Saslauth Failed (curl easy perform error): Difference between revisions

 
Latest revision as of 13:19, 15 November 2021

Saslauth Failed (curl_easy_perform error)


   KB 24091        Last updated on 2021-11-15  






Problem

IMAP/POP clients get a password pop-up window and are not able to send or receive any e-mails. Even when the correct username and password are used, the following authentication error is observed in the /var/log/zimbra.log file:

Nov 28 15:06:57 mbox1 saslauthd[45799]: auth_zimbra: ztest@xxxxxx.com auth failed: curl_easy_perform: error(56): Received HTTP code 503 from proxy after CONNECT
Nov 28 15:06:57 mbox1 saslauthd[45799]: do_auth         : auth failure: [user=ztest@xxxx.com] [service=smtp] [realm=xxxx.in] [mech=zimbra] [reason=Unknown]
Nov 28 15:06:57 mbox1 postfix/smtpd[18938]: warning: unknown[10.0.7.162]: SASL LOGIN authentication failed: authentication failure
Nov 28 15:06:57 mbox1 postfix/smtpd[18938]: lost connection after AUTH from unknown[10.0.7.162]
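
To separate these proxy-induced failures from ordinary bad-password failures, the auth_zimbra lines can be grouped by curl error and HTTP code. This is an added example, not part of the original article; the function names and the sample log lines are constructed, following the line format shown above.

```shell
#!/bin/sh
# Added example (not Zimbra code): group saslauthd auth_zimbra
# curl_easy_perform failures by curl error number and HTTP status code.

# Reads zimbra.log text on stdin; prints one sorted summary line per group.
summarise_curl_failures() {
    awk '
    /saslauthd\[[0-9]+\]: auth_zimbra: .* auth failed: curl_easy_perform: error\(/ {
        user = $0
        sub(/.*auth_zimbra: /, "", user); sub(/ auth failed:.*/, "", user)
        cerr = $0
        sub(/.*curl_easy_perform: error\(/, "", cerr); sub(/\).*/, "", cerr)
        http = "-"                      # no HTTP status present in the message
        if (match($0, /HTTP code [0-9]+/))
            http = substr($0, RSTART + 10, RLENGTH - 10)
        key = "curl_error=" cerr " http=" http
        failures[key]++
        # count each user once per group
        if (!((key SUBSEP user) in seen)) { seen[key SUBSEP user] = 1; users[key]++ }
    }
    END {
        for (key in failures)
            printf "%s failures=%d users=%d\n", key, failures[key], users[key]
    }' | sort
}

# Constructed sample lines (users, times and PIDs are invented for the example).
sample_log() {
    cat <<'EOF'
Nov 28 15:06:57 mbox1 saslauthd[45799]: auth_zimbra: ztest@example.com auth failed: curl_easy_perform: error(56): Received HTTP code 503 from proxy after CONNECT
Nov 28 15:06:58 mbox1 saslauthd[45799]: auth_zimbra: ztest@example.com auth failed: curl_easy_perform: error(56): Received HTTP code 503 from proxy after CONNECT
Nov 28 15:06:59 mbox1 saslauthd[45801]: auth_zimbra: user3@example.com auth failed: curl_easy_perform: error(56): Received HTTP code 503 from proxy after CONNECT
Nov 28 15:07:01 mbox1 saslauthd[45800]: auth_zimbra: user2@example.com auth failed: curl_easy_perform: error(56): Received HTTP code 502 from proxy after CONNECT
Nov 28 15:07:02 mbox1 postfix/smtpd[18938]: warning: unknown[10.0.7.162]: SASL LOGIN authentication failed: authentication failure
EOF
}

sample_log | summarise_curl_failures
```

Many users failing at once with the same "from proxy after CONNECT" message points at the lookup path rather than at individual credentials.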

Solution

Check whether any additional forward proxy (such as Nginx or Squid) is enabled.

Run the following command to check for an additional proxy:

# env | grep -i proxy

Run the following command to test saslauth against the mailbox node. The same curl request is performed in the backend during saslauth.

$ curl -X POST -u zimbra.user2@example.com:test@123 -d 'authType=sasl' https://mbox1.example.com:7073/service/admin/soap/ -k

Remove the additional proxy and restart the MTA service to invalidate the old saslauth connection that was established.

$ zmmtactl restart


Why does this issue occur?

When saslauth happens on the MTA server, it queries the ZCS saslauthd lookup server on port 7073, which is a mailbox server. If a local forward proxy is configured, this request is handled by that proxy. Since the proxy does not know where to forward the request, it returns HTTP 503 and 502 errors.
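
As an added example (not part of the original article and not Zimbra's code), the shell functions below model the check from the steps above: whether an HTTPS request to the lookup host would be routed through a proxy taken from the environment. The no_proxy matching is a simplified assumption, and the function names and demo values are hypothetical.

```shell
#!/bin/sh
# Added example (not Zimbra code): would curl/libcurl send an HTTPS request for
# a host through a proxy taken from the environment? Simplified no_proxy model:
# "*" matches everything, otherwise exact host or domain-suffix match.

# Print the first proxy variable that applies to https:// URLs; fail if none.
https_proxy_in_env() {
    for var in https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# Return 0 when the host is exempted by no_proxy / NO_PROXY.
host_in_no_proxy() {
    host=$1
    list=${no_proxy:-${NO_PROXY:-}}
    exempt=1
    old_ifs=$IFS
    IFS=','
    set -f    # "*" is a legal list entry, so disable globbing while splitting
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        entry=${entry#.}
        [ -n "$entry" ] || continue
        if [ "$entry" = "*" ] || [ "$host" = "$entry" ]; then exempt=0; fi
        case "$host" in *."$entry") exempt=0 ;; esac
    done
    set +f
    IFS=$old_ifs
    return "$exempt"
}

# Print "direct" or "via-proxy <url>" for the saslauthd lookup host.
lookup_route() {
    if proxy=$(https_proxy_in_env) && ! host_in_no_proxy "$1"; then
        printf 'via-proxy %s\n' "$proxy"
    else
        printf 'direct\n'
    fi
}

# Constructed demo values; mbox1.example.com is the sample host used on this page.
( https_proxy=http://127.0.0.1:3128; no_proxy=localhost
  lookup_route mbox1.example.com )    # prints: via-proxy http://127.0.0.1:3128
```

The result reflects the shell it runs in; saslauthd sees the environment it was started with, which is why the MTA restart is needed after the proxy settings are removed.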

How SASL works

SASL is not a protocol but a framework that can be used with protocols such as SMTP. For each protocol that uses SASL, there is a specification of how the protocol uses SASL. This means that SASL can be used with a wide range of protocols, and can be adapted to the details of how any specific protocol works.

The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client says which one will be used (based on the client’s capabilities and security requirements).

Protocols that contain SASL support include:

  • LDAP (Internet Standard Lightweight Directory Access Protocol)
  • SMTP (Internet Standard Simple Message Transfer Protocol)
  • POP3 (Internet Standard Post Office Protocol v3)
  • IMAP (Internet Standard Internet Mail Access Protocol)
  • XMPP: Extensible Messaging and Presence Protocol
  • Isode's SOM (Switch Operations and Management) Protocol

More information about SASL is available at https://www.isode.com/products/sasl.html.

Submitted by: Gopal Singh Bhandari
Verified Against: ZCS 8.8
Date Created: 2020-04-13
Article ID: https://wiki.zimbra.com/index.php?title=Saslauth_Failed_(curl_easy_perform_error)
Date Modified: 2021-11-15


