: what effect does the "Enable clear text login" option have on server security? I can't find a page where it is explained...

Thanks
  #2 (permalink)  
Old 01-09-2008, 10:09 AM
Moderator
 
Posts: 1,027
Default

I'm gonna guess that you have an SSL certificate that is different from the old server (got re-generated in the upgrade) and your clients still have the old cert. in their stores. You might need to delete the old certs from your clients and re-install the new ones.

I'm presuming, of course, that you can log into the web client just fine, it is only your external clients that aren't working; otherwise you'd be having a lot more login troubles than just clear text.

And since clear text means that anyone who packet-sniffs your email anywhere in the network path gets not only the mail stream itself, but also your passwords and user ids, I don't think it's a really wise configuration.

Cheers,

Dan
Reply With Quote
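A check related to the cleartext-login risk described in the post above, as an added example that is not part of the original thread or of Zimbra's code: it parses a POP3 CAPA response (RFC 2449) captured on an unencrypted session and flags password-exposing logins that are offered before STLS. The sample responses and the finding labels are constructed for illustration.

```python
# Added example: audit a POP3 CAPA response (RFC 2449) seen BEFORE STLS.
# All sample responses below are constructed, not captured from a real server.

CLEARTEXT_SASL = {"PLAIN", "LOGIN"}  # mechanisms that send the password as-is


def parse_capa(raw: str) -> dict:
    """Parse a multi-line CAPA response into {CAPABILITY: [args]}."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("server did not answer CAPA with +OK")
    caps = {}
    for line in lines[1:]:
        if line == ".":          # terminator of the multi-line response
            break
        if not line.strip():
            continue
        name, *args = line.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps


def audit_pre_tls(raw: str) -> list:
    """Return findings for a CAPA response seen on an unencrypted session."""
    caps = parse_capa(raw)
    findings = []
    if "STLS" not in caps:
        findings.append("no-stls: session cannot be upgraded to TLS (RFC 2595)")
    if "USER" in caps:
        findings.append("cleartext-user-pass: USER/PASS offered before TLS")
    weak = CLEARTEXT_SASL.intersection(caps.get("SASL", []))
    if weak:
        findings.append("cleartext-sasl: " + ",".join(sorted(weak)) + " offered before TLS")
    return findings


# Constructed: listener with cleartext login enabled and no STLS.
CLEARTEXT_ON = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\nSASL PLAIN\r\n.\r\n"
# Constructed: listener that advertises no password login until after STLS.
TLS_ONLY = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"

if __name__ == "__main__":
    for label, raw in (("cleartext-on", CLEARTEXT_ON), ("tls-only", TLS_ONLY)):
        print(label, audit_pre_tls(raw) or "ok")
```

CAPA only reports what the server advertises, so an empty result is a starting point; confirm it against the server's actual login policy.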
  #3 (permalink)  
Old 01-13-2008, 11:10 PM
Senior Member
 
Posts: 50
Thumbs up

"You might need to delete the old certs from your clients and re-install the new ones."

How do I do this? Stupid question but I don't know!

And in webmail everything seems fine! No issues!

Thanks for the tips!

If I uncheck the Clear text login option in the POP section, the same issue again; I also tried to use POP3S but got the same...
------------
new add
------------
I just took a closer look at the Certificates section of the web UI and there is only one certificate, and it has been valid since I first installed Zimbra on November 12th, 2007. I tried to install a new certificate and I received an error.
What do I need to do?

Last edited by socate; 01-14-2008 at 12:01 AM..
  #4 (permalink)  
Old 01-14-2008, 04:17 AM
Senior Member
 
Posts: 50
Default

I just updated to version 5.0.1 but the error persists; does anyone know how to downgrade back to 4.5.10 without losing information and settings?
  #5 (permalink)  
Old 01-14-2008, 09:21 AM
Moderator
 
Posts: 1,027
Default

Quote:
Originally Posted by socate View Post
"You might need to delete the old certs from your clients and re-install the new ones."

How do I do this? Stupid question but I don't know!
No, not a stupid question at all. Each browser stores SSL certificates in its own place. I described this in detail on this post.
  #6 (permalink)  
Old 01-15-2008, 12:35 AM
Senior Member
 
Posts: 50
Default

Hi,

Like I said before, I don't have issues with webmail! It works fine! My problems are with POP3 access - because many of our colleagues use BlackBerry services, they need POP3 access! In the previous version (4.5.10) all settings worked normally - it was not necessary to check the "Clear text password" option. I really don't want to use this option anymore because the risk is too big! I don't know when someone will attack the server.

Anyway, I don't know if this is a real bug or if someone missed some setting from the previous version!

I really hope that this error will be repaired soon.

Regarding security certificates, I see that IE7 doesn't import it, so every time it asks me if I want to load it...
  #7 (permalink)  
Old 01-15-2008, 08:52 AM
Moderator
 
Posts: 1,027
Default

I don't have a Blackberry so I can't check the specific settings, but if Blackberries can use SSL (which they must since you used it before) they, too, may need the SSL certificates cleared out and refreshed. I can't tell you how to do that because I've never used one, but all SSL connections require a valid SSL certificate, and if your certificate has changed, devices that used to connect may not offer you the opportunity to import the changed certificate till you clear out the old one.

I've only looked at IE7 on Vista since I'm keeping it off of my network machines, but on the one instance where I did use it, importing the certificate was a royal pain that involved importing the Zimbra certificate authority (from your own Zimbra server) to the root certification authorities. It's not in the same place it was for IE6 and before. Microsoft details the security "enhancements" to IE7 here. The relevant portion:
Quote:
If the certificate was not signed by a trusted certification authority, you can add the certification authority if you trust the authority. Trusting a malicious certification authority will put your computer at risk, so use discretion. To add a Trusted certification authority, continue navigation from the Certificate Error page, and then click the Certificate Error button in the Internet Explorer address bar. Click the View Details link. On the Certification Path tab, select the root certificate and click the View Certificate button. On the General tab, click Install Certificate.
It's a pain, but it does work. Once you have approved the certification authority, the certificate will be accepted.

Cheers,

Dan
  #8 (permalink)  
Old 01-16-2008, 12:08 AM
Senior Member
 
Posts: 50
Default

Quote:
Originally Posted by dwmtractor View Post
I don't have a Blackberry so I can't check the specific settings, but if Blackberries can use SSL (which they must since you used it before) they, too, may need the SSL certificates cleared out and refreshed. I can't tell you how to do that because I've never used one, but all SSL connections require a valid SSL certificate, and if your certificate has changed, devices that used to connect may not offer you the opportunity to import the changed certificate till you clear out the old one.
OK, BlackBerry is a service offered by our mobile provider (Vodafone) and the process is this: Vodafone checks the messages on our server and after that the messages are delivered to our mobile devices! If Vodafone can't check the e-mail (via POP3 or POP3S) I don't receive any email on the mobile device! This is the BlackBerry service!

The problem is somewhere inside Zimbra because I installed a new Windows in a VM and got the same issue!

Last edited by socate; 01-17-2008 at 12:26 AM..
  #9 (permalink)  
Old 01-21-2008, 03:55 AM
Senior Member
 
Posts: 50
Exclamation

Hi again!

I ran a simple test again on the same server/same OS!

What I did:

1) Back up the last version
2) Uninstall the current version (5.0.1)
3) Install 4.5.10 again

On a clean install I discovered that this issue still exists! Can't connect via POP3.

I went ahead and restored the last backup made on 4.5.10! I repaired permissions, all processes started after another upgrade (another install of 4.5.10) and now everything is OK!

Maybe it's something in Postfix? Why doesn't the clean install work from the beginning?
  #10 (permalink)  
Old 01-22-2008, 03:52 AM
Senior Member
 
Posts: 50
Default

What I discovered:

I ran some tests as I wrote before; on version 4.5.10 the TLS errors depend on the SMTP Proxy - this service is not running by default! After enabling this process everything is fine.
Now, on this version we use Postfix version 2.2.9; since 2.3.0, Postfix includes TLS (version 1 - TLSv1) protocols as standard instead of SSLv3. Now, ZCS 5.0.x uses Postfix v2.4.3 directly and this is the issue.

I tried different combinations of SMTP_TLS options (from The Postfix Home Page) but with no success. Maybe someone with more experience can help us! We cannot use the "Clear Text login" option anymore - for security reasons!