Thread: SMTP SSL error

  1. #1
    robroadie (Intermediate Member; Join Date: Nov 2005; Location: London; Posts: 19; Rep Power: 9)

    SMTP SSL error

    Firstly, this is a great project - I have been looking for a solution like this for a while. I hope to use zimbra as the messaging platform component in a community toolset package I am building.

    I've got the whole kit running on a dev server (FC3) inside a firewall. I have http access, users can logon via HTTP and send / receive email no problem. Remote clients (I'm using iMail) can connect with IMAP/S and read write their folders. All good.

    I am trying to use Zimbra as SMTP server for remote clients. I am getting an SSL failure when clients connect.

    Code:
    Nov  8 17:10:11 mx postfix/smtpd[6234]: connect from MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: setting up TLS connection from MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:before/accept initialization
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv2/v3 read client hello A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => 11 (0xB))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 16 03 01 00 57 01 00 00|53 03 01                 ....W... S..
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => 81 (0x51))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 43 70 db f3 ef 31 79 9f|40 4a f7 6b db d0 1b 81  Cp...1y. @J.k....
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0010 71 e9 31 3c 02 e2 c9 7e|4d 1a d9 ec ba f0 21 e5  q.1<...~ M.....!.
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0020 00 00 2c 00 05 00 04 00|0a ff 83 00 09 ff 82 00  ..,..... ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0030 03 00 08 00 06 ff 80 00|01 00 16 00 15 00 14 00  ........ ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0040 13 00 12 00 11 00 18 00|1b 00 1a 00 17 00 19 01  ........ ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0050 - <SPACES/NULLS>
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server hello A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write certificate A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server done A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: write to 088B5090 [088CD808] (684 bytes => 684 (0x2AC))
    
    some data is exchanged....
    
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 02a9 - <SPACES/NULLS>
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 flush data
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (5 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client certificate A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept error from MY IP: -1
    Nov  8 17:10:11 mx postfix/smtpd[6234]: lost connection after STARTTLS MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: disconnect from MY IP

    I've been digging around the forums... for example yes, I am using the full user@server.com to connect. I've plans for multiple domains so I edited with the zmsaslauthdctl.

    I think that the issue is that my certificate is for localhost.localdomain. I've tried to recreate my certs, but the script still gets localhost.localdomain from running hostname --fqdn. Maybe I should take that out?

    Anyway - what thoughts do people have?

    /rob

  2. #2
    marcmac (Expert Member; Join Date: Sep 2005; Posts: 2,103; Rep Power: 13)

    cert hostname

    That's almost certainly the problem. You can either edit the zmcreatecert script, and rebuild the certs - or set your hostname differently, then rerun the scripts...

  3. #3
    robroadie

    [zimbra@mx bin]$ hostname --fqdn
    localhost.localdomain

    [zimbra@mx bin]$ hostname
    mx.networkassociations.org.uk

    hummmm....I'll take off the --fqdn and see what happens.

    Thanks for your input!

  4. #4
    robroadie

    hostname --fqdn

    I removed --fqdn from zmcreatecert and a cert mx.networkassociations.org.uk was created.

    I figured I'd need to do the same to zmcertinstall. Which I have done.

    now to zmcertinstall.....

    Code:
    [zimbra@mx bin]$ zmcertinstall
    ** Importing server cert
    
    /opt/zimbra/bin/zmcertinstall: line 74: [: =: unary operator expected
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$ zmcertinstall mail
    ** Importing server cert
    
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$

    I get an error on line 74 of zmcertinstall which is the line beginning keytool in
    Code:
    importCert() {
    
        echo "** Importing server cert"
        echo
    
        if [ $APP = "mailbox" ]; then
            keytool -import -alias tomcat -keystore ${TOMCAT}/keystore \
                -trustcacerts -file ${CERTFILE} -storepass zimbra
        else
            cp -f $CERTFILE ${CONF}/smtpd.crt
            cp -f $KEYFILE ${CONF}/smtpd.key
        fi
    
    }

    Last edited by robroadie; 11-08-2005 at 10:48 AM.

  5. #5
    robroadie

    ok - this time I'll type the right command ;-)
    Code:
    [zimbra@mx bin]$ zmcertinstall mailbox
    ** Importing server cert
    
    keytool error: java.lang.Exception: Failed to establish chain from reply
    [zimbra@mx bin]$

  6. #6
    robroadie

    previously.....before I tried to recreate a host key the data exchanged between the server and the client referenced localhost.localdomain

    Code:
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0150 30 1c 06 03 55 04 03 13|15 6c 6f 63 61 6c 68 6f  0...U... .localho
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0160 73 74 2e 6c 6f 63 61 6c|64 6f 6d 61 69 6e 30 81  st.local domain0.
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0170 9f 30 0d 06 09 2a 86 48|86 f7 0d 01 01 01 05 00  .0...*.H ........

    now I see mx.networkassociations.org.uk in the exchange.....

    Code:
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00c0 62 72 61 31 26 30 24 06|03 55 04 03 13 1d 6d 78  bra1&0$. .U....mx
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00d0 2e 6e 65 74 77 6f 72 6b|61 73 73 6f 63 69 61 74  .network associat
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00e0 69 6f 6e 73 2e 6f 72 67|2e 75 6b 30 1e 17 0d 30  ions.org .uk0...0
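
The by-eye check in the post above (reading the certificate name out of the Postfix TLS debug dump) can be scripted. This is an added example, not part of the original post and not Zimbra or Postfix code: it reassembles the hex-dump lines and extracts any X.509 commonName strings. The function names are hypothetical; the two sample inputs are the excerpts quoted above.

```python
import re

# Postfix smtpd TLS debug dump line: "<offset> <hex, '|' after 8 bytes>  <ascii>"
DUMP_RE = re.compile(
    r"smtpd\[\d+\]: ([0-9a-f]{4}) ((?:[0-9a-f]{2}[ |])*[0-9a-f]{2})(?:  |$)")
CN_OID = bytes.fromhex("0603550403")    # DER encoding of OID 2.5.4.3 (commonName)
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8, Printable, T61 and IA5 strings

def dump_chunks(log_lines):
    """Reassemble dump lines into byte chunks, splitting where offsets jump."""
    chunks, current, expected = [], bytearray(), None
    for line in log_lines:
        m = DUMP_RE.search(line)
        if not m:
            continue                     # not a hex-dump line
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace("|", " "))
        if current and offset != expected:
            chunks.append(bytes(current))
            current = bytearray()
        current += data
        expected = offset + len(data)
    if current:
        chunks.append(bytes(current))
    return chunks

def common_names(log_lines):
    """Return each commonName string that is complete within the dumped bytes."""
    names = []
    for chunk in dump_chunks(log_lines):
        pos = chunk.find(CN_OID)
        while pos != -1:
            start = pos + len(CN_OID) + 2        # skip string tag and length byte
            if start <= len(chunk):
                tag, length = chunk[start - 2], chunk[start - 1]
                # short-form lengths only; ignore values cut off by the excerpt
                if tag in STRING_TAGS and length < 0x80 and start + length <= len(chunk):
                    names.append(chunk[start:start + length].decode("latin-1"))
            pos = chunk.find(CN_OID, pos + 1)
    return names

# Sample input: the two log excerpts quoted in the post above.
BEFORE = """Nov  8 17:44:05 mx postfix/smtpd[6234]: 0150 30 1c 06 03 55 04 03 13|15 6c 6f 63 61 6c 68 6f  0...U... .localho
Nov  8 17:44:05 mx postfix/smtpd[6234]: 0160 73 74 2e 6c 6f 63 61 6c|64 6f 6d 61 69 6e 30 81  st.local domain0.
Nov  8 17:44:05 mx postfix/smtpd[6234]: 0170 9f 30 0d 06 09 2a 86 48|86 f7 0d 01 01 01 05 00  .0...*.H ........""".splitlines()
AFTER = """Nov  8 17:54:14 mx postfix/smtpd[23043]: 00c0 62 72 61 31 26 30 24 06|03 55 04 03 13 1d 6d 78  bra1&0$. .U....mx
Nov  8 17:54:14 mx postfix/smtpd[23043]: 00d0 2e 6e 65 74 77 6f 72 6b|61 73 73 6f 63 69 61 74  .network associat
Nov  8 17:54:14 mx postfix/smtpd[23043]: 00e0 69 6f 6e 73 2e 6f 72 67|2e 75 6b 30 1e 17 0d 30  ions.org .uk0...0""".splitlines()
```

A certificate carries both an issuer and a subject commonName, so a full dump can return more than one value; a name that is cut off by the end of an excerpt is skipped.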

  7. #7
    marcmac

    Fun with certificates

    The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.

    keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Should show a my_ca alias and a tomcat alias. Delete them both:

    keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias my_ca

    keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias tomcat

    Then re-run the zmcreatecert and zmcertinstall commands.

  8. #8
    robroadie

    Quote Originally Posted by marcmac
    The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.
    keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    Should show a my_ca alias and a tomcat alias. Delete them both:

    done. but it only displayed 1 entry - tomcat

    Quote Originally Posted by marcmac
    Then re-run the zmcreatecert and zmcertinstall commands.

    right......
    Code:
    [zimbra@mx bin]$ zmcertinstall mta
    ** Importing server cert
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$ whoami
    zimbra
    [zimbra@mx bin]$ keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    tomcat, 08-Nov-2005, keyEntry,
    Certificate fingerprint (MD5):  printed....
    [zimbra@mx bin]$

  9. #9
    marcmac

    I lied

    Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

    keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca

  10. #10
    robroadie

    Quote Originally Posted by marcmac
    Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

    keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca

    this is where I'm at.....

    Code:
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: start app postfix 
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: Starting child postfix: (20051108190212) 
    Nov  8 19:02:26 mx postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
    Nov  8 19:02:26 mx postfix/postfix-script: starting the Postfix mail system
    Nov  8 19:02:26 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
    Nov  8 19:02:26 mx postfix/master[20096]: daemon started -- version 2.2.3, configuration /opt/zimbra/postfix-2.2.3/conf
    Nov  8 19:02:28 mx postfix/smtpd[20099]: initializing the server-side TLS engine
    Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: TLS library problem: 20099:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
    Nov  8 19:02:28 mx postfix/smtpd[20099]: cannot load RSA certificate and key data
    Nov  8 19:02:28 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:28 mx zimbramon[18688]: 18688:info: Doing startup 
    Nov  8 19:02:28 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Zimbra Monitor startup: 20103 
    Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Process 6227 not found - removing /opt/zimbra/zimbramon/FIFO/zm.pid 
    Nov  8 19:02:29 mx zimbramon[20117]: 20117:info: Status monitor startup 
    Nov  8 19:02:29 mx zimbramon[20118]: 20118:info: Creating soap server on port 7777 
    Nov  8 19:02:41 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:41 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
