Ajcody-Ciphers-Outlook-Troubleshooting

Revision as of 18:50, 15 January 2015 by Ajcody

References:
* https://www.openssl.org/docs/apps/ciphers.html
** explains what HIGH and the other keywords used in zimbraReverseProxySSLCiphers mean
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#zmtlsctl
** http only mode?
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#Using_Existing_Servers_2
** proxy isn't enabled for http/mail?

First, you might want to get cipherscan, available at https://github.com/jvehent/cipherscan.
Run it against your server's hostname, for example:

./cipherscan ldap2.zimbra.DOMAIN.com

It will default to port 443. You can also check port 8443 with:

./cipherscan ldap2.zimbra.DOMAIN.com:8443

Second, the assumption is that you're running with the ZCS proxy service enabled for the various methods you're attempting with Outlook 2011 [http{mail},pop,imap], and that SSL is enabled for each of the access methods.

Let's confirm that the account you'll test with is enabled for EWS.

[zimbra@ldap2 log]$ zmprov ga user1@ldap2.zimbra.DOMAIN.com zimbraFeatureEwsEnabled
[zimbra@ldap2 log]$ zmlicense -p | grep -i ews

Let's also record what zimbraReverseProxySSLCiphers is currently set to before you change it.

[zimbra@ldap2 log]$ zmprov gcf zimbraReverseProxySSLCiphers

Depending on what you have set, you'll need to adjust it to allow 3DES. If zimbraReverseProxySSLCiphers was manually set at some point in your ZCS server's history, our upgrade process will not change it. Below I include the default for 8.6 and how to modify it for 3DES. The first example is what you might see if you upgraded from ZCS 7 and/or manually set the value at some point to the ZCS 7 default.

To see or confirm the default value for ZCS 8.6, run the command below. Please note: you can't paste the cipher string into your CLI if it contains ! unless you have manually put a \ in front of each ! (otherwise bash treats the ! as history expansion). The 8.6 default contains !3DES; we want that to be 3DES, as shown in example 2.

[zimbra@ldap2 log]$ zmprov desc -a zimbraReverseProxySSLCiphers

[example 1]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:3DES:HIGH:
[zimbra@ldap2 log]$ zmproxyctl restart

[example 2]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:3DES:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!MD5:\!PSK

[zimbra@ldap2 log]$ zmproxyctl restart
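
As an added example (not part of the original page and not Zimbra's own tooling), the script below takes the value printed by zmprov gcf zimbraReverseProxySSLCiphers, reports whether 3DES is excluded, turns !3DES into 3DES, and prints the zmprov mcf command with every ! already escaped. The function names and the sample value are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Zimbra code. Function names and sample values are constructed.
# Run it from a file: pasted into an interactive bash prompt, the "!" characters
# hit the same pasting problem the page warns about.

# Accept either the bare value or the "name: value" line that zmprov gcf prints.
cipher_value() {
    printf '%s\n' "${1#zimbraReverseProxySSLCiphers: }"
}

# excluded = "!3DES" token present; listed = plain "3DES" token; unlisted = neither.
threedes_state() {
    case ":$(cipher_value "$1"):" in
        *:'!3DES':*) echo excluded ;;
        *:3DES:*)    echo listed ;;
        *)           echo unlisted ;;
    esac
}

# Return the cipher string with "!3DES" turned into "3DES" (appended if absent).
with_3des() {
    # Pad with ":" so the first and last tokens are delimited like the others.
    v=$(printf ':%s:\n' "$(cipher_value "$1")" | sed 's/:!3DES:/:3DES:/g')
    v=${v#:}; v=${v%:}
    case ":$v:" in
        *:3DES:*) ;;
        *) v="${v%:}:3DES" ;;
    esac
    printf '%s\n' "$v"
}

# Print the zmprov command with a backslash in front of every "!".
mcf_command() {
    printf 'zmprov mcf zimbraReverseProxySSLCiphers %s\n' \
        "$(with_3des "$1" | sed 's/!/\\!/g')"
}

# Constructed sample in the shape of zmprov gcf output.
sample='zimbraReverseProxySSLCiphers: HIGH:!3DES:!aNULL:!MD5'
echo "3DES is $(threedes_state "$sample")"
mcf_command "$sample"
```

Compare the printed command with the value you recorded earlier before running it, then restart the proxy as shown above.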

Once you've restarted the proxy services, you'll want to close down your Outlook session if you haven't already and relaunch it. With my testing, I didn't have to reconfigure the account in Outlook that I had set up and that was initially failing because of the cipher issue, but I did have to relaunch Outlook before it would sync after I made the server changes and restarted the proxy services.

If things still fail, please also provide the information below along with all the data/tests from above. Note, I'm including the output from my test box for these commands. My test box was a single 8.6 ZCS server [clean install, no prior ZCS versions upgraded from] with all services enabled.

[This command only needs to be shared with us once, since it shows your global variables]

[zimbra@ldap2 log]$ zmprov gacf | egrep -i 'mailsslp|proxy' | egrep -i 'ssl|cipher|enabled:|port:|mode' | sort
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyPort: 0
zimbraMailSSLPort: 0
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 0
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:3DES:HIGH:
zimbraReverseProxySSLECDHCurve: prime256v1
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLToUpstreamEnabled: TRUE

[This command should be run on each of your proxy and mailstore servers]

[zimbra@ldap2 log]$ zmprov gs `zmhostname` | egrep -i 'mailssl|proxy' | egrep -i 'ssl|cipher|enabled:|port:|mode' | sort
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyPort: 80
zimbraMailSSLClientCertMode: Disabled
zimbraMailSSLClientCertOCSPEnabled: TRUE
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailMode: https
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraServiceEnabled: proxy