
Thread: [SOLVED] NE Migration: SMTP AUTH Failure

  1. #1
    markpr is offline Active Member
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9


    Following a migration from the Open Source Edition to the Network Edition I ran into a few problems. Currently some SOAP operations fail, but my biggest problem is that SMTP AUTH is failing. I demonstrated the problem to Zimbra Support this morning and they are investigating, but as we get closer to Monday morning, can anyone offer any suggestions to help?

    As I'm seeing other problems with SOAP could this be a SOAP communication problem rather than a SASL problem?

    I have looked over the SMTP AUTH Wiki entry as well as the forum but it looks like everything should be fine for me.

    Here's the log entry (below) plus some supporting info. Can anyone help? (Note that TLS secure communication on its own works fine; the only error is when sending outgoing emails using SMTP AUTH.)

    thanks - Mark

    Sep 29 09:37:14 www postfix/smtpd[32292]: connect from unknown[x.x.x.x]
    Sep 29 09:37:15 www postfix/smtpd[32292]: setting up TLS connection from unknown[x.x.x.x]
    Sep 29 09:37:17 www postfix/smtpd[32292]: TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: no secret in database
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www last message repeated 4 times
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: Password verification failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www last message repeated 5 times
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed

    [zimbra@www log]$ zmprov -l gs mail.mydomain.com | grep Auth

    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: mail.mydomain.com
    zimbraMtaAuthURL: https://mail.mydomain.com/service/soap/
    zimbraMtaTlsAuthOnly: TRUE

    [zimbra@www conf]$ grep sasl main.cf

    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit
    smtpd_sasl_auth_enable = yes
    smtp_sasl_security_options =

  2. #2
    markpr is offline Active Member

    A little about the migration....

    SMTP AUTH was working fine prior to the migration. After the migration (following the WIKI entry for Zimbra 4.5.6 that I was using), SMTP AUTH failed. I also lost all the Admin Extensions for the NE edition.

    I upgraded NE to 4.5.7 and this reintroduced the Admin extensions and correctly accepted my license key. However SMTP AUTH was still a problem.

    An example of the SOAP error is when I go into NE Mail Queues in the ADMIN UI and this generates an error. Note that my mail server is mail.mydomain.com but my domain is mydomain.com. Is it correct that the Zimbra user here (who doesn't exist as a mail account) is constructed from zimbra@ (mail server hostname) or should it be zimbra@ (my domain)? If it's the latter, how do I change this... the Zimbra account is not a normal mail account.

    Message: system failure: exception during auth {RemoteManager: mail.mydomain.com->zimbra@mail.mydomain.com:22}
    Error code: service.FAILURE
    Method: ZmCsfeCommand.prototype.invoke
    Details:soap:Receiver

  3. #3
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,486
    Rep Power
    56


    You don't mention whether you've set this:

    Code:
    $ zmprov gs zimbra.domain.com | grep Mode
    zimbraMailMode: mixed

    Regards


    Bill



  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    Also the zimbraMtaAuthURL doesn't match this with the port number 443 in there:

    Code:
    zimbraMtaAuthURL: https://zimbra.domain.com:443/service/soap/

    Regards


    Bill



  5. #5
    markpr is offline Active Member

    Hi Bill,

    I should have said that the mode is mixed and I had seen a posting where 443 in the URL seemed usual. However HTTPS implies 443 so I discounted this early on. Just in case, I tried adding 443 to the URL below but I receive a message that this URL can not be modified:

    $ zmprov ms mail.mydomain.com zimbraMtaAuthURL https//mail.mydomain.com:443/service/soap/
    ERROR: service.INVALID_REQUEST (invalid request: zimbraMtaAuthURL is immutable)

    I think the URL is good though.. the question is whether anything is listening on it...

    Mark

  6. #6
    phoenix is online now Zimbra Consultant & Moderator

    Originally posted by markpr:
    "I think the URL is good though.. the question is whether anything is listening on it..."

    The question then follows: can you telnet to mail.mydomain.com 443 and get any response? I see you've answered the support case so I'll leave you with that rather than have two of us asking you questions.

    Regards


    Bill



  7. #7
    markpr is offline Active Member

    Hi Bill,

    Just to let you know - I have fixed the Mail Queues problem so we can rule out SOAP as a fundamental issue (I needed to regen the ssh keys for the zimbra ssh user).

    I can open https://mail.mydomain.com in a browser (I have the Zimbra Web client running fine), and I can try to open the AUTH URL, but I get a message from Apache/Tomcat that HTTP GET METHOD is not allowed, which makes sense. I can also connect via telnet mail.mydomain.com 443.

    I'm really comfortable that this piece is working...and obviously my account login/pass works.

    I think the problem is with SASL: it's either not able to get the account information from the Zimbra Store or it's not able to negotiate a valid authentication method. I used to roll-my-own mailserver before Zimbra using Cyrus SASL, Postfix, Amavis, MySQL etc (one of the reasons I liked the Zimbra architecture so much) but now it's understanding how to debug these things inside of the Zimbra configuration and logging.

    Mark
    Last edited by markpr; 09-30-2007 at 10:43 AM.

  8. #8
    markpr is offline Active Member

    Bill,

    Still working through this problem. I haven't heard back yet from the support engineer but he works different hours I think (different timezone). Any help moving forward before Monday would be great... I have been debugging this as best I can without success. I have checked forum/wiki entries and made sure everything obvious was OK (libraries, binaries etc are all from Zimbra).

    I noticed here that the saslauthd_path was commented out (the mux does exist in this path and zimbra perms are correct). I tried uncommenting this and restarting but this made no difference:

    /opt/zimbra/cyrus-sasl/lib/sasl2/smtpd.conf

    log_level: 3
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
    # saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux


    Also, this file looks good: /opt/zimbra/cyrus-sasl/etc/saslauthd.conf

    zimbra_url: https://mail.mydomain.com/service/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off

    Mark
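
Added example (not part of the original thread and not Zimbra's own tooling): a consistency check between the smtpd log in post #1 and the smtpd.conf in post #8. The log records a CRAM-MD5 attempt and /etc/sasldb2 lookups, while the file limits mech_list to PLAIN LOGIN and sets pwcheck_method to saslauthd. The function names, and the reading that such a mismatch suggests smtpd is not loading this file, are assumptions of this example.

```python
import re

# Constructed sample: a subset of the warning lines posted in #1 (client address masked).
SAMPLE_LOG = """\
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: no secret in database
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed
"""

# Contents of smtpd.conf as posted in #8.
SAMPLE_CONF = """\
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
# saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux
"""

MECH_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+: SASL (\S+) authentication failed")
SASLDB_RE = re.compile(r"unable to open Berkeley db (\S+?):")

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def check_conf_applied(log_text, conf_text):
    """Return findings where smtpd's logged behaviour contradicts smtpd.conf."""
    conf = parse_sasl_conf(conf_text)
    allowed = {m.upper() for m in conf.get("mech_list", "").split()}
    findings = []
    tried = sorted(set(MECH_RE.findall(log_text)))
    extra = [m for m in tried if allowed and m.upper() not in allowed]
    if extra:  # a mechanism the file excludes was still attempted
        findings.append("mechanisms outside mech_list were attempted: " + ", ".join(extra))
    dbs = sorted(set(SASLDB_RE.findall(log_text)))
    if dbs and conf.get("pwcheck_method") == "saslauthd":  # supporting indicator only
        findings.append("auxprop database accessed while pwcheck_method is saslauthd: " + ", ".join(dbs))
    return findings
```

On the constructed sample both findings fire; the mech_list mismatch is the stronger signal, since sasldb warnings can also appear in some working saslauthd setups.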

  9. #9
    phoenix is online now Zimbra Consultant & Moderator

    Let's start with the obvious, is the service running: zmsaslauthdctl status
    Regards


    Bill



  10. #10
    phoenix is online now Zimbra Consultant & Moderator

    This is RHEL5, isn't it? You should have this file: /etc/ld.so.conf.d/zimbra.ld.conf - does it contain the same info as this:

    Code:
    /opt/zimbra/lib
    /opt/zimbra/sleepycat/lib
    /opt/zimbra/openldap/lib
    /opt/zimbra/cyrus-sasl/lib

    I asked earlier about this mode setting:

    Code:
    $ zmprov gs zimbra.domain.com | grep Mode
    zimbraMailMode: mixed

    What I meant to ask was - have you changed that mode since you've moved to this server?

    One other thing you should rule out is file permission problems. Can you shut down Zimbra and run the zmfixperms script, then restart Zimbra?
    Last edited by phoenix; 09-30-2007 at 12:55 PM.
    Regards


    Bill


