Zimbra

bjdraw · #1 (**permalink**) 06-29-2006, 02:34 PM

I am having a very odd issue and I believe it has something to do with the Zimbra server.

If I send a 3MB attachment to a receipient and that reciepient uses Outlook via IMAP or POP3 the attachment causes a timeout. With POP a few tries will eventually retrieve the attachment, but with IMAP it continues to fail.

I have two IMAP server running on the same VMWare server one is an Exchange 2003 FE server and the other is a Zimbra 3.1.4 on CentOS 4.3.

The Outlook 2003 client is connecting over the Internet (works fine via the LAN) when connecting to Zimbra it errors, I CC the same message to my Exchange server and Outlook has no trouble with it. Outlook is configured with two profiles one for Zimbra and one for Exchange. If I access the same Zimbra mailbox via HTTP the attachment downloads in ~5 seconds at a rate of ~750KB/s.

If I do a tcpdump on the Zimbra server everything looks normal except this.

Code:

15:59:09.844747 IP zimbra.dsm.net.imap > rrcs-67-78-21-74.se.biz.rr.com.2147: . 926489504:926490884(1380) ack 1082144614 win 5840
15:59:09.864039 IP rrcs-67-78-21-74.se.biz.rr.com.2147 > zimbra.dsm.net.imap: . ack 1380 win 65535 <nop,nop,sack sack 2 {1700630289:1700681349}{1700623389:1700628909} >
15:59:09.864091 IP zimbra.dsm.net > rrcs-67-78-21-74.se.biz.rr.com: icmp 68: host zimbra.dsm.net unreachable - admin prohibited

I am not sure what is causing the icmp 68 request, but I don't allow icmp in on my firewall.

Now for the weird part, if I connect to the Zimbra IMAP service on my MacBook Pro using the same Internet connection and Apple's Mail.app I am able to download the attachment without any problems.

The problem is of course that everyone uses Outlook and now they are forced to login to the web interface to download their attachments.

I haved searched through zimbra.log, but haven't found anything relavant.

Thanks in Advanced.

Ben

KevinH · #2 (**permalink**) 07-03-2006, 02:12 AM

Good post. What is the attachment? Can you post a bug and add the attachment to the bug report so we can replicate it in-house?

bjdraw · #3 (**permalink**) 07-03-2006, 08:46 AM

I have tried a few attachements all about 3MB (the size reported by the user). I tried both dmg and zip files as well as a PDF.

I attempted to upload an attachment to the bugzilla, but it errors.

Code:

DBD::mysql::st execute failed: MySQL server has gone away [for Statement "INSERT INTO attachments (bug_id, creation_ts, filename, description, mimetype, ispatch, isprivate, submitter_id, thedata) 
           VALUES (8753, '2006-07-03 09:39:08', 'macICA_OSX.dmg.zip', 'An example of an attacment that causes a timeout via POP or IMAP', 'application/x-zip-compressed', 0, 0, 586,  called at /var/www/bugzilla-2.16.6/attachment.cgi line 123

I have reported it to webmaster@zimbra.com

KevinH · #4 (**permalink**) 07-04-2006, 10:02 AM

If you can post the example file on an HTTP link then just add a URL to the comments of the bug that would also work.

bjdraw · #5 (**permalink**) 07-05-2006, 01:56 PM

I added a link to an example.

let me know if you need anything else.

This is really not helping my push for Open Source solutions at my company. We are almot 100% MS and I have been pushing open source solutions since I started here. This is the first one they have adopted and now they are blaming me for every problem we have.

Thanks again for all the help!

Ben

scottnelson · #6 (**permalink**) 07-05-2006, 04:01 PM

Are the clients using a VPN or coming in via dialup / PPPoE DSL?

Sounds like an firewall issue with icmp not being able to get though to the server to me really.
Many people block all icmp but "icmp-unreachables" are good and should not be blocked. There are several icmp subsets besides icmp-echo and icmp-echo-reply ( what the "PING" program uses )
such as "icmp-unreachable" that need to be opened up on the firewall(s).
http://www.iana.org/assignments/icmp-parameters

Path MTU Discovery (pmtud) needs "icmp-unreachable" open to the server.
ICMP from the client is trying to tell the server to fragment the packets but the server never receives them so keeps sending normal size packets.
So, you can either allow icmp-unreachables or change the mtu setting on the client(s).
With cheaper firewalls it's pretty much all or nothing sometimes so, lowering the mtu on the clients might be the only way if so.
As a test, try lowering the mtu on a single client
( One of them that hasn't been working ) to something like 1432 and see if that helps, then post back.

Scotty

bjdraw · #7 (**permalink**) 07-05-2006, 09:16 PM

Scotty,
Thanks for the suggestions.
There is no VPN or PPPoE/dialup on my test clients.

I verified that icmp was allowed in iptables on the zimbra server and I enabled icmp on my pix to that server. I am now able to ping the server zimbra.dsm.net from the client in question.

On that link you sent me there is no specific type for 68. Would you happen to know how to explecitly allow those packets on a Pix and/or iptables?

This seems like more of a work around than a solution, although either is good right now. I could understand if the Mac clients had the same problem.
Thanks again.

Ben

scottnelson · #8 (**permalink**) 07-05-2006, 10:43 PM

First thing is to troubleshoot and then when we know what it is, then figure out what to do at that point. ;-)

Can you disable IPTables to perform some testing with your outside client and then re-enable when done? See if you can download and upload with IPTables off.

Then, if that still doesn't work, put a rule in the PIX to temporarily allow all traffic from your outside test client IP Address to your server, see if that works.

If still no go, do both and then test.

68 isn't a code type, it's the icmp packet size for the reply that it's being admin-denied somewhere.
The tcpdump part that says:
zimbra.dsm.net unreachable - admin prohibited
is why I brought up icmp-unreachable theory.
admin-prohibited means it is either being blocked at the firewall(s) by rule or a builtin/external IDS somewhere or IDS setting on the pix, or something is blocking the icmp-unreachable message in which case, the "please fragment" icmp message isn't getting to the server.
If it's one or both of the firewalls, the above tests should either prove or eliminate them as suspects.
Also, by it working locally on the lan and not over the Internet also lends creadance to a firewall or networking issue somewhere.
Could I still be wrong? <shrug> Yup, but at least we'll know if it's a firewall(s) issue at your site or not.
Since it works locally though, unless you have some extensive rules in iptables, the issue is probably not going to be there but it's good to be sure anyway.

:-)

Scotty