  #1 (permalink)  
Old 11-08-2005, 10:21 AM
Intermediate Member
 
Posts: 19
Question SMTP SSL error

Firstly, this is a great project - I have been looking for a solution like this for a while. I hope to use zimbra as the messaging platform component in a community toolset package I am building.

I've got the whole kit running on a dev server (FC3) inside a firewall. I have http access, users can logon via HTTP and send / receive email no problem. Remote clients (I'm using iMail) can connect with IMAP/S and read/write their folders. All good.

I am trying to use Zimbra as SMTP server for remote clients. I am getting an SSL failure when clients connect.

Code:
Nov  8 17:10:11 mx postfix/smtpd[6234]: connect from MY IP
Nov  8 17:10:11 mx postfix/smtpd[6234]: setting up TLS connection from MY IP
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:before/accept initialization
Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => -1 (0xFFFFFFFF))
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv2/v3 read client hello A
Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => 11 (0xB))
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 16 03 01 00 57 01 00 00|53 03 01                 ....W... S..
Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => -1 (0xFFFFFFFF))
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => 81 (0x51))
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 43 70 db f3 ef 31 79 9f|40 4a f7 6b db d0 1b 81  Cp...1y. @J.k....
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0010 71 e9 31 3c 02 e2 c9 7e|4d 1a d9 ec ba f0 21 e5  q.1<...~ M.....!.
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0020 00 00 2c 00 05 00 04 00|0a ff 83 00 09 ff 82 00  ..,..... ........
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0030 03 00 08 00 06 ff 80 00|01 00 16 00 15 00 14 00  ........ ........
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0040 13 00 12 00 11 00 18 00|1b 00 1a 00 17 00 19 01  ........ ........
Nov  8 17:10:11 mx postfix/smtpd[6234]: 0050 - <SPACES/NULLS>
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 read client hello B
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server hello A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write certificate A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server done A
Nov  8 17:10:11 mx postfix/smtpd[6234]: write to 088B5090 [088CD808] (684 bytes => 684 (0x2AC))

some data is exchanged....

Nov  8 17:10:11 mx postfix/smtpd[6234]: 02a9 - <SPACES/NULLS>
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 flush data
Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (5 bytes => -1 (0xFFFFFFFF))
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client certificate A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept error from MY IP: -1
Nov  8 17:10:11 mx postfix/smtpd[6234]: lost connection after STARTTLS MY IP
Nov  8 17:10:11 mx postfix/smtpd[6234]: disconnect from MY IP
I've been digging around the forums... for example yes, I am using the full user@server.com to connect. I've plans for multiple domains so I edited with the zmsaslauthdctl.

I think that the issue is that my certificate is for localhost.localdomain. I've tried to recreate my certs, but the script still gets localhost.localdomain from running hostname --fqdn. Maybe I should take that out?

Anyway - what thoughts do people have?

/rob
  #2 (permalink)  
Old 11-08-2005, 10:25 AM
Zimbra Employee
 
Posts: 2,073
Default cert hostname

That's almost certainly the problem. You can either edit the zmcreatecert script, and rebuild the certs - or set your hostname differently, then rerun the scripts...
  #3 (permalink)  
Old 11-08-2005, 10:37 AM
Intermediate Member
 
Posts: 19
Default

[zimbra@mx bin]$ hostname --fqdn
localhost.localdomain

[zimbra@mx bin]$ hostname
mx.networkassociations.org.uk

hummmm....I'll take off the --fqdn and see what happens.

Thanks for your input!
  #4 (permalink)  
Old 11-08-2005, 10:42 AM
Intermediate Member
 
Posts: 19
Default hostname --fqdn

I removed --fqdn from zmcreatecert and a cert mx.networkassociations.org.uk was created.

I figured I'd need to do the same to zmcertinstall. Which I have done.

now to zmcertinstall.....

Code:
[zimbra@mx bin]$ zmcertinstall
** Importing server cert

/opt/zimbra/bin/zmcertinstall: line 74: [: =: unary operator expected
cp: missing destination file
Try `cp --help' for more information.
[zimbra@mx bin]$ zmcertinstall mail
** Importing server cert

cp: missing destination file
Try `cp --help' for more information.
[zimbra@mx bin]$
I get an error on line 74 of zmcertinstall, which is the line beginning with keytool in
Code:
importCert() {

    echo "** Importing server cert"
    echo

    if [ $APP = "mailbox" ]; then
        keytool -import -alias tomcat -keystore ${TOMCAT}/keystore \
            -trustcacerts -file ${CERTFILE} -storepass zimbra
    else
        cp -f $CERTFILE ${CONF}/smtpd.crt
        cp -f $KEYFILE ${CONF}/smtpd.key
    fi

}

Last edited by robroadie : 11-08-2005 at 10:48 AM.
  #5 (permalink)  
Old 11-08-2005, 10:50 AM
Intermediate Member
 
Posts: 19
Default

ok - this time I'll type the right command ;-)
Code:
[zimbra@mx bin]$ zmcertinstall mailbox
** Importing server cert

keytool error: java.lang.Exception: Failed to establish chain from reply
[zimbra@mx bin]$
  #6 (permalink)  
Old 11-08-2005, 10:57 AM
Intermediate Member
 
Posts: 19
Default

previously.....before I tried to recreate a host key the data exchanged between the server and the client referenced localhost.localdomain

Code:
Nov  8 17:44:05 mx postfix/smtpd[6234]: 0150 30 1c 06 03 55 04 03 13|15 6c 6f 63 61 6c 68 6f  0...U... .localho
Nov  8 17:44:05 mx postfix/smtpd[6234]: 0160 73 74 2e 6c 6f 63 61 6c|64 6f 6d 61 69 6e 30 81  st.local domain0.
Nov  8 17:44:05 mx postfix/smtpd[6234]: 0170 9f 30 0d 06 09 2a 86 48|86 f7 0d 01 01 01 05 00  .0...*.H ........
now I see mx.networkassociations.org.uk in the exchange.....

Code:
Nov  8 17:54:14 mx postfix/smtpd[23043]: 00c0 62 72 61 31 26 30 24 06|03 55 04 03 13 1d 6d 78  bra1&0$. .U....mx
Nov  8 17:54:14 mx postfix/smtpd[23043]: 00d0 2e 6e 65 74 77 6f 72 6b|61 73 73 6f 63 69 61 74  .network associat
Nov  8 17:54:14 mx postfix/smtpd[23043]: 00e0 69 6f 6e 73 2e 6f 72 67|2e 75 6b 30 1e 17 0d 30  ions.org .uk0...0
  #7 (permalink)  
Old 11-08-2005, 11:04 AM
Zimbra Employee
 
Posts: 2,073
Default Fun with certificates

The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.

keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

Should show a my_ca alias and a tomcat alias. Delete them both:

keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias my_ca

keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias tomcat

Then re-run the zmcreatecert and zmcertinstall commands.
  #8 (permalink)  
Old 11-08-2005, 11:23 AM
Intermediate Member
 
Posts: 19
Default

Quote:
Originally Posted by marcmac
The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.
keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
Should show a my_ca alias and a tomcat alias. Delete them both:
done. but it only displayed 1 entry - tomcat

Quote:
Originally Posted by marcmac
Then re-run the zmcreatecert and zmcertinstall commands.
right......
Code:
[zimbra@mx bin]$ zmcertinstall mta
** Importing server cert
cp: missing destination file
Try `cp --help' for more information.
[zimbra@mx bin]$ whoami
zimbra
[zimbra@mx bin]$ keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, 08-Nov-2005, keyEntry,
Certificate fingerprint (MD5):  printed....
[zimbra@mx bin]$
  #9 (permalink)  
Old 11-08-2005, 11:38 AM
Zimbra Employee
 
Posts: 2,073
Default I lied

Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca
  #10 (permalink)  
Old 11-08-2005, 12:05 PM
Intermediate Member
 
Posts: 19
Default

Quote:
Originally Posted by marcmac
Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca
this is where I'm at.....

Code:
Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: start app postfix 
Nov  8 19:02:12 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: Starting child postfix: (20051108190212) 
Nov  8 19:02:26 mx postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
Nov  8 19:02:26 mx postfix/postfix-script: starting the Postfix mail system
Nov  8 19:02:26 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
Nov  8 19:02:26 mx postfix/master[20096]: daemon started -- version 2.2.3, configuration /opt/zimbra/postfix-2.2.3/conf
Nov  8 19:02:28 mx postfix/smtpd[20099]: initializing the server-side TLS engine
Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: TLS library problem: 20099:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
Nov  8 19:02:28 mx postfix/smtpd[20099]: cannot load RSA certificate and key data
Nov  8 19:02:28 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
Nov  8 19:02:28 mx zimbramon[18688]: 18688:info: Doing startup 
Nov  8 19:02:28 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Zimbra Monitor startup: 20103 
Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Process 6227 not found - removing /opt/zimbra/zimbramon/FIFO/zm.pid 
Nov  8 19:02:29 mx zimbramon[20117]: 20117:info: Status monitor startup 
Nov  8 19:02:29 mx zimbramon[20118]: 20118:info: Creating soap server on port 7777 
Nov  8 19:02:41 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
Nov  8 19:02:41 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
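The thread shows two distinct TLS failure signatures in the postfix/smtpd log: in post #1 the client drops the connection right after the server sends its certificate (the certificate was issued for localhost.localdomain), and in the last post smtpd cannot load its key because /opt/zimbra/conf/smtpd.crt and smtpd.key are no longer a matching pair. The triage script below is an added example, not code from the thread or from Zimbra; it runs over constructed log lines in the same format (the client address is a placeholder) and the pid-to-diagnosis rules are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated postfix/smtpd TLS trace in the format
# seen in this thread. 6234 is the client-abort case, 20099 the key mismatch.
SAMPLE_LOG = """\
Nov  8 17:10:11 mx postfix/smtpd[6234]: connect from unknown[192.0.2.10]
Nov  8 17:10:11 mx postfix/smtpd[6234]: setting up TLS connection from unknown[192.0.2.10]
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write certificate A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server done A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client certificate A
Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept error from unknown[192.0.2.10]: -1
Nov  8 17:10:11 mx postfix/smtpd[6234]: lost connection after STARTTLS from unknown[192.0.2.10]
Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: TLS library problem: 20099:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
"""

# Match the smtpd pid and the message text after the "postfix/smtpd[pid]:" prefix.
LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")

def triage(log_text):
    """Return {pid: diagnosis} for every smtpd process whose TLS setup failed."""
    sent_cert = defaultdict(bool)   # pid -> server has already written its certificate
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        if "key values mismatch" in msg or "cannot get private key" in msg:
            # Server-side failure: the cert and key on disk do not belong together.
            findings[pid] = "cert/key mismatch: smtpd.crt and smtpd.key are not a pair"
        elif msg.startswith("SSL_accept:SSLv3 write certificate"):
            sent_cert[pid] = True
        elif msg.startswith("SSL_accept error") and sent_cert[pid]:
            # The handshake got as far as the certificate, then the client gave up:
            # typically the certificate name or issuer is not what the client expects.
            findings[pid] = ("client aborted after receiving the server certificate: "
                             "check the certificate subject against the host name clients use")
        elif msg.startswith("SSL_accept error"):
            findings[pid] = "handshake failed before the certificate was sent"
    return findings

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_LOG).items():
        print(pid, why)
```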