Zimbra 6.0.5: GetAllMTAAuthUrls returns 7071-ports

[ploeger]

Hi everyone!

When I do a zmprov gamau I get:

https://<host1>:7071/service/admin/soap/ https://<host2>:7071/service/admin/soap/

(<host1> and <host2> are replaced with our hostnames)

This breaks my whole sasl configuration. I had to manually set the hosts in the conf.in-file.

Can somebody tell me, why he thinks, that he's supposed to go to the admin-services on 7071?

Thanks in advance.

Kind regards

Dennis

[LMStone]

Hi Dennis,

I see you are new to the Forums; welcome! Please update your profile with the output of zmcontrol -v.

To your question, perhaps I am misunderstanding it, but Zimbra's intention and design is to have the Admin Console accessible only via https on port 7071.

All the best,
Mark

[ploeger]

Hi Mark!

I've been around the forums for some while, but haven actually posted it. But you're right, I've updated my profile.

Quote:

Originally Posted by LMStone

To your question, perhaps I am misunderstanding it, but Zimbra's intention and design is to have the Admin Console accessible only via https on port 7071.

I think, you misunderstand it. I know, that the admin console is only accessible via https. The problem is, that that connection is wrong for the MTA auth-urls (or at least it's not working here).

It should be http://<host1>:80/service/soap (or https://<host1>:443/service/soap when using https), not :7071...

When I manually edit the saslauthd.conf.in and put the right urls in it, saslauth works, with the :7071-connection it doesn't work.

My question is, where Zimbra get's that information to return when doing a zmprov gamau.

Thanks.

Kind regards
Dennis

[LMStone]

On our hosting farm, running zmprov gamua generates a list of all of the servers, separated by spaces, in the same format you show:

Code:

https://<server1_fqdn>:7071/service/admin/soap/ https://<server1_fqdn>:7071/service/admin/soap/ https://<server2_fqdn>:7071/service/admin/soap/ https://<server3_fqdn>:7071/service/admin/soap/ https://<server4_fqdn>:7071/service/admin/soap/ https://<server5_fqdn>:7071/service/admin/soap/ https://<server6_fqdn>:7071/service/admin/soap/ https://<server7_fqdn>:7071/service/admin/soap/

Not sure why that breaks things on your end, but at least I can confirm that what you are seeing is correct.

Hope that helps,
Mark

[ploeger]

Quote:

Originally Posted by LMStone

Not sure why that breaks things on your end, but at least I can confirm that what you are seeing is correct.

That is strange. When I set up the system using the 7071-ports for saslauthd, nobody can do smtp-auth. In the logs all authenticate requests get an error 403...

Can you imagine what's wrong here? How can I debug that further?

Thanks.

Kind regards
Dennis

[LMStone]

Quote:

Originally Posted by ploeger

When I set up the system using the 7071-ports for saslauthd, nobody can do smtp-auth.

What do mean by this? There's no end-user setup of saslauthd required.

Sorry to answer a question with a question, but to help I need to understand better exactly what you have done here.

All the best,
Mark

[ploeger]

Quote:

Originally Posted by LMStone

What do mean by this? There's no end-user setup of saslauthd required.

To clarify:

Zimbra automatically writes saslauthd.conf using the admin-ports like said earlier. When I use this configuration, I see 403-errors in the logs whenever a user tries to do smtp-auth.

When I manually rewrite saslauthd.conf.in to use port 80 and use that config, everything works fine.

You said, that in your configuration, the admin-ports are written in the saslauthd.conf and everything works fine.

I don't understand, why it doesn't work on my side.

Kind regards
Dennis

[LMStone]

So let's start from the beginning...

Did smtp_auth ever work on this server?

Is the server more than a year old?

In the admin console under the MTA tab for this server's configuration, are "Enable authentication" and "TLS authentication only" both checked?

Have you changed anything in the underlying operating system or with Zimbra's default install?

Please also post a log file snippet showing authentication failing.

Mark

[quanah]

Going to the admin port in this case is the correct behavior. Did you block off access to port 7071? It is done to ensure that an https encrypted connection is always made.