#1
09-30-2007, 02:12 AM
Intermediate Member
Posts: 23
[SOLVED] NE Migration: SMTP AUTH Failure

Following a migration from the Open Source Edition to the Network Edition I ran into a few problems. Currently some SOAP operations fail but my biggest problem is that SMTP AUTH is failing. I demonstrated the problem to Zimbra Support this morning and they are investigating.. but as we get closer to Monday morning can anyone offer any suggestions to help?

As I'm seeing other problems with SOAP could this be a SOAP communication problem rather than a SASL problem?

I have looked over the SMTP AUTH Wiki entry as well as the forum but it looks like everything should be fine for me.

Here's the log entry (below) plus some supporting info. Can anyone help? (Note that TLS secure communication on its own works fine; the only error is when sending outgoing emails using SMTP AUTH.)

thanks - Mark

Sep 29 09:37:14 www postfix/smtpd[32292]: connect from unknown[x.x.x.x]
Sep 29 09:37:15 www postfix/smtpd[32292]: setting up TLS connection from unknown[x.x.x.x]
Sep 29 09:37:17 www postfix/smtpd[32292]: TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: no secret in database
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www last message repeated 4 times
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: Password verification failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www last message repeated 5 times
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed

[zimbra@www log]$ zmprov -l gs mail.mydomain.com | grep Auth

zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.mydomain.com
zimbraMtaAuthURL: https://mail.mydomain.com/service/soap/
zimbraMtaTlsAuthOnly: TRUE

[zimbra@www conf]$ grep sasl main.cf

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options =
#2
09-30-2007, 02:20 AM
Intermediate Member
Posts: 23

A little about the migration....

SMTP AUTH was working fine prior to the migration. After the migration (following the WIKI entry for Zimbra 4.5.6 that I was using), SMTP AUTH failed. I also lost all the Admin Extensions for the NE edition.

I upgraded NE to 4.5.7 and this reintroduced the Admin extensions and correctly accepted my license key. However SMTP AUTH was still a problem.

An example of the SOAP error is when I go into NE Mail Queues in the ADMIN UI and this generates an error. Note that my mail server is mail.mydomain.com but my domain is mydomain.com. Is it correct that the Zimbra user here (who doesn't exist as a mail account) is constructed from zimbra@ (mail server hostname), or should it be zimbra@ (my domain)? If it's the latter, how do I change this... the Zimbra account is not a normal mail account.

Message: system failure: exception during auth {RemoteManager: mail.mydomain.com->zimbra@mail.mydomain.com:22}
Error code: service.FAILURE
Method: ZmCsfeCommand.prototype.invoke
Details:soap:Receiver
#3
09-30-2007, 02:50 AM
Zimbra Consultant & Moderator
Posts: 11,518

You don't mention whether you've set this:
Code:
$ zmprov gs zimbra.domain.com | grep Mode
zimbraMailMode: mixed
__________________
Regards


Bill
#4
09-30-2007, 02:52 AM
Zimbra Consultant & Moderator
Posts: 11,518

Also the zimbraMtaAuthURL doesn't match this with the port number 443 in there:

Code:
zimbraMtaAuthURL: https://zimbra.domain.com:443/service/soap/
__________________
Regards


Bill
#5
09-30-2007, 10:54 AM
Intermediate Member
Posts: 23

Hi Bill,

I should have said that the mode is mixed and I had seen a posting where 443 in the URL seemed usual. However HTTPS implies 443 so I discounted this early on. Just in case, I tried adding 443 to the URL below but I receive a message that this URL can not be modified:

$ zmprov ms mail.mydomain.com zimbraMtaAuthURL https//mail.mydomain.com:443/service/soap/
ERROR: service.INVALID_REQUEST (invalid request: zimbraMtaAuthURL is immutable)

I think the URL is good though.. the question is whether anything is listening on it...

Mark
#6
09-30-2007, 11:17 AM
Zimbra Consultant & Moderator
Posts: 11,518

Quote:
Originally Posted by markpr
I think the URL is good though.. the question is whether anything is listening on it...
The question then follows, can you telnet to mail.mydomain.com 443 and get any response? I see you've answered the support case so I'll leave you with that rather than have two of us asking you questions.
__________________
Regards


Bill
#7
09-30-2007, 11:34 AM
Intermediate Member
Posts: 23

Hi Bill,

Just to let you know - I have fixed the Mail Queues problem so we can rule out SOAP as a fundamental issue (I needed to regen the ssh keys for the zimbra ssh user).

I can open in a browser https://mail.mydomain.com (I have the Zimbra Web client running fine), and I can try and open the AUTH URL but I get a message that HTTP GET METHOD is not allowed from Apache/Tomcat, which makes sense. I can also connect via telnet mail.mydomain.com 443.

I'm really comfortable that this piece is working...and obviously my account login/pass works.

I think the problem is with SASL: it's either not able to get the account information from the Zimbra Store or it's not able to negotiate a valid authentication method. I used to roll-my-own mailserver before Zimbra using Cyrus SASL, Postfix, Amavis, MySQL etc (one of the reasons I liked the Zimbra architecture so much) but now it's understanding how to debug these things inside of the Zimbra configuration and logging.

Mark

Last edited by markpr : 09-30-2007 at 11:43 AM.
#8
09-30-2007, 12:31 PM
Intermediate Member
Posts: 23

Bill,

Still working through this problem.. I haven't heard back yet from the support engineer but he works different hours I think (different timezone). Any help moving forward before Monday would be great...I have been debugging this as best I can without success. I have checked forum/wiki entries and made sure everything obvious was OK (libraries, binaries etc are all from Zimbra).

I noticed here that the saslauthd_path was commented out (the mux does exist in this path and zimbra perms are correct). I tried uncommenting this and restarting but this made no difference:

/opt/zimbra/cyrus-sasl/lib/sasl2/smtpd.conf

log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
# saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux


Also this file looks good: /opt/zimbra/cyrus-sasl/etc/saslauthd.conf

zimbra_url: https://mail.mydomain.com/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

Mark
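An added example, not part of the original thread: a small check that cross-references the Postfix log from post #1 with the smtpd.conf shown in post #8. A mechanism that fails in the log but is absent from mech_list, or sasldb lookups while pwcheck_method is saslauthd, would be consistent with smtpd not applying the file shown; that reading is an assumption of this example, not something the thread establishes.

```python
import re
# Excerpt of the log from post #1 and the smtpd.conf from post #8 of this thread.
SAMPLE_LOG = """\
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www last message repeated 4 times
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed
"""
SAMPLE_CONF = """\
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
# saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux
"""

FAILED = re.compile(r"SASL (\S+) authentication failed")
REPEAT = re.compile(r"last message repeated (\d+) times")

def parse_conf(text):
    """Return active 'key: value' options; commented-out lines are ignored."""
    pairs = (l.split(":", 1) for l in text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(log_text, conf_text):
    """Compare what the log shows smtpd doing with what smtpd.conf asks for."""
    opts = parse_conf(conf_text)
    allowed = opts.get("mech_list", "").upper().split()
    failed, sasldb_hits, prev_sasldb = [], 0, False
    for line in log_text.splitlines():
        rep = REPEAT.search(line)
        if rep:  # syslog collapsed duplicates of the previous message
            sasldb_hits += int(rep.group(1)) if prev_sasldb else 0
            continue
        prev_sasldb = "sasldb" in line
        sasldb_hits += prev_sasldb
        failed += FAILED.findall(line)
    return {
        "failed_mechs": failed,
        "not_in_mech_list": [m for m in failed if allowed and m.upper() not in allowed],
        "sasldb_lookups": sasldb_hits,
        "pwcheck_method": opts.get("pwcheck_method"),
        "saslauthd_path_set": "saslauthd_path" in opts,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_CONF))
```

To run it against a live system, pass the contents of the mail log and of /opt/zimbra/cyrus-sasl/lib/sasl2/smtpd.conf to `audit()` in place of the embedded samples.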
#9
09-30-2007, 01:37 PM
Zimbra Consultant & Moderator
Posts: 11,518

Let's start with the obvious, is the service running: zmsaslauthdctl status
__________________
Regards


Bill
#10
09-30-2007, 01:50 PM
Zimbra Consultant & Moderator
Posts: 11,518

This is RHEL5 isn't it? You should have this file: /etc/ld.so.conf.d/zimbra.ld.conf - does it contain the same info as this:

Code:
/opt/zimbra/lib
/opt/zimbra/sleepycat/lib
/opt/zimbra/openldap/lib
/opt/zimbra/cyrus-sasl/lib
I asked earlier about this mode setting:

Code:
$ zmprov gs zimbra.domain.com | grep Mode
zimbraMailMode: mixed
what I meant to ask was - have you changed that mode since you've moved to this server?

One other thing you should rule out is file permission problems. Can you shut down Zimbra and run the zmfixperms script, then restart Zimbra?
__________________
Regards


Bill

Last edited by phoenix : 09-30-2007 at 01:55 PM.