Windows OS - Outlook - SMTP - Errors

[jsx]

I have installed Zimbra, and it works fine.
My Linux home PC has been configured to connect to my POP & SMTP.
My wife's Windows PC (older OS version) also connects to read/send her email.

Another person's email works via the web interface, but they can not correctly set up their computer's email program (outlook) to work for sending emails.

I have used my wife's computer and setup successfully their email - so i know the server/email/username/password/send/recieve works. It just does not work on their computer. I noticed their computer's OS (windows) is more recently updated.

I have noticed, what i believe is the key, that on my wife's pc, the first time you try to send/receive it asks if you want to trust the certificate, and on the other computer it does not.

I have followed the wiki for setting up a self cert and went through it with no problems.
SSL Certificate Problems - ZimbraWiki

Details:

Settings for both accounts to send/receive in OUTLOOK:
- receive: port 110 with no encryption (works fine on both computers)
- use SSL port 465 to send (SMTP)
- not using SPA
- requires SMTP authentication to send (checked)


I think the issue is with the other person's Window's configuration, but I've tried to find what setting would cause this. Does anyone know where I might look to change the settings?
-OR-
Possibly I have messed up a setting in Zimbra...

Zimbra Settings:
MTA tab: checked- enable auth, notchecked-TLS-only
(for both global settings, and the specific server)

If I have missed posting some vital piece of information, please let me know.

Thanks for any help.
-Mike

[zimbratester]

Hey bud,

I'm still a new zimbra user myself, but some of the things I would check on the remote pc would be:

Windows Firewall ? maybe it is blocking an incoming or outgoing ssl port

Remote Router ? same as the windows firewall, it might be setup to block all traffic (ipcop has a mod that does this)

Your router ? do you have all of the zimbra required ports forwarded to your internal box

Maybe you have tried these already, but if not thats where I would start. Hope it helps.

[jsx]

I didn't think of a windows based firewall. seems like an obvious thing to check first :blush: (i'll go check in a sec...)

In an effort to isolate the problem I removed as many differences between a working and non-working setup.

I have two PCs, both on my internal LAN:
- PC1(wife's) which works
- PC2 (spare) which does not work

The only difference is the windows OS.
The outlook settings are identical on both PCs.

Both are behind a Clark Connect firewall/router.
I'll go check to see if I have special rules for one vs the other IP in ClarkConnect.

Thanks for the advice...

[jsx]

windows did have a firewall running, but turning it off did not help any...
i think there is a built in part of the later windows OS (or maybe internet explorer 7) that automatically blocks self signed certs.

[darkmemory]

First thing I would do is from the remote machine telnet to the ports to verify you can connect. If you can not then there is a network issue or a firewall stopping you.

Example (replace zimbraserver.test.com with your mail server):

Telnet zimbraserver.test.com 110 (you should receive a POP3 banner)
Telnet zimbraserver.test.com 465 (there will be no banner but the telnet window will stay up)

If your telnet session times out or immediately disappears then the client machine can not connect either because of a firewall or network issue. If you are using a hostname then it might be DNS, try the IP address instead of the hostname.

I would also check your maillog to verify the remote machine is establishing a connection.

[jsx]

From the PC with the problem, I was able to telnet to the server by both domain name and IP address
(mail.js-x.com - 208.109.162.164)
telnet to port 110 shows the response, and port 465 shows the blank response.

This is the message that I get from outlook on the working PC:
[quote]
The server you are connected to is using a security certificate that could not be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

Do you want to continue using this server?
[quote]
After I say "YES" then it will work.

When I did the telnet to port 465 I saw in the maillog this:

Code:

May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: warning: 208.66.144.10: hostname h10-208-66-144.mesh.net verification failed: Name or service not known
May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: connect from unknown[208.66.144.10]
May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: setting up TLS connection from unknown[208.66.144.10]
May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: SSL_accept error from unknown[208.66.144.10]: -1
May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: lost connection after CONNECT from unknown[208.66.144.10]
May 28 16:46:44 ip-208-109-162-164 postfix/smtpd[976]: disconnect from unknown[208.66.144.10]

So it looks like the net-connection is there, just that the windows-OS is preventing it to access this 'un'-trusted certificate/site.

Has anyone successfully connected to the SSL(port 465 in my case)?
-OR-
Does anyone know what some versions of Windows are doing?
-Maybe there is a setting somewhere that says - don't trust, and don't ask...

Thanks again for the thoughts and help

[darkmemory]

I am able to get my windows box to work with outlook 2003. I do receive the warning about the cert as you do but that is to be expected when the cert is not signed by a trusted root CA. I am also trying on a private network. Maybe the client machine in question needs to add you server to the trusted sites?

Is this at initial client startup that the failure occurs or is when a send and receive is initialized? Outlook will try and establish the pop3 connection at startup and if you do not have allow "Enable clear text login" ticked then outlook will not be able to logon. Just a thought...

[jsx]

the error occurs after the 'send receive' button is pressed.

i found a site that described the same type of problem, and they suggested to have the machine install the crt -- i noticed several *.crt files on my server (locate *.crt)

i put them on the web so i could d/l it to my pc#2 and install the certificate. (then i removed the crt file from the web).

i used pc#2 to d/l and install the cert. but it didn't seem to take -- i'll reboot pc#2 in a bit to see if it processes them at boot up or something...

i have opened up non encrypted port (25) and it will work - but my ISP blocks all port 25 traffic - so the zimbra server is working -- just can't get the encrypted SMTP to work right now...

any idea which cert file is the right one to install?
or if just clicking from IE and following the prompts to install is not right?

[darkmemory]

I believe the cert that is being used for SMTP is /opt/zimbra/conf/smtpd.crt. You will have to export the cert using openssl in order to install it anywhere else I think.

I don't know if that will help because it seems like the client isn't even trying to initiate the TLS session because you do not get a prompt. Just for the sake of taking a MS product out of the loop have you tried using Thunderbird or some other mail client?

[jsx]

Linux is great! the linux boxes can work just fine -- its just the MS Office that has the problem. I will try the cert you specified and see if that works.

thanks for the ideas.