Problem with Certificate can cause MTA Failure: Difference between revisions

(New page: There are some issues in Zimbra 5.0 GA that you should know about. Zimbra can install/upgrade and work under most circumstances, however, a small number of users are encountering some iss...)
 
No edit summary
Line 6: Line 6:


---------------------------------------------------
---------------------------------------------------
Issue:
'''Issue:'''


Problem with Certificate can cause MTA Failure [Bug 23253]
Problem with Certificate can cause MTA Failure [Bug 23253]


Symptom:
'''Symptom:'''


When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:
When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:


Error:
'''Error:'''


   postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
   postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Line 23: Line 23:
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).


Common Cause:
'''Common Cause:'''


CA chain can be appended in reverse creating invalid Certificate
CA chain can be appended in reverse creating invalid Certificate


Workaround:
'''Workaround:'''


Read this post: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure
Read this post: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure
Line 34: Line 34:
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------


Steps:
'''Steps:'''


  (a) as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
  (b) as zimbra:
(b) Run this as zimbra:
  (b1) to get the password: zmlocalconfig -s zimbra_ldap_password
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password
  (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W


Code:
'''Code:'''


dn: cn=config,cn=zimbra
dn: cn=config,cn=zimbra
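Review bot: The new step lines (a) through (b2) in this hunk drop the leading spaces the old lines had, so the wiki no longer treats them as preformatted text and the rendered revision runs all four steps together in one paragraph. Keep each command on its own space-indented line and put the "Run as root:" / "Run this as zimbra:" labels on separate lines above the commands.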
Line 50: Line 50:
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W


Code:
'''Code:'''


dn: cn=config,cn=zimbra
dn: cn=config,cn=zimbra
changetype:modify
changetype:modify
delete: zimbraCertAuthorityKeySelfSigned
delete: zimbraCertAuthorityKeySelfSigned     [Hit Enter Twice here]
^D
^D
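Review bot: In the second Code block of this hunk the new revision appends "[Hit Enter Twice here]" to the same line as "delete: zimbraCertAuthorityKeySelfSigned", so anyone copying the block into ldapmodify would send the annotation as part of the attribute name. Move the instruction to its own line after the LDIF, outside the text meant to be pasted.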


Line 65: Line 65:


-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
'''
References:'''


References:
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html
[SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure


Bug 23253 - an expired CA cert will block mail delivery after upgrading to 5.0.0
[Bug 23253] - an expired CA cert will block mail delivery after upgrading to 5.0.0


---------------------------------------------------
---------------------------------------------------
Issue:
'''Issue:'''


Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]
 
'''
Symptom:
Symptom:'''


User is unable to install a commercial certificate in Zimbra 5.0
User is unable to install a commercial certificate in Zimbra 5.0
 
'''
Common Cause:
Common Cause:'''


Related to Bug [23253]
Related to Bug [23253]


Workaround:
'''Workaround:'''


Installing Cert via Command Line: Bug [23294] - commercial certs fail to install
Installing Cert via Command Line: Bug [23294] - commercial certs fail to install


References:
'''References:'''


Bug [23294] - commercial certs fail to install
Bug [23294] - commercial certs fail to install
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!
---------------------------------------------------
---------------------------------------------------
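Review bot: The bold markers for "References:", "Symptom:" and "Common Cause:" in this hunk open on one line and close on the next (''' on its own line, then "Symptom:'''"), unlike the single-line '''Issue:''' and '''Workaround:''' headings. In the rendered revision these headings end up fused onto the end of the previous sentence ("... [Bug 23294] Symptom:"). Put the opening and closing ''' on the same line as the heading text and keep a blank line before it.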

Revision as of 07:00, 2 January 2008

There are some issues in Zimbra 5.0 GA that you should know about.

Zimbra can install/upgrade and work under most circumstances; however, a small number of users are encountering some issues.

We wanted to post this thread to let you know about these, and help you work through any issue you have.


Issue:

Problem with Certificate can cause MTA Failure [Bug 23253]

Symptom:

When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:

Error:

  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


The MTA (postfix) then stops functioning, resulting in mail delivery failure (via lmtp and smtp).

Common Cause:

The CA chain can be appended in reverse order, creating an invalid certificate.

Workaround:

Read this post: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure

Alternate: Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!


Steps:

(a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak

(b) Run this as zimbra:

(b1) To get the password: zmlocalconfig -s zimbra_ldap_password

(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W

Code:

  dn: cn=config,cn=zimbra
  changetype:modify
  delete: zimbraCertAuthorityCertSelfSigned
  [Hit Enter Twice here]
  ^D

(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W

Code:

  dn: cn=config,cn=zimbra
  changetype:modify
  delete: zimbraCertAuthorityKeySelfSigned
  [Hit Enter Twice here]
  ^D

(c) as root: run /opt/zimbra/bin/zmcertmgr createca

(d) as root: run /opt/zimbra/bin/zmcertmgr deployca

(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new

(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start

^D is Control-D
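
A pre-check for the two causes named on this page (a CA chain appended in reverse, an expired CA certificate), as an added example that is not part of the original wiki page or of Zimbra's tooling. It assumes `openssl` and `awk` are installed; the function names are hypothetical and the bundle path is supplied by the operator, since the page names no specific file.

```shell
#!/bin/sh
# Added example: confirm a PEM bundle is ordered so that each certificate
# is followed by the certificate of its issuer, and that it has not expired.

# Print "subject=" / "issuer=" lines for every certificate in the bundle $1.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Exit status 0 if the first certificate in $1 is still valid, non-zero if expired.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Read list_chain output on stdin.
# Returns 0 when every issuer matches the subject of the next certificate,
# 1 at the first break in the chain (and prints it), 2 when no certificate is found.
chain_order_ok() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
        /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "cert %d is issued by \"%s\" but cert %d is \"%s\"\n",
                           i, iss[i], i + 1, subj[i + 1]
                    exit 1
                }
            if (iss[n] != subj[n])
                print "note: last certificate is not self-signed (root not in bundle)"
        }'
}

# When run as a script: sh check_chain.sh <bundle.pem>
if [ -n "${1:-}" ]; then
    not_expired "$1" || echo "first certificate in $1 has expired"
    list_chain "$1" | chain_order_ok
fi
```

A non-zero result from `chain_order_ok` on a bundle whose certificates are individually valid points at ordering rather than expiry as the reason the STARTTLS connection to LDAP fails.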


References:

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[Bug 23253] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Issue:

Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]

Symptom:

User is unable to install a commercial certificate in Zimbra 5.0

Common Cause:

Related to Bug [23253]

Workaround:

Installing Cert via Command Line: Bug [23294] - commercial certs fail to install

References:

Bug [23294] - commercial certs fail to install

Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!

