setting up mailbox server with AD + proxy

[danber]

Hi all, I am trying to setup a new zimbra environment (open source for the moment) with two server installation (both on ubuntu 10.04).
The first server is in internal network and is a mailbox for an internal domain. I did install on it all components except proxy with internal auth. After this, using admin console, I did change the auth to Active Directory. So far, so good: accounts are receiving messages and I can use webmail or imap with thunderbird.
On the next step I did install a second server on the public network with proxy and I am trying to use this server to proxy imap to the internal server, so now I can see both servers in the admin gui of the internal server and I can also work with emails using the external http (I believe this means that the protocol between the two servers is ok and also authentication).
My problem arise when I configure my account on thunderbird to use the external server instead of the internal: I always got authentication error.
In nginx.log I got:
2012/01/03 17:32:13 [info] 26068#0: *7 upstream sent invalid response: "2 NO mechanism not supported: PLAIN" while reading response from upstream, client: 172.18.21.102, server: 0.0.0.0:993, login: "daniele", upstream: 172.18.10.145:143 (172.18.21.102:43961-159.213.51.154:993) <=> (159.213.51.154:44256-172.18.10.145:143)
Following this I issued the command: zmprov ms $(zmhostname) zimbraReverseProxyImapSaslPlainEnabled TRUE
on both servers but nothing changed.
Any clue?
Thank you
Daniele Bernazzi

[iggy]

Make sure you run libexec/zmproxyconfig on the backend mailstores. If this has been done, be sure to set zimbraImapCleartextLoginEnabled on the mailstores to TRUE.

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled TRUE

[danber]

Great: it works!
The problem was about the locking coming from the flag "This server is a reverse proxy lookup target": setting it disable the possibility to change zimbraImapCleartextLoginEnabled but it leave it unchanged (it does not force it to a specific value!), so the solution was to uncheck the flag, change the other option and recheck the flag.
BTW I have another marginal question (if you know the answer) where are the ip ports 7143 and 7993 used? they are not opened in listening on both servers and so I am puzzled about them. I believed 143 and 993 are open for the client and 7143 and 7993 are the corresponding port that should be open on the mailbox server for the use by the proxy server, but I guess this is not true. So, how it works?
Thank you a lot.
Daniele

[iggy]

Ports 7143 and 7993 are the designated listener ports for the mailstore when proxy and mailboxd are running on the same host to avoid port conflicts. In a multi-node setup, you will see those ports configured in the server object in LDAP regardless of which services are running on the actual host.

zimbraImapBindPort: 7143
zimbraImapSSLBindPort: 7993

and

zimbraPop3SSLBindPort: 7995
zimbraPop3BindPort: 7110

The values above are used only by mailboxd. These values are ignored by the proxy service even though they will be configured.

[danber]

thank you
Daniele