Problem with Certificate can cause MTA Failure

Revision as of 07:04, 2 January 2008 by Vagarwal (talk | contribs)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

There are some issues in Zimbra 5.0 GA that you should know about.

Zimbra can install/upgrade and work under most circumstances, however, a small number of users are encountering some issues.

We wanted to post this thread to let you know about these, and help you work through any issue you have.


Issue:

Problem with Certificate can cause MTA Failure [Bug 23253]

Symptom:

When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:

Error:

  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).

Common Cause:

CA chain can be appended in reverse creating invalid Certificate

Workaround:

Read this post: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure Alternate: Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!


Steps:

(a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak (b) Run this as zimbra: (b1) To get the password: zmlocalconfig -s zimbra_ldap_password (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W

Code:

dn: cn=config,cn=zimbra changetype:modify delete: zimbraCertAuthorityCertSelfSigned [Hit Enter Twice here] ^D

(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W

Code:

dn: cn=config,cn=zimbra changetype:modify delete: zimbraCertAuthorityKeySelfSigned [Hit Enter Twice here] ^D

(c) as root: run /opt/zimbra/bin/zmcertmgr createca (d) as root: run /opt/zimbra/bin/zmcertmgr deployca (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start

^D is Control-D


References:

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[Bug 23253] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Issue:

Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294] Symptom:

User is unable to install a commercial certificate in Zimbra 5.0 Common Cause:

Related to Bug [23253]

Workaround:

Installing Cert via Command Line: [ BUG 23294 http://bugzilla.zimbra.com/show_bug.cgi?id=23294] - commercial certs fail to install

References:

Bug [23294] - commercial certs fail to install Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!


Jump to: navigation, search