
    Zimbra: unable to get rid of DoSFilter trapping

    • maxxer
      maxxer last edited by

      I’m getting mad…

      I’ve a new server using Zimbra and ZPush 2.4.4 with the latest available backend.

      In Zimbra I’ve whitelisted the server public IP address, localhost addresses and the office IP.

      Now a user changed his password in Zimbra and the mobile phones are not prompting for the new password, so Z-Push keeps authenticating to Zimbra with the wrong credentials. And despite all the whitelisting above (I’ve restarted all of Zimbra) I keep getting 503 Service Unavailable from Zimbra!

      Z-Push is configured directly in zimbra’s nginx.conf using this method.

      The only strange thing I noticed in mailbox.log is that I get two IPs in the oip field. That is:

      2018-09-12 14:22:29,398 INFO  [qtp127618319-823:http://127.0.0.1/service/soap/] [name=username;oip=OFFICE_IP, 127.0.0.1;port=49930;ua=Android/8.0.0-EAS-2.0(...717940) devip=OFFICE_IP ZPZB/68;] SoapEngine - handler exception: authentication failed for [username], invalid password
      

      I cannot understand why in oip I see the remote IP and the z-push server IP. Now Z-Push is configured with https://127.0.0.1 as Zimbra server (and without url override), but even if I use the public hostname I will see Zimbra’s public IP instead of 127.0.0.1.

      It’s driving me mad, I cannot see why Zimbra keeps throttling Z-Push connections!

      Thanks

      liverpoolfcfan 1 Reply Last reply Reply Quote 0
      • maxxer
        maxxer last edited by

        I tried changing USE_CUSTOM_REMOTE_IP_HEADER from HTTP_X_FORWARDED_FOR to HTTP_X_REAL_IP but everything seems the same.

        Message spotted on mailboxd:

        2018-09-12 14:43:30,984 INFO  [qtp127618319-1087:http://127.0.0.1/service/soap/] [] misc - Access from IP 1.2.9.21, 127.0.0.1 suspended, for repeated failed login.
        

        It seems to me that Zimbra is treating the dual IP as a single IP address…

        1 Reply Last reply Reply Quote 0
        • liverpoolfcfan
          liverpoolfcfan last edited by liverpoolfcfan

          Do you have an instance of Apache you can use as a test z-push server to connect to the same zimbra host? It would allow you to determine if it is an nginx configuration that is causing the dual IP addresses.

          1 Reply Last reply Reply Quote 0
          • liverpoolfcfan
            liverpoolfcfan @maxxer last edited by liverpoolfcfan

            @maxxer said in Zimbra: unable to get rid of DoSFilter trapping:

            In Zimbra I’ve whitelisted the server public IP address, localhost addresses and the office IP.

            Did you also whitelist the Z-Push server IP address? That is the most important one.

            1 Reply Last reply Reply Quote 0
            • maxxer
              maxxer last edited by

              Yes, of course the public IPs of Z-Push and of Zimbra itself are whitelisted, v4 and v6.

              Unfortunately I currently don’t have an Apache set up, I must install it. I checked another installation I have and it seems the IP is doubled every time.

              1 Reply Last reply Reply Quote 0
              • maxxer
                maxxer last edited by

                I managed to work around the issue by setting ZIMBRA_URL directly to Jetty on port 8443, instead of passing through nginx. Now the logged oip is the correct one and it’s not joined with nginx’s IP.

                I still have to figure out why zimbra is logging the two IP addresses together, but in the meantime I’m not trapped by DoSFilter

                jasgggit liverpoolfcfan 2 Replies Last reply Reply Quote 0
                • jasgggit
                  jasgggit @maxxer last edited by

                  @maxxer said in Zimbra: unable to get rid of DoSFilter trapping:

                  I managed to work around the issue by setting ZIMBRA_URL directly to Jetty on port 8443, instead of passing through nginx. Now the logged oip is the correct one and it’s not joined with nginx’s IP.

                  I still have to figure out why Zimbra is logging the two IP addresses together, but in the meantime I’m not trapped by DoSFilter

                  Hi, could you please share the steps on how to do this:

                  setting `ZIMBRA_URL` directly to Jetty on port 8443, instead of passing through nginx.
                  

                  I’m trying to solve an issue on my single server setup, and this could help.

                  Thank you.

                  Regards.
                  JG

                  maxxer 1 Reply Last reply Reply Quote 0
                  • maxxer
                    maxxer @jasgggit last edited by

                    @jasgggit just set ZIMBRA_URL to https://your.domain.com:8443 instead of the plain https port. This skips nginx, and at least Zimbra logs will see the original IP.

                    jasgggit 1 Reply Last reply Reply Quote 0
                    • jasgggit
                      jasgggit @maxxer last edited by

                      @maxxer said in Zimbra: unable to get rid of DoSFilter trapping:

                      @jasgggit just set ZIMBRA_URL to https://your.domain.com:8443 instead of the plain https port. This skips nginx, and at least Zimbra logs will see the original IP.

                      Thanks for the reply.
                      I’ll check it, but since I’m using port 443 in ZIMBRA_URL “https:/my.zimbra.com”, are you saying that if I specify the port as 8443 it should go to Jetty instead of nginx?

                      I’ll try nevertheless, thank you.
                      Regards.
                      JG

                      maxxer 1 Reply Last reply Reply Quote 0
                      • maxxer
                        maxxer @jasgggit last edited by

                        are you saying that if I specify the port as 8443 it should go to Jetty instead of nginx?

                        Yes!

                        1 Reply Last reply Reply Quote 0
                        • liverpoolfcfan
                          liverpoolfcfan @maxxer last edited by

                          @maxxer said in Zimbra: unable to get rid of DoSFilter trapping:

                          I managed to work around the issue by setting ZIMBRA_URL directly to Jetty on port 8443, instead of passing through nginx. Now the logged oip is the correct one and it’s not joined with nginx’s IP.

                          I still have to figure out why zimbra is logging the two IP addresses together, but in the meantime I’m not trapped by DoSFilter

                          Beware of pointing z-push directly at jetty as the authentication is all handled by the nginx proxy. You will likely have issues downloading attachments and accessing shared folders - particularly if you have a multi-server environment.

                          maxxer 1 Reply Last reply Reply Quote 0
                          • maxxer
                            maxxer @liverpoolfcfan last edited by

                            @liverpoolfcfan said in Zimbra: unable to get rid of DoSFilter trapping:

                            Beware of pointing z-push directly at jetty as the authentication is all handled by the nginx proxy. You will likely have issues downloading attachments and accessing shared folders - particularly if you have a multi-server environment.

                            I know it’s not correct but I’m unable to understand why it keeps logging two IPs, and thus blacklisting the Z-Push IP.

                            Do you have the same logging format?

                            1 Reply Last reply Reply Quote 0
                            • liverpoolfcfan
                              liverpoolfcfan last edited by

                              I use Apache for Z-Push, so that is an obvious place for you to start looking, as you are using nginx.

                              In my mailbox.log file the entries show 2 IP Addresses - oip=Device_IP, Z-Push-Server_IP;

                              I do not have anything set in the z-push config file for
                              // define('USE_CUSTOM_REMOTE_IP_HEADER', 'X-FORWARDED-FOR');
                              // define('USE_X_FORWARDED_FOR_HEADER', true);
                              Both are commented out.

                              I have no issues with the DoSFilter.

                              1 Reply Last reply Reply Quote 0
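
An added log-triage example for the thread above (not written by any poster, and not Zimbra or Z-Push code): it parses the `oip` field from `mailbox.log` lines in the layout quoted in the thread, counts failed logins per originating device, and shows that a two-address `oip` value is not a single address even when each hop is on an allowlist. The sample lines, addresses, user names and the allowlist are constructed, and the script does not reproduce Zimbra's own throttling logic.

```python
import ipaddress
import re
from collections import Counter

OIP_RE = re.compile(r"\boip=([^;]*);")
# Constructed sample lines in the mailbox.log layout quoted in the thread
# (documentation-range addresses, made-up user names).
SAMPLE_LOG = """\
2018-09-12 14:22:29,398 INFO  [qtp1-823:http://127.0.0.1/service/soap/] [name=alice;oip=198.51.100.7, 127.0.0.1;port=49930;] SoapEngine - handler exception: authentication failed for [alice], invalid password
2018-09-12 14:22:41,102 INFO  [qtp1-824:http://127.0.0.1/service/soap/] [name=alice;oip=198.51.100.7, 127.0.0.1;port=49931;] SoapEngine - handler exception: authentication failed for [alice], invalid password
2018-09-12 14:23:05,550 INFO  [qtp1-830:https://mail.example.test:8443/service/soap/] [name=bob;oip=203.0.113.9;port=50112;] SoapEngine - handler exception: authentication failed for [bob], invalid password
2018-09-12 14:43:30,984 INFO  [qtp1-1087:http://127.0.0.1/service/soap/] [] misc - Access from IP 198.51.100.7, 127.0.0.1 suspended, for repeated failed login.
"""
# Hypothetical allowlist: loopback plus one office address.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.7/32")]


def parse_oip(line):
    """Return the oip value split into hops; [] when the line has no oip."""
    m = OIP_RE.search(line)
    return [h.strip() for h in m.group(1).split(",") if h.strip()] if m else []


def is_single_address(value):
    """True only if the whole string parses as one IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def allowed(hop, allowlist=ALLOWLIST):
    return is_single_address(hop) and any(ipaddress.ip_address(hop) in n for n in allowlist)


def triage(log_text, allowlist=ALLOWLIST):
    """Count failed logins per first hop and report multi-address oip values."""
    failures, chains = Counter(), {}
    for line in log_text.splitlines():
        hops = parse_oip(line)
        if not hops or "authentication failed" not in line:
            continue
        failures[hops[0]] += 1  # first hop is the device, as in the thread's logs
        raw = ", ".join(hops)
        if not is_single_address(raw):  # a chain such as "device, proxy"
            chains[raw] = [allowed(h, allowlist) for h in hops]
    return failures, chains

print(triage(SAMPLE_LOG))
```

A `chains` entry whose hops are all `True` is the case discussed in the thread: every address in the chain is allowlisted individually, but the logged value as a whole is not one address.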