Unable to send mail after upgrading to 5.0.0 (LDAP TLS trouble)
I decided to upgrade from 4.5.9 to 5.0.0 on OpenSuSE 10.0 yesterday. I ended up staying up all night, getting to bed at 10am. This post is an attempt to save someone else from the same fate.
The install seemed to go well, except that it got a bit hung up on starting LDAP. I managed to get it to finish and everything looked great. Then I tried to send an email. Trying to send it from Outlook failed with a very long delay. Trying to send through the web interface caused my browser to hang, requiring a kill on both Firefox and IE7. Finally I tried a manual SMTP session using telnet. It went like this:
1. telnet localhost 25 (received 220)
2. helo test.com (received 250)
3. mail from: me@me.com
At this point, I got no response. This didn't look good.
After long hours of struggle and searching, I finally found an article about postfix hanging after "mail from" when using a mysql backend. It warned that using mysql or ldap at this point was probably a bad idea since they could potentially fail, causing exactly the problem I saw.
Ultimately I determined that the problem was solved by changing the ldap scripts to not start TLS. Initially I did this directly in the conf/ldap-*.cf files but it turns out that you need to change libexec/zmmtainit instead. Open the file and look for:
Code:
if [ "$num" == 5 ]; then
STARTTLS="no"
else
STARTTLS="yes"
fi
All I had to do was swap the yes and the no like this:
Code:
if [ "$num" == 5 ]; then
STARTTLS="yes"
else
STARTTLS="no"
fi
Actually, I sort of wonder if this is not correct anyway. Looking at the script, it is checking to see how much of the URL matches "ldaps". If 5 characters match, it means that the URL starts with ldaps:// rather than ldap://. Shouldn't we only be starting TLS in the "ldaps" case anyway?
Oh, and in case you read the post about expired LDAP certs causing delivery problems, that was not my problem. I replaced the certs and verified that they were good but still no dice. My LDAP is not externally visible anyway so I don't need TLS.
Anyway, if 4.5 worked fine (it didn't do the TLS stuff on LDAP) and after the upgrade you can't send mail, try this change and see if it saves you.
Cheers,
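As an added example, not code from the post above or from Zimbra's zmmtainit: a POSIX sh script that classifies an LDAP URL by its scheme and shows what the shipped branch logic and the swapped logic quoted in the post each set STARTTLS to. The "$num" prefix-count check that the post describes is replaced by a case pattern (an assumption about how the check can be written, not a copy of the script), and the URLs are constructed. One point to keep in view when reading the output: an ldaps:// URL is TLS from the first byte, so STARTTLS, which is an in-band upgrade of a plain ldap:// session, does not apply to it. The swap therefore amounts to STARTTLS=no for ldap:// URLs, i.e. directory traffic in the clear, which the script flags; that is a trade-off that only fits a directory that is not reachable from untrusted networks.

```shell
#!/bin/sh
# Added example (not from zmmtainit or Zimbra): classify an LDAP URL by scheme
# and report what kind of transport security applies to it. The prefix-count
# ($num) logic the post describes is replaced by a case pattern here; that is
# an assumption about the check, not a copy of the script.

# Prints "implicit" for ldaps:// (TLS from the first byte, STARTTLS not
# applicable), "starttls" for ldap:// (plain session that can be upgraded
# in-band), "local" for ldapi:// (Unix socket, no TLS layer) and "unknown"
# otherwise. Scheme matching is case-insensitive.
ldap_tls_mode() {
    url=$1
    scheme=$(printf '%s' "$url" | cut -d: -f1 | tr 'A-Z' 'a-z')
    case "$scheme" in
        ldaps) echo implicit ;;
        ldap)  echo starttls ;;
        ldapi) echo local ;;
        *)     echo unknown ;;
    esac
}

# Reproduces the two branch logics quoted in the post. "shipped" is the
# original: STARTTLS=no only when the URL is ldaps://, yes otherwise.
# "swapped" is the post's change: yes only for ldaps://, no otherwise.
# Arguments: URL, then "shipped" or "swapped". Prints yes or no.
starttls_setting() {
    mode=$(ldap_tls_mode "$1")
    case "$2:$mode" in
        shipped:implicit) echo no ;;
        shipped:*)        echo yes ;;
        swapped:implicit) echo yes ;;
        swapped:*)        echo no ;;
    esac
}

# Returns 0 (true) when the combination leaves directory traffic unencrypted:
# a plain ldap:// URL with STARTTLS=no. ldaps:// is encrypted regardless of
# the STARTTLS flag, and ldapi:// never leaves the host.
is_cleartext() {
    [ "$(ldap_tls_mode "$1")" = starttls ] && [ "$2" = no ]
}

# Demonstration over constructed URLs (example hosts, not real servers).
for u in ldap://ldap.example.com:389 ldaps://ldap.example.com:636 ldapi:///; do
    for logic in shipped swapped; do
        s=$(starttls_setting "$u" "$logic")
        if is_cleartext "$u" "$s"; then
            warn=" (cleartext directory traffic)"
        else
            warn=""
        fi
        printf '%-32s %-8s STARTTLS=%s%s\n' "$u" "$logic" "$s" "$warn"
    done
done
```

Running it prints one line per URL and logic; the only line carrying the cleartext warning is ldap:// under the swapped logic, which is exactly the configuration the post ends up with.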