  #51 (permalink)  
Old 01-13-2008, 09:52 AM
Active Member
 
Posts: 26
Default

Had the same issue with upgrade from 5.0.0GA to 5.0.1 today. Solved it by setting start_tls = no in the ldap-*.conf files.
Reply With Quote
  #52 (permalink)  
Old 01-14-2008, 06:33 AM
Senior Member
 
Posts: 64
Default Same issue

Just adding my £2 to the pile: I have experienced the same issue with both 5.0 and 5.0.1. At present the only fix that works is to turn tls off via the config files. Really hope there is a resolution for this soon, as we are hoping to upgrade all of our servers, and a number of our clients are security crazy!

Regards,
Gary
Reply With Quote
  #53 (permalink)  
Old 01-27-2008, 12:43 PM
Junior Member
 
Posts: 9
Default

Quote:
Originally Posted by JHill View Post
Had the same issue with upgrade from 5.0.0GA to 5.0.1 today. Solved it by setting start_tls = no in the ldap-*.conf files.
I'll add my "me too" post to this thread as well. After upgrading from 4.5.10 NE to 5.0.1 NE I hit the same problem. I tried installing my commercial cert both from the Admin console as well as via zmcertmgr but postfix still barks. Changing the start_tls value to no in the ldap config files fixed it for now but I'd like to see it fixed via a patch or upgrade.
Reply With Quote
  #54 (permalink)  
Old 01-27-2008, 01:06 PM
Special Member
 
Posts: 100
Default

I sure hope Zimbra comes out with 5.02 soon to address this issue as well, as I hate having a hack in a production server.

BRW
Reply With Quote
  #55 (permalink)  
Old 01-27-2008, 01:17 PM
Zimbra Employee
 
Posts: 393
Default

Quote:
Originally Posted by brwatters View Post
I sure hope Zimbra comes out with 5.02 soon to address this issue
The issue will indeed be addressed in 5.0.2, and was due to a bug in postfix which we've patched around.

--Quanah
__________________
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Reply With Quote
  #56 (permalink)  
Old 01-27-2008, 01:19 PM
Zimbra Consultant
 
Posts: 5,814
Default

This looks like the fixed Bug 23922 - 4.x.x to 5.0.x upgrades with existing commercial certs may fail. (allow startTLS to succeed even if CA cert chain is missing)
-There was also a postfix bug as well.
__________________
-Mike Morse (MCode151)

Reply With Quote
  #57 (permalink)  
Old 02-10-2008, 08:32 AM
Active Member
 
Posts: 26
Default

In 5.0.2, we're still unable to receive mail with start_tls = yes in ldap-*.cf files. Here's the config:
Quote:
server_host = ldap://mail.domain.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailCanonicalAddress,zimbraMailCatchAllCanonicalAddress
version = 3
start_tls = no
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = pass
timeout = 30
Reply With Quote
  #58 (permalink)  
Old 02-10-2008, 09:37 PM
Zimbra Employee
 
Posts: 393
Default

Quote:
Originally Posted by JHill View Post
In 5.0.2, we're still unable to receive mail with start_tls = yes in ldap-*.cf files. Here's the config:
Showing the config isn't very useful, unfortunately. What would be useful is to know if you can get
Code:
ldapsearch -x -ZZ -h mail.domain.com
as the Zimbra user to work. If not, what errors it shows.
__________________
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Reply With Quote
  #59 (permalink)  
Old 02-10-2008, 10:07 PM
Active Member
 
Posts: 26
Default

Quote:
Originally Posted by quanah View Post
Showing the config isn't very useful, unfortunately. What would be useful is to know if you can get
Code:
ldapsearch -x -ZZ -h mail.domain.com
as the Zimbra user to work. If not, what errors it shows.
That worked fine, same ldapsearch results with start_tls set to yes and no.

Here are the errors from zimbra.log:
Quote:
Feb 10 23:59:39 zimbra postfix/trivial-rewrite[24096]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Feb 10 23:59:39 zimbra last message repeated 2 times
Feb 10 23:59:39 zimbra postfix/trivial-rewrite[24096]: fatal: ldap://opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Reply With Quote
  #60 (permalink)  
Old 02-18-2008, 04:33 PM
Senior Member
 
Posts: 52
Default Which config file turns off start_tls?

What is the absolute path of the above config file?

On 02-10-2008, 08:32 AM jhill provided a sample config to set start_tls = no. I can't find any such file to set this value for. I'm having the same problem and I'd like to use the same fix.

find doesn't seem to return what I need so do I create this file? If so where?

find /opt/zimbra -exec grep -q "start_tls" '{}' \; -print
Reply With Quote
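
For anyone who applied the workaround discussed in this thread, the following added example (not part of the original posts and not Zimbra's own tooling) reports which Postfix LDAP table files in a directory still connect without STARTTLS while binding with a password, so the setting can be reverted once a fixed release is installed. The function names and ldap-sample.cf are hypothetical, and the sample file contents are constructed from the config quoted earlier in the thread.

```shell
# Added example, not from the thread: report Postfix LDAP table files that
# still carry the start_tls = no workaround. Sample contents are constructed.

# Print the last value assigned to KEY ($2) in "key = value" file $1.
get_key() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# Classify a file: tls, cleartext-bind (bind_pw crosses the wire unencrypted)
# or cleartext. Postfix defaults assumed: start_tls = no, bind = yes.
audit_file() {
    secure=yes
    hosts=$(get_key "$1" server_host)
    for h in ${hosts:-localhost}; do      # hosts are whitespace-separated
        case "$h" in ldaps://*|ldapi://*) ;; *) secure=no ;; esac
    done
    tls=$(get_key "$1" start_tls | tr 'A-Z' 'a-z')
    bind=$(get_key "$1" bind | tr 'A-Z' 'a-z')
    if [ "$secure" = yes ] || [ "$tls" = yes ]; then
        echo tls
    elif [ "${bind:-yes}" != no ] && [ -n "$(get_key "$1" bind_pw)" ]; then
        echo cleartext-bind
    else
        echo cleartext
    fi
}

# Print "status<TAB>path" for every ldap-*.cf in directory $1.
audit_dir() {
    for f in "$1"/ldap-*.cf; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(audit_file "$f")" "$f"
    done
}

# Constructed sample: ldap-vad.cf with the workaround, ldap-sample.cf with STARTTLS.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'server_host = ldap://mail.domain.com:389' 'start_tls = no' \
        'bind = yes' 'bind_pw = pass' > "$d/ldap-vad.cf"
    printf '%s\n' 'server_host = ldap://mail.domain.com:389' 'start_tls = yes' \
        'bind = yes' 'bind_pw = pass' > "$d/ldap-sample.cf"
    echo "$d"
}

sample=$(make_sample)
audit_dir "$sample"    # on a Zimbra host: audit_dir /opt/zimbra/conf
rm -rf "$sample"
```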