[SOLVED] ZCS 7.1.1 broken SMTP Auth

[flsimbeck]

In installed the 7.1.1 update and all was good, until I tried to send a email. Outbound SMTP Auth was broken. I went thrugh and checked the configuration and the only thing I noticed is:

zmlocalconfig -x postfix_smtp_sasl_security_options
returned noanonymous
but
postconf -x smtp_sasl_security_options
returned noplaintext, noanonymous
This was after I tried to re-apply the zmlocalconfg and a restart of Zimbra

I never did get It working, I had to restore the backup I made before the upgrade, after the restore, the above match with noanonymous.

The /var/log/zimbra.log contained this error:

Code:

Jun  2 19:59:54 mail postfix/smtp[836]: certificate verification failed for outbound.mailhop.org[204.13.248.72]:10025: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun  2 19:59:54 mail postfix/smtp[836]: 39105318055: to=, relay=outbound.mailhop.org[204.13.248.72]:10025, delay=1.1, delays=0.01/0.02/0.97/0.07, dsn=5.0.0, status=bounced (host outbound.mailhop.org[204.13.248.72] said: 550 You must authenticate to use MailHop Outbound (in reply to MAIL FROM command))

The above first entry looks like postfix rejected the CA certificate for Equifax and then bouced the message.

After the restore, all still works, so I'm thinking there was a change in 7.1.1 that broke this.

I'd like to re-apply the update, but how do I fix this? or is it a bug.

[BarBaar]

I might have the same issue. I noticed zmconfigd appears not to be running in the Admin-console. But the zmconfigd.log doesn not show anything strange.

It looks like zmconfigd does not rewrite /opt/zimbra/postfix/conf/main.cf correctly.

Anyone can confirm this?

[flsimbeck]

Quote:

Originally Posted by BarBaar

I might have the same issue. I noticed zmconfigd appears not to be running in the Admin-console. But the zmconfigd.log doesn not show anything strange.

It looks like zmconfigd does not rewrite /opt/zimbra/postfix/conf/main.cf correctly.

Anyone can confirm this?

I checked the zmconfigd.log, and no errors in the 7.1.1 installation.
I also checked /opt/zimbra/postfix\main.cf in both v7.1.0 and v7.1.1 instalations and smtp_sasl_security_options entry is in v7.1.0, but does not appear in the v7.1.1 instalation, even though I executed the below commands, more than once.

Code:

zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
zmcontrols restart

[BarBaar]

Created Bug 60605

[flsimbeck]

For Release 7.1.1_GA_3196.RHEL5_64_20110527011124 RHEL6_64 FOSS edition. I've loosely tested a work around that survives a zimbra restart and a reboot.

Manually setting configuration values with "postconf -e” as the zimbra user sets the values in /opt/postfix/conf/main.cf and zmconfigd does not appear to reset, change, or remove them.

The values I was forced to set to re-enable outbound SMTP authentication and not be rejected by the outbound relay are:

Code:

smtp_sasl_auth_enable
smtp_cname_overrides_servername
smtp_use_tls
smtp_sasl_security_options
smtp_sasl_mechanism_filter
smtp_tls_security
smtp_sasl_password_maps

I have verified that none of theses confirguation valuse when set with "zmlocalconfig -e postfix_" are written to /opt/postfix/conf/main.cf

[quanah]

if you make changes via zmlocalconfig -e , and those changes end up in /opt/zimbra/postfix/conf/main.cf, it is zmconfigd that is making that update, as that's the only process that pushes changes from zmlocalconfig to postfix.

[flsimbeck]

Quote:

Originally Posted by quanah

if you make changes via zmlocalconfig -e , and those changes end up in /opt/zimbra/postfix/conf/main.cf, it is zmconfigd that is making that update, as that's the only process that pushes changes from zmlocalconfig to postfix.

I believe that is the point of the issue, the changes made with "zmlocalconfig -e" are not being written to /opt/zimbra/postfix/conf/main.cf by zmconfigd

If a change, to the postfix config, is made with zmlocalconfig is made, zmconfigd does log that it did rewrite main.cf. If you check the parameter you just changed, zmlocalconfig does reflect the change, but the change does not actually make it to main.cf.

[quanah]

Quote:

Originally Posted by flsimbeck

The values I was forced to set to re-enable outbound SMTP authentication and not be rejected by the outbound relay are:

Code:

smtp_sasl_auth_enable
smtp_cname_overrides_servername
smtp_use_tls
smtp_sasl_security_options
smtp_sasl_mechanism_filter
smtp_tls_security
smtp_sasl_password_maps

I have verified that none of theses confirguation valuse when set with "zmlocalconfig -e postfix_" are written to /opt/postfix/conf/main.cf

None of these values have *ever* been tracked or handled by zmconfigd or zmmtaconfig. They are not valid keys to set in zmlocalconfig either.

[flsimbeck]

I found this information when I orginally switched to an outbound relay and had to setup SMTP Auth (required by my relay service) on October 02, 2009 (I checked my relay billing). This is at least since zcs 6. Below is the referance link I used to initialy set up outbound SMTP Authentication. The zmlocalconfig options appear toward the end of the article.

Code:

http://wiki.zimbra.com/wiki/Outgoing_SMTP_Authentication

The key names in my previous post are accepted by zmlocalconfig and stored in /etc/zimbra/conf/localconfig.xml and have been transferred to /ect/zimbra/postfix/conf/main.cf for every version prior to zcs 7.1.1 since I setup SMTP Auth. Without these settings in main.cf, Postfix will not use authentication for outbound mail relaying.

Here is the relevant portion of my current /etc/zimbra/conf/localconfig.xml
(I had to remove all the carrets to get to display in the post)

Code:

?xml version="1.0" encoding="UTF-8"?

localconfig
  key name="postfix_smtp_sasl_password_maps"
    valuehash:/opt/zimbra/conf/relay_password/value
  /key
  key name="postfix_always_add_missing_headers"
    valueyes/value
  /key
  key name="postfix_smtp_tls_security"
    valuemay/value
  /key
  key name="postfix_smtp_sasl_mechanism_filter"
    valueplain,login/value
  /key
  key name="postfix_smtp_sasl_auth_enable"
    valueyes/value
  /key
  key name="postfix_smtp_use_tls"
    valueyes/value
  /key
  key name="postfix_smtp_cname_overrides_servername"
    valueno/value
  /key
  key name="postfix_smtp_sasl_security_options"
    valuenoanonymous/value
  /key
/localconfig

With version 7.1.1, they are stored in localconfig.xml, but not transferred to main.cf.

Your, maybe mistaken?, impression that they have never been handled by zmlocalconfig could be the very reason it has stopped working with v7.1.1, and has worked on previouse versions back in to v6.

I backed up my current zcs 7.1.1 installation (a hard drive image) and restored the previous zcs 7.1.0 installation and CONFIRMED that the zmlocalconfig options are accepted and stored in localconfig.xml AND written to main.cf.

You can then maybe understand why your statement:

Quote:

Originally Posted by quanah

None of these values have *ever* been tracked or handled by zmconfigd or zmmtaconfig. They are not valid keys to set in zmlocalconfig either.

Is making no sense to me, when I just PROVED it is not the case.

I've been a ZCS user since version 5.0.19 (because I hate Exchange, yes hate), and have applied every update and upgrade as they've come out without issue intill v7.1.1

If I'm mistaken, I'll apologize in advance, but I don't see how I can be when, with v7.1.0, I can show just the opposite behavior to your above statement.

[quanah]

You can create, and set, whatever keys in the world you want, in localconfig.xml via zmlocalconfig. It doesn't mean they are supported or necessarily processed. I'm looking at the actual code for zmlocalconfig (LC.java), and these keys do not exist in them.

You can also look at the zmmta.cf file to find out where things get pulled from. Anything starting with VAR gets pulled from LDAP. Anything starting with LOCAL comes from zmlocalconfig.

These values get pulled from LDAP. So I stand by what I said. These do not, and never have, come from zmlocalconfig. So, there may be issues with zmconfigd getting values from LDAP, but the problem has nothing to do with zmlocalconfig.