  #11 (permalink)  
Old 11-08-2005, 12:08 PM
Zimbra Employee
 
Posts: 2,103
Default Nov 8 19:02:28 mx postfix/smtpd[20099]: warning: cannot get private key from file /o

Did you re-run the zmcertinstall command? It takes two options for the mta, cert file and key file:

zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key
Reply With Quote
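An added example, not part of the original post or of Zimbra's tooling: a pre-flight check for the two files handed to zmcertinstall mta, confirming that the key file loads without a passphrase and carries the same public key as the certificate. The function names and return codes are this example's own, and it assumes an openssl command line of version 1.0.0 or later (for the pkey subcommand).

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before installing it.
# check_cert_key, describe_result and the return codes are made up here.
# Assumes the openssl CLI, 1.0.0 or later (for "openssl pkey").

# Return codes: 0 pair matches, 1 a file is missing or unreadable,
# 2 key will not load without a passphrase (encrypted or malformed),
# 3 certificate will not parse, 4 key and certificate do not belong together.
check_cert_key() {
    cck_cert=$1
    cck_key=$2
    [ -r "$cck_cert" ] && [ -r "$cck_key" ] || return 1
    # The empty -passin makes an encrypted key fail at once instead of
    # prompting; a daemon starting unattended cannot answer a prompt either.
    cck_kpub=$(openssl pkey -in "$cck_key" -passin pass: -pubout 2>/dev/null) || return 2
    cck_cpub=$(openssl x509 -in "$cck_cert" -noout -pubkey 2>/dev/null) || return 3
    # Both commands print the public key as PEM; compare them as text.
    [ "$cck_kpub" = "$cck_cpub" ] || return 4
    return 0
}

describe_result() {
    case $1 in
        0) echo "OK: private key matches certificate" ;;
        1) echo "FAIL: certificate or key file is missing or unreadable" ;;
        2) echo "FAIL: key is passphrase-protected or not a valid private key" ;;
        3) echo "FAIL: certificate file does not parse as X.509" ;;
        4) echo "FAIL: key does not match the certificate's public key" ;;
        *) echo "FAIL: unexpected result $1" ;;
    esac
}

# Stand-alone use: sh check_pair.sh CERT_FILE KEY_FILE
if [ "$#" -eq 2 ]; then
    rc=0
    check_cert_key "$1" "$2" || rc=$?
    describe_result "$rc"
    exit "$rc"
fi
```

Run it against the same certificate and key paths you are about to pass to zmcertinstall; any result other than 0 means the pair should be fixed before the MTA is restarted.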
  #12 (permalink)  
Old 11-08-2005, 03:38 PM
Intermediate Member
 
Posts: 19
Default

Right... after much hacking and chopping around I've decided to begin again. ./install -u and I've started over again, as the more I hacked the more things stopped working until I had no https and no IMAPs.

Thanks for all the support so far!

Will begin again and will post my results.

To outline what I am trying to achieve: I want to configure a mail/collaboration suite on a server and for it to support multiple virtual domains. I'd like each of these virtual domains to have SSL on their POP/IMAP/SMTP mail.
Reply With Quote
  #13 (permalink)  
Old 11-08-2005, 04:06 PM
Intermediate Member
 
Posts: 19
Default Reinstalled and ready to rock?

Right, so I've got the server freshly installed and setup for one domain.

Here's what works:
IMAP with SSL from iMail client
https:// :7071 for admin

SMTP with Auth set in iMail fails with
Code:
Nov  8 23:02:27 mx postfix/smtpd[9327]: SSL_accept:error in SSLv3 read client certificate A
Nov  8 23:02:27 mx postfix/smtpd[9327]: SSL_accept error from i-195-137-88-40.freedom2surf.net[195.137.88.40]: -1
Nov  8 23:02:27 mx postfix/smtpd[9327]: lost connection after STARTTLS from i-195-137-88-40.freedom2surf.net[195.137.88.40]
Nov  8 23:02:27 mx postfix/smtpd[9327]: disconnect from i-195-137-88-40.freedom2surf.net[195.137.88.40]
after the key exchange

http AND https for normal mail access are not running (but nmap shows the ports as open from both localhost and from the external IP)
Reply With Quote
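An added example, not part of the original post: a small triage helper that pairs each "SSL_accept error from" line with the handshake state logged just before it by the same smtpd process, then counts failures per client address. The function names are this example's own; the first four sample lines are the ones posted above, and the last is constructed (documentation address 192.0.2.10) to show a failure that has no state line.

```shell
#!/bin/sh
# Added example: summarise Postfix smtpd TLS handshake failures per client.
# sample_log and tls_handshake_failures are names made up for this example.

sample_log() {
    cat <<'EOF'
Nov  8 23:02:27 mx postfix/smtpd[9327]: SSL_accept:error in SSLv3 read client certificate A
Nov  8 23:02:27 mx postfix/smtpd[9327]: SSL_accept error from i-195-137-88-40.freedom2surf.net[195.137.88.40]: -1
Nov  8 23:02:27 mx postfix/smtpd[9327]: lost connection after STARTTLS from i-195-137-88-40.freedom2surf.net[195.137.88.40]
Nov  8 23:02:27 mx postfix/smtpd[9327]: disconnect from i-195-137-88-40.freedom2surf.net[195.137.88.40]
Nov  8 23:05:11 mx postfix/smtpd[9330]: SSL_accept error from unknown[192.0.2.10]: -1
EOF
}

# Reads syslog lines on stdin; prints "count<TAB>client-ip<TAB>state".
tls_handshake_failures() {
    awk '
    # Field 5 is the process tag, e.g. postfix/smtpd[9327]:
    $5 ~ /^postfix\/smtpd\[[0-9]+\]:$/ {
        tag = $5
        msg = $0
        sub(/^.*postfix\/smtpd\[[0-9]+\]: /, "", msg)
        if (msg ~ /^SSL_accept:error in /) {
            # Remember the handshake state this process last reported.
            state[tag] = substr(msg, length("SSL_accept:error in ") + 1)
        } else if (msg ~ /^SSL_accept error from /) {
            # Client is logged as host[ip]; take the bracketed address.
            if (match(msg, /\[[0-9a-fA-F.:]+\]/)) {
                ip = substr(msg, RSTART + 1, RLENGTH - 2)
                where = ((tag in state) ? state[tag] : "unknown state")
                count[ip "\t" where]++
            }
            delete state[tag]
        }
    }
    END { for (k in count) print count[k] "\t" k }
    ' | LC_ALL=C sort
}

sample_log | tls_handshake_failures
```

To use it on a live server, feed it the mail log instead of sample_log; many failures from one address at the same handshake state usually point at that client's TLS settings rather than at the server.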
  #14 (permalink)  
Old 11-08-2005, 04:25 PM
Zimbra Employee
 
Posts: 2,103
Default other errors?

Did postfix spit out any errors on startup regarding TLS?
Reply With Quote
  #15 (permalink)  
Old 11-09-2005, 11:04 AM
Intermediate Member
 
Posts: 19
Default SMTP with SSL works!

So, after a rebuild from scratch I have a working IMAP/POP/SMTP with SSL AUTH set of services.

Here's what I've done to make sure that it works:
My machine is currently on a private IP with ports forwarded through from the Real World (TM) by an IPCOP firewall. We are running a DNS server on another machine on the LAN and Zimbra is using it for resolution of itself and other FQDNs. The /etc/hosts file has been modded:
Code:
127.0.0.1       localhost.localdomain   localhost
192.168.0.150   mx.networkassociations.org.uk mx
And during setup of Zimbra we set up the machine as mx.networkassociations.org.uk, which has in turn created certificates that have a resolvable FQDN matching that of the server being connected to.

The iMail client complains that the certificate has not been signed by a known authority, but after I have said that I accept the certificate then all is good.

And it works.

But!

My HTTP access is screwed - I've got HTTPS to :7071, but no HTTP or HTTP/S for email access......

Thoughts anyone?
Reply With Quote
  #16 (permalink)  
Old 11-09-2005, 11:43 AM
Zimbra Employee
 
Posts: 4,792
Default

Quote:
Originally Posted by robroadie
My HTTP access is screwed - I've got HTTPS to :7071, but no HTTP or HTTP/S for email access......

What do you get in the browser? Are you going to port 80? Did you try port 7070? Check out /opt/zimbra/tomcat/logs/catalina.out for more info.
Reply With Quote
  #17 (permalink)  
Old 11-10-2005, 02:12 AM
Intermediate Member
 
Posts: 19
Default

Quote:
Originally Posted by KevinH
What do you get in the browser? Are you going to port 80? Did you try port 7070? Check out /opt/zimbra/tomcat/logs/catalina.out for more info.
I checked out the /opt/zimbra/tomcat/logs/catalina.out file and wasn't seeing anything when attempting to connect. I restarted the services and all was OK.

I'll write up more on my install and post it to these forums.

Thank you for your continued support.
Reply With Quote
  #18 (permalink)  
Old 11-10-2005, 02:37 AM
Intermediate Member
 
Posts: 19
Default Firewall ports I have opened up

I've posted some info on the firewall ports I have opened up here: http://www.zimbra.com/forums/showthr...=3332#post3332
Reply With Quote
  #19 (permalink)  
Old 11-10-2005, 10:43 AM
Zimbra Employee
 
Posts: 2,103
Default https

If you can get https on the admin interface (7071) then your certs are fine - can you telnet to port 443 or 7443 on the server?

If not, then you need to change the server's mode:

su - zimbra
zmtlsctl mixed (or https)

tomcat stop
tomcat start

mixed mode - https login, http session
https mode - all https, all the time
Reply With Quote
  #20 (permalink)  
Old 11-10-2005, 11:58 AM
Intermediate Member
 
Posts: 19
Default

Quote:
Originally Posted by marcmac
You need to change the server's mode:
su - zimbra
zmtlsctl mixed (or https)

tomcat stop
tomcat start

Modes: mixed mode - https login, http session
Modes: https mode - all https, all the time
Marcmac, thanks for your support. As I mentioned in my previous post, I restarted the services and all was fine. Your information on how to change the server mode is really useful. I thought I'd highlight it by replying.
Reply With Quote