#1 (permalink)
01-23-2007, 08:11 PM
Intermediate Member
Posts: 18
osx - upgrade from 4.0.3 to 4.5 GA - ssl, cert error, can't send mail

below is a snippet from my /var/log/zimbra.log

Code:
myhost postfix/smtpd[29445]: connect from myhost/myipaddress
Jan 23 21:54:24 myhost postfix/smtpd[29445]: setting up TLS connection from myhost/myipaddress
Jan 23 21:54:25 myhost postfix/smtpd[29445]: TLS connection established from myhost/myipaddress: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 23 21:54:27 myhost saslauthd[23191]: auth_zimbra: me@mydomain auth failed: curl_easy_perform: error(60): SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 23 21:54:27 myhost saslauthd[23191]: do_auth         : auth failure: [user=me@mydomain] [service=smtp] [realm=mydomain] [mech=zimbra] [reason=Unknown]
Jan 23 21:54:27 myhost postfix/smtpd[29445]: warning: SASL authentication failure: Password verification failed

i obviously sanitized my host, domain, and client info

my environment:

4.5.0_GA_612_MACOSX
upgraded from 4.0.3 GA
running on osx server 10.4.8 w zimbra ldap

after the update (which appeared to go smoothly) i cannot send mail via imap smtp using secure mail port 25.

i've read several threads related to sasl-tls errors and have checked my auth methods and auth urls. the default after upgrade was mixed auth, i changed to https but no joy. i manually recreated and installed new certs via wiki, no joy.

i then re-ran zmsetup.pl with no change. the log snippet is post upgrade (second time). i basically wanted to undo any damage i might have done in troubleshooting and chasing the sasl-tls threads.

if anyone can offer a suggestion, that'd be great. i'm going to check this thread wed. a.m. and hopefully be able to remedy with your help.

tia, george

#2 (permalink)
01-23-2007, 09:19 PM
Zimbra-Yahoo Consultant
Posts: 5,608

Did you take a look here:
http://wiki.zimbra.com/index.php?tit...icate_Problems

DON'T FORGET TO BACKUP!

#3 (permalink)
01-24-2007, 05:49 AM
Intermediate Member
Posts: 18

yes, i tried this procedure (not the optional parts) but don't know enough about it to really test the results. i do have the updated certs in ldap and they match the files in /opt/zimbra locations.

thanks for the pointer. i'm hoping someone else will ring in.

geo

#4 (permalink)
01-24-2007, 07:46 AM
Intermediate Member
Posts: 18

i've re-read some threads on sasl errors when trying to send email from imap / pop3 clients securely. these are very similar, if not identical, to what i'm seeing.

to clarify, webmail is working correctly. client auth for imap and pop3 delivery is working correctly.

client auth for sending via ssl is what's not working.

-george

#5 (permalink)
01-24-2007, 03:19 PM
Intermediate Member
Posts: 18

any other suggestions? i'm going to backup / re-install tonight if i can't get any resolution within the next few hours.

-george

#6 (permalink)
01-24-2007, 04:57 PM
Zimbra-Yahoo Consultant
Posts: 5,608

Yeah,
You should be able to do a reinstall that might fix it.
Run the install as an upgrade, and I believe it reinstalls the certs.

jh

#7 (permalink)
01-24-2007, 05:39 PM
Intermediate Member
Posts: 18

wannabetenor,

when i run zmsetup.pl, i don't have an option to alter configs. when i've run this from other platforms (linux for example) i've been able to select subsystems to alter config.

on osx, settings are read from ldap and i don't see the expected config menu.

is there a flag for zmsetup.pl? is there a zmsetup.log file somewhere to edit / delete?

tia,

george

#8 (permalink)
01-24-2007, 06:48 PM
Zimbra-Yahoo Consultant
Posts: 5,608

Just run the installer script again.

Backup first tho

./install.sh

#9 (permalink)
01-24-2007, 09:11 PM
Intermediate Member
Posts: 18

okay, i re-ran the installer (osx mpkg instead of .sh script). the install takes about an hour on my hardware.

i still have cert and TLS errors. here's a snippet from my zimbra.log

Code:
postfix/smtpd[19274]: warning: TLS library problem: 19274:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:411:
Jan 24 22:myhost postfix/smtpd[19167]: lost connection after STARTTLS from

i monitored the install and new certs were installed during install/upgrade.

i scanned zmsetup.log and don't see any errors during setup of certs.

i'm really bummed over this. what else should i try?

george

#10 (permalink)
01-26-2007, 06:31 AM
Intermediate Member
Posts: 18

just closing the loop here. i never resolved the TLS - auth - cert issue after several tries.

using a backup from prior to the upgrade, i re-installed 4.5 cleanly and am currently injecting old store msgs into my new instance. it's a little time consuming, but i'm learning a little about zmlmtpinject in the process. if i could have gotten my backup running i would have used imapsync instead.

i don't know why my attempts to fix the config using mac-install.sh, zmsetup.pl etc didn't work. i know the osx installed base might be small, but i'm grateful for the product and would like to help make it better.

one thing that would help me would be to better understand the dependencies that zmsetup.pl expects, relative to existing config files, interrupted / aborted runs, etc. i'd like to know how to initiate a re-config from the zmsetup expanded menu short of having to delete .install_history, .ssh, config.*, /tmp/zmsetup.log.*, etc... i was guessing most of the time.

i think the behavior on linux and other os's might be different. when i was testing version 3.x on linux prior to adopting osx, it was much easier to get to the config menu to reset params.

if i can help test something, let me know. and if some of this can be helped by rtfm, then point me to the right place :-)

george
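
The two OpenSSL errors in the logs above (curl's `certificate verify failed` in post #1 and smtpd's `key values mismatch` in post #9) correspond to two separate checks that can be run by hand. The script below is an added example, not part of the original thread or of Zimbra's tooling. Its function names and the demo files it generates are constructed for illustration; the server's real CA, certificate and key files have to be supplied as arguments.

```shell
#!/bin/sh
# Added example (not Zimbra's code). Files are passed as arguments; no Zimbra paths assumed.

# 0 if the certificate ($1) and private key ($2) carry the same public key.
# Failure here is what smtpd logged as "key values mismatch". 2 = unreadable input.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($2) verifies against the CA bundle ($1). Failure here is
# what curl reported to saslauthd as error 60, "certificate verify failed".
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run both checks and name the failure. $1 = CA bundle, $2 = cert, $3 = key.
diagnose() {
    rc=0
    cert_matches_key "$2" "$3" || { echo "MISMATCH: $3 is not the key for $2 (or unreadable)"; rc=1; }
    cert_chains_to "$1" "$2" || { echo "UNTRUSTED: $2 does not verify against $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 pairs with $3 and verifies against $1"
    return "$rc"
}

# Constructed sample input: a throwaway CA, a server cert it signed, and an
# unrelated self-signed cert and key. $1 = scratch directory.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=mail.example.test" \
        -keyout "$1/stray.key" -out "$1/selfsigned.crt" 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
diagnose "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" || true      # healthy pair
diagnose "$demo/ca.crt" "$demo/server.crt" "$demo/stray.key" || true       # wrong key installed
diagnose "$demo/ca.crt" "$demo/selfsigned.crt" "$demo/stray.key" || true   # cert from another CA
```

Comparing the public keys rather than the RSA modulus means the same check also works for non-RSA keys.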