Authentification between Dagent & Sendmail and remote Kopano Core server fails

fbartels

to be able to successfully deliver mails dagent needs to work with admin privileges within kopano-server. When running on a different host this can be achieved by using SSL client certificates.

Have a look at the Multiserver documentation for more information.

fixundfertig123

@fbartels Thank you for the fast feedback. I changed from http to https encyrpted connection to the core server and know I get the following error when doing:

echo “hello” | kopano-dagent -c /etc/kopano/dagent.cfg USERNAME

Sat Apr 28 19:36:14 2018: [warning] [ 5996] Log connection was reset
Sat Apr 28 19:36:14 2018: [info ] [ 5999] Log process received sighup
Sat Apr 28 19:36:19 2018: [=======] [ 5996] LMTP service will now exit
Sat Apr 28 19:36:19 2018: [info ] [ 5996] LMTP service shutdown complete
Sat Apr 28 19:36:19 2018: [debug ] [ 5996] StatsClient terminating
Sat Apr 28 19:36:19 2018: [debug ] [ 5996] StatsClient terminated
Sat Apr 28 19:36:19 2018: [info ] [ 5999] Log process is done
Sat Apr 28 19:36:19 2018: [info ] Coredump status left at system default.
Sat Apr 28 19:36:19 2018: [info ] Maximum LMTP threads set to 20
Sat Apr 28 19:36:19 2018: [info ] Listening on port 2003 for LMTP
Sat Apr 28 19:36:19 2018: [info ] [ 6103] Logger process started on pid 6105
Sat Apr 28 19:36:19 2018: [debug ] [ 6103] StatsClient binding socket
Sat Apr 28 19:36:19 2018: [debug ] [ 6103] StatsClient bound socket to /tmp/.1a7e505518d216cd.sock
Sat Apr 28 19:36:19 2018: [debug ] [ 6103] StatsClient thread started
Sat Apr 28 19:36:19 2018: [=======] [ 6103] Starting kopano-dagent version 8.5.8 (pid 6103) (LMTP mode)
Sat Apr 28 19:36:19 2018: [debug ] [ 6103] Submit thread started
Sat Apr 28 19:36:22 2018: [info ] Coredump status left at system default.
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient binding socket
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient bound socket to /tmp/.33166c971d7bc490.sock
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient thread started
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] PYTHONPATH = /usr/share/kopano-dagent/python
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] Submit thread started
Sat Apr 28 19:36:23 2018: [ 6108] [info ] * Loading plugins started
Sat Apr 28 19:36:23 2018: [ 6108] [info ] ** Checking plugins in /var/lib/kopano/dagent/plugins
Sat Apr 28 19:36:23 2018: [ 6108] [info ] * Loading plugins done
Sat Apr 28 19:36:23 2018: [ 6108] [error ] virtual HRESULT M4LMsgServiceAdmin::ConfigureMsgService(const MAPIUID*, ULONG_PTR, ULONG, ULONG, const SPropValue*): MSGServiceEntry failed: missing or invalid argument (80070057)
Sat Apr 28 19:36:23 2018: [ 6108] [crit ] CreateProfileTemp(): ConfigureMsgService failed 80070057: missing or invalid argument
Sat Apr 28 19:36:23 2018: [ 6108] [warning] CreateProfileTemp failed: 80070057: missing or invalid argument
Sat Apr 28 19:36:23 2018: [ 6108] [error ] virtual HRESULT M4LMsgServiceAdmin::ConfigureMsgService(const MAPIUID*, ULONG_PTR, ULONG, ULONG, const SPropValue*): MSGServiceEntry failed: missing or invalid argument (80070057)
Sat Apr 28 19:36:23 2018: [ 6108] [crit ] CreateProfileTemp(): ConfigureMsgService failed 80070057: missing or invalid argument
Sat Apr 28 19:36:23 2018: [ 6108] [warning] CreateProfileTemp failed: 80070057: missing or invalid argument
Sat Apr 28 19:36:23 2018: [ 6108] [error ] Unable to login for user USERNAME, error code: 0x80070057
Sat Apr 28 19:36:23 2018: [ 6108] [error ] HRESULT deliver_recipient(pym_plugin_intf*, const char*, bool, FILE*, DeliveryArgs*): HrGetSession failed: missing or invalid argument (80070057)
Sat Apr 28 19:36:23 2018: [ 6108] [error ] int main(int, char**): deliver_recipient failed: missing or invalid argument (80070057)
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient terminating
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient submit int failed: No such file or directory
Sat Apr 28 19:36:23 2018: [ 6108] [debug ] StatsClient terminated

That looks to me either like a permission problem, or is beyond my Kopano knowlegde ;-)

thctlo

What happens if you set the following in systemd start up.

cat /etc/systemd/system/kopano-dagent.service.d/override.conf

After=kopano-server.service
Wants=kopano-server.service

[Service]
LimitNOFILE=8192:16384

You can use : systemctl edit kopano-dagent
or
if you want a copy of the complete file in systemd.: systemctl edit --full kopano-dagent

I did see the same messages and these where gone after the above settings.
You see this if you use run_as(user/group)

fbartels

@fixundfertig123 said in Authentification between Dagent & Sendmail and remote Kopano Core server fails:

That looks to me either like a permission problem

Yes, would have said the same. For easier testing I would suggest to use kopano-admin/kopano-cli instead of the dagent. The ssl options are named the same for all services, so you can easily specify the dagent.cfg for admin. once you get your users listed all should be good for dagent as well.

fixundfertig123

@thctlo Thank you. I believe this does not work, since DAgent is hosted on a different server? Am I right that you are assuming it is on the same server?

fixundfertig123

@fbartels said in Authentification between Dagent & Sendmail and remote Kopano Core server fails:

kopano-cli

Hello, I admit that you suggestion is not yet 100% clear to me (sorry for that and potential errors!). I verified that the ssl connecton from the DAgent -> Core Server works by entering:

openssl s_client -connect kopano.intranet.XXXXXX.de:237

Resulting in:

...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E245D3A9278C82E8124DAF8331EAA2C670CDAFC8D453513D1B7295D1778D1413
    Session-ID-ctx:
    Master-Key: A0D6A3263B4ED7117481F9DB52FF63805E90CF9F1698B14A1F92C969FF540814EDE8DCB854BE4185FFDC3B26ACE92C97
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1525084370
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=0

When testing “kopano-admin -vvvv -h kopano.intranet.XXXXX.de:237 -c /etc/kopano/dagent.cfg -l” on the DAgent server (targeting Core server) I recieve:

[error  ] gsoap connect: ()
[error  ] virtual HRESULT M4LMsgServiceAdmin::ConfigureMsgService(const MAPIUID*, ULONG_PTR, ULONG, ULONG, const SPropValue*): MSGServiceEntry failed: network error (80040115)
[crit   ] CreateProfileTemp(): ConfigureMsgService failed 80040115: network error
[warning] CreateProfileTemp failed: 80040115: network error
Unable to open Admin session: network error (0x80040115)
The server is not running, or not accessible through "kopano.intranet.XXXXX.de:237".
Using the -v option (possibly multiple times) may give more hints.

and the “recieving” kopano core server log states:

Mon Apr 30 12:32:50 2018: [debug  ] Accepted incoming SSL connection from 172.16.1.18
Mon Apr 30 12:38:07 2018: [warning] SSL_accept() failed in soap_ssl_accept()
Mon Apr 30 12:38:07 2018: [debug  ] SOAP_SSL_ERROR: SSL_ERROR_SSL
error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Am I doing something wrong? Cheers

fixundfertig123

Looks quite similar to: https://forums.zarafa.com/showthread.php?7734-Remote-Access-to-Zarafa-Server-with-dagent-via-https-does-not-work

Unfortunately some parts of the the forum seems to be “hidden”…

fixundfertig123

And another link: https://www.cubewerk.de/2015/01/09/zarafa-port-237-ssl-ssl_accept-failed-in-soap_ssl_accept/

But still do not find my error (besides required/insisting to use my own self-signed CA files :-/)

fbartels

Hi @fixundfertig123 ,

I’d recommend to open a support case. Our support staff can have a look at your exact certificate files and through this better identify what needs to be changed.

Ps: what do you mean with “hidden” in regards to the old forum? That thread seems complete to me.

fixundfertig123

Hi @fbartels , thanks I will!

to me the zarafa forum looks like the code insertion are somehow missing?!? I attached a screenshot:

What do you think?

thctlo

@fixundfertig123 Yes, correct i run Dagent on the same server.

fbartels

@fixundfertig123 ah. did not notice this. The forum was modified a few weeks ago to be completely read-only maybe inline quotes were removed in that process.

fixundfertig123

@fbartels Okay, thats quite sad, it was a good source of knowledge… Maybe it can be readded? Thanks for your help anyway!