Users get access to another users mail!

[Hatrix]

Hello Mailinglist,

I have the following problem:
Users get while working in the mail webclient another users session!

We had like 4 or 5 incidents in the last few month (so, the rate is very low, but could be higher as it is possible that not everyone reports these kinds of incidents and after you close and reopen your browser all is normal anyway).

The Zimbra solution is in place from January until know, the incidents first appeard (or where first reported) 3 or 4 month ago, we checked and could not find anything which could possible correlate to this problem in this timeframe (e.g. installations of other proxy, upgrades, etc.)


I have at least a more detailed report from one User:

The User has several emails in his Inbox.
He clicks on one of them, then an error messages appears.
-> It did not look like a windows error message
-> The User did not remember what the message said (philosophical issue)
-> There was a link in this errormessage which the user clicked
Then he was suddenly in the Inbox of another user.

The User called the internal IT department which tried to investigate
-> After browser stop and start everything worked, so no possible cookie stuff problem
-> The wrongly displayed Users never was connected on this machine
-> A basic log file analysis on the proxy and mail server reveiled not much

Server Setup:

All Users connect directly to the Proxy Server
-> apache on x86_64 bit linux, redhat enterprise linux server 5.3 tikanga
-> The system is prepared to do loadbalancing between the zimbra's, but currently only one zimbra is in production
-> Serves as a proxy for other systems as well, partly configured as:

Proxy modules
LoadModule proxy_module /etc/httpd/modules/mod_proxy.so
LoadModule proxy_connect_module /etc/httpd/modules/mod_proxy_connect.so
LoadModule proxy_ftp_module /etc/httpd/modules/mod_proxy_ftp.so
LoadModule proxy_http_module /etc/httpd/modules/mod_proxy_http.so
LoadModule proxy_ajp_module /etc/httpd/modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module /etc/httpd/modules/mod_proxy_balancer.so

Zimbra configuration in Apache:
<VirtualHost *:80>
ServerAdmin sistema@DOMAIN.net
ServerName webmail.DOMAIN.net
ServerAlias correu.DOMAIN.net

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://webmail.DOMAIN.net
</VirtualHost>

<VirtualHost *:443>
ServerAdmin sistema@DOMAIN.net
ServerName webmail.DOMAIN.net
ServerAlias correu.DOMAIN.net
SSLProxyEngine On
ErrorLog /var/log/httpd/defecte-error_log
CustomLog /var/log/httpd/defecte-access_log combined

<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/wildcard.DOMAIN.net.crt
SSLCertificateKeyFile /etc/httpd/ssl/wildcard.DOMAIN.net.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>

ProxyPass / http://ZIMBRA-IP1/
ProxyPassReverse / http://ZIMBRA-IP1/
</VirtualHost>

I do not see anything special in the setup, but I as well am new to zimbra, is there another/better way to proxy?
Where could the problem otherwise be originiated?
Better use ajp for proxying?

Thanks for your time and help
best
Ray

[uxbod]

It would be helpful if you were to update your profile with the following information

Code:

su - zimbra
zmcontrol -v

[Hatrix]

Quote:

Originally Posted by uxbod

It would be helpful if you were to update your profile with the following information

Code:

su - zimbra
zmcontrol -v

Thanks for the Hint, Done!
best

[Bill Brock]

I've had the same issue running two different proxies. Turning off the proxy's cache fixed the problem.

[Hatrix]

Hi Bill,

Thanks for answering, but we do not use caches in our proxy solution, it's just proxying the request to the zimbra server ...

[Bill Brock]

Not sure about your setup but I've never used a proxy that didn't use a cacheing scheme of some kind.

[Hatrix]

Quote:

Originally Posted by Bill Brock

Not sure about your setup but I've never used a proxy that didn't use a cacheing scheme of some kind.

We use apache as a Reverse Proxy.

I did right now some research, mod_proxy in apache is able to use caching, however, it needs mod_cache (and/or mod_mem_cache, mod_disk_cache) to work.

This modules are not loaded in our Apache process, i checked again and this is the full output of static and loaded modules in the apachae:

Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_default_module (shared)
authz_user_module (shared)
authn_dbm_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
include_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
setenvif_module (shared)
ssl_module (shared)
suexec_module (shared)
userdir_module (shared)
php5_module (shared)
proxy_module (shared)
proxy_connect_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_ajp_module (shared)
rewrite_module (shared)
proxy_balancer_module (shared)
Syntax OK

So, no, we do not have any caching active at this side ...

[Bill Brock]

Just wondering if you had resolved this and if so, how?

Is it proper to have your IfModule mod_ssl.c directives nested inside your Virtualhost *443 directive?

[Hatrix]

Quote:

Originally Posted by Bill Brock

Just wondering if you had resolved this and if so, how?

Is it proper to have your IfModule mod_ssl.c directives nested inside your Virtualhost *443 directive?

Hello,

thanks for following up, I have to say, no, nobody seems to experience the same problems, but we have to come to the bottom of this, I am thinking of buying support from Zimbra if noone else can help me, because we can not let this go on, it's a big problem which does not have to happen in an email solution.

As we have only this mod_proxy and go directly to the zimbra port 80 i am not sure HOW this can happen at all ...

your other question, regarding the nested ifModule, it is working fine in this installation, but I have to say I am not the guy who installed it, just right now there to fix this stuff ...

thanks and best

[Bill Brock]

Here is a link to a site where the issue is similar to yours. I notice you are running ajp. Apache maybe handing off some work to Tomcat which my possibly be cacheing.

Since you are having the exact same issue I was having I just keep going back to some kind of cache. I don't mean to be a pain in the touche.

Apache/Tomcat error - wrong pages being delivered - Stack Overflow