Okay, I think I've isolated the issue. It looks like a bug in the version of curl (and thus libcurl) in my installation:
CURL distributed with my system (Ubuntu 10.04)
root@hostname:/# curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
* About to connect() to mail.hostname.com port 7071 (#0)
* Trying 206.221.217.246... connected
* Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/zimbra/conf/ca/ca.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=US; ST=TX; O=hostname; OU=Zimbra Collaboration Suite; CN=*.hostname.com
* start date: 2011-06-18 03:11:20 GMT
* expire date: 2021-06-15 03:11:20 GMT
* common name: *.hostname.com (matched)
* issuer: C=US; ST=N/A; L=N/A; O=Zimbra Collaboration Suite; OU=Zimbra Collaboration Suite; CN=mail.hostname.com
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: mail.hostname.com:7071
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Sat, 18 Jun 2011 03:59:09 GMT
< Expires: Tue, 24 Jan 2000 20:46:50 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Location: https://mail.hostname.com:7071/zimbraAdmin
< Content-Length: 0
<
* Connection #0 to host mail.hostname.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Works fine. Now, using the CURL included with Zimbra:
root@hostname:/# /opt/zimbra/curl/bin/curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
* About to connect() to mail.hostname.com port 7071 (#0)
* Trying 206.221.217.246... connected
* Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/zimbra/conf/ca/ca.pem
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mail.hostname.com:7071
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to mail.hostname.com:7071
Immediate failure due to unknown protocol error?
root@hostname:/# curl --version
curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
root@hostname:/# /opt/zimbra/curl/bin/curl --version
curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/1.0.0d zlib/1.2.3.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
As you can see, when I use the version of curl included with my OS, it has no issues connecting. But when I use the version of curl included with Zimbra... it immediately chokes and dies, claiming an unknown SSL error.
I don't have a particularly exotic installation, standard settings all throughout, so I don't really understand how I could have what seems to be a bad version of curl when nobody else has reported the issue. The only difference between the two commands is the version of curl used, so I don't really understand what else could be the problem.
Edit: Well, I guess OpenSSL could be the problem too...?
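The two transcripts above differ in one telling way: in the failing run the only handshake message printed is the outgoing Client hello, and the error arrives before any Server hello, so the server certificate and the CA file have not even been looked at yet. That places the problem in the negotiation between the two client builds (curl 7.19.7 on OpenSSL 0.9.8k versus curl 7.21.4 on OpenSSL 1.0.0d) and the server, not in trust configuration. The following Python helper is an added example for this thread, not code from curl or Zimbra; it reads the `* SSLv3, TLS handshake, <msg> (<n>):` lines and the final `curl: (N)` line from a `curl -v` transcript and reports at which stage the handshake stopped. The verdict names and the `tls_backend` helper are this example's own; the sample input is abridged from the two transcripts posted above.

```python
"""Triage where a `curl -v` TLS handshake stopped (added example, not curl's own code)."""
import re

# Handshake messages in the order a successful curl -v run prints them.
HANDSHAKE_ORDER = [
    "Client hello", "Server hello", "CERT", "Server key exchange",
    "Server finished", "Client key exchange", "Finished",
]
_HANDSHAKE_RE = re.compile(r"TLS handshake, (?P<msg>.+?) \((?P<num>\d+)\):")
_EXIT_RE = re.compile(r"^curl: \((?P<code>\d+)\)")
_BACKEND_RE = re.compile(
    r"\b(?P<lib>OpenSSL|GnuTLS|NSS|wolfSSL|Schannel|SecureTransport)/(?P<ver>\S+)")


def triage(transcript: str) -> dict:
    """Return the last handshake message seen, curl's exit code (if any) and a
    coarse verdict on where the TLS exchange broke off."""
    last_msg = None
    exit_code = None
    verified = False
    for line in transcript.splitlines():
        m = _HANDSHAKE_RE.search(line)
        if m:
            last_msg = m.group("msg")
        elif "SSL certificate verify ok" in line:
            verified = True
        else:
            e = _EXIT_RE.match(line)
            if e:
                exit_code = int(e.group("code"))

    if verified and exit_code is None:
        verdict = "handshake-complete"
    elif last_msg is None:
        # Failed before a ClientHello went out: TCP, DNS or proxy, not TLS.
        verdict = "no-tls-attempted"
    elif last_msg == "Client hello":
        # ClientHello sent, no ServerHello back: the server did not accept what
        # the client offered (protocol version, extensions, cipher list). A
        # CA-file or name-mismatch problem cannot surface this early because
        # the server certificate has not been sent yet.
        verdict = "no-server-response"
    elif last_msg in ("Server hello", "CERT", "Server key exchange", "Server finished"):
        # Server answered, but the client stopped before its own key exchange:
        # typical of certificate validation failures (untrusted CA, wrong name,
        # expired certificate).
        verdict = "client-rejected-server"
    else:
        verdict = "late-handshake-failure"
    return {"last_handshake_msg": last_msg, "curl_exit": exit_code, "verdict": verdict}


def tls_backend(version_line: str):
    """Pull the TLS library and version out of the first line of `curl --version`,
    e.g. ('OpenSSL', '1.0.0d'); None if no known backend is named."""
    m = _BACKEND_RE.search(version_line)
    return (m.group("lib"), m.group("ver")) if m else None


# Sample input abridged from the two transcripts in the post (constructed for this example).
TRANSCRIPT_OK = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* SSL certificate verify ok.
< HTTP/1.1 302 Found
"""

TRANSCRIPT_FAIL = """\
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mail.hostname.com:7071
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to mail.hostname.com:7071
"""

if __name__ == "__main__":
    for name, t in (("system curl", TRANSCRIPT_OK), ("zimbra curl", TRANSCRIPT_FAIL)):
        print(name, triage(t))
    print(tls_backend("curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15"))
    print(tls_backend("curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/1.0.0d zlib/1.2.3.3"))
```

Run against the two transcripts, the system curl comes back `handshake-complete` and the Zimbra curl `no-server-response` with exit 35, and `tls_backend` shows the other thing that changed along with the binary: the OpenSSL it links against. That is the reason to compare the handshake stage before touching `--cacert`: a trust problem would show the CERT message first.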