Bug 51 - ZeXtras 1.6.2 "View Mail" broken in Zimbra8 -- Error: "hmac failure"
Status: RESOLVED INVALID
Alias: None
Product: ZeXtras
Classification: Unclassified
Component: Zimlet
Version: 1.6.2
Hardware: -- Other
Importance: Normal major
Assignee: ZeXtras Bugzilla Admin
Reported: 2012-11-01 20:30 CET by pgnd
Modified: 2012-11-07 15:18 CET
Browser: Firefox
Zimlet Chat version: ---
Zimbra Version: ---


Attachments
screenshot of ZeXtras "View Mail" menu item (11.48 KB, image/png)
2012-11-01 20:30 CET, pgnd

Description pgnd 2012-11-01 20:30:35 CET
Created attachment 5
screenshot of ZeXtras "View Mail" menu item

A consultant here found this, & reported it to Zimbra forums.  He's gone, passed it to me, and I believe it's a Zextras issue.

I'm able to reproduce it on my system:

zmcontrol -v
  Release 8.0.0.GA.5434.UBUNTU12.64 UBUNTU12_64 FOSS edition.

Zextras 1.6.2 is installed & deployed.

When I access the Admin UI's account management list, selecting any listed account, I can right-click on the account or pull down the settings menu and see Zextras' "View Mail" item (see attached .png)

If I select that "View Mail" item for any account I get an error in the browser.

	HTTP ERROR 400
	Problem accessing /service/preauth. Reason:
	hmac failure
	Powered by Jetty://

The expected result is, as in Z7, to be able to view/manage the selected account's mail.
Comment 1 pgnd 2012-11-02 18:41:40 CET
I got updated on some feedback on this:

> After some tests I managed to reproduce your issue.
> The cause of the error seems to be caused by a bad DNS resolution
> or Zimbra misconfiguration for the "public hostname" of your server.

On my Z8 server, DNS resolution is similarly configured to how our Z7 boxes have been configured for a long time,

	cat /etc/hostname
		mx.mydomain.com

	hostname
		mx.mydomain.com

	hostname -f
		mx.mydomain.com

	cat /etc/hosts
		127.0.0.1     localhost.localdomain localhost
		10.10.10.116  mx.mydomain.com  mx
		::1           localhost ip6-localhost ip6-loopback
		fe00::0       ip6-localnet
		ff00::0       ip6-mcastprefix
		ff02::1       ip6-allnodes
		ff02::2       ip6-allrouters

	su - zimbra -c "zmhostname"
		mx.mydomain.com

	dig mx.mydomain.com +short
		10.10.10.116

	dig PTR +short 106.1.200.10.in-addr.arpa
		mx.mydomain.com.

	host mx.mydomain.com
		mx.mydomain.com has address 10.10.10.116
		mx.mydomain.com mail is handled by 5 mx.mydomain.com.

	host 10.10.10.116
		106.1.200.10.in-addr.arpa domain name pointer mx.mydomain.com.

	nslookup 10.10.10.116
		Server:         127.0.0.1
		Address:        127.0.0.1#53

		106.1.200.10.in-addr.arpa      name = mx.mydomain.com.


> To make sure that the request are sent to the correct server, please use the "View Mail"
> function (either Zimbra's or ZeXtras', as both are just different front-ends to the very same API)

Atm, Zimbra 8.0.0 is *missing* the ViewMail function;  the administrative Zimlet was removed, and won't be replaced until Zimbra v8.0.2 release.

> Then, search the current /opt/zimbra/log/access.log-* file in your local Zimbra installations for a
> "400" error line starting with "GET /service/preauth?".

> Please let me know the result of this test.

checking on my server,

	grep preauth /opt/zimbra/log/access_log*
		(empty)
	grep preauth /opt/zimbra/log/*
		(empty)

??? um. huh ?

rereading your comment "make sure that the request are sent to the correct server" ... I think you've found the problem.

My current setup is *two* servers -- I'm "in process" of a Z7 -> Z8 migration.

	this Z8 server
		ip = 10.10.10.116
		hostname = mx.mydomain.com
		DNS is dnsmasq, locally hosted

	my Z7 server
		ip = 192.168.1.116
		hostname = mx.mydomain.com
		DNS is bind9, lan hosted

and

	@ my desktop,
		ip = 192.168.1.17 & 10.200.1.17
		DNS is bind9, lan hosted

where, @ desktop,

		host mx.mydomain.com
			mx.mydomain.com has address 192.168.1.116
		host mx-alt.mydomain.com
			mx-alt.mydomain.com has address 10.10.10.116

@ desktop, when I browse to

	https://mx-alt.mydomain.com:7071/zimbraAdmin/

I login to the Z8 server, and can access/control *everything* there.  I can also login to any/all migrated accounts directly at,

	https://mx-alt.mydomain.com

BUT, when I'm at the Z8 admin UI, accessed from my dual-homed desktop, and I exec the "View Mail", as above I see NO log entries in my Z8 server's access*log.

I *DO* see this in the Z*7* server's log


	192.168.1.17 -  -  [02/Nov/2012:18:11:22 +0000] "GET /service/preauth?authtoken=0_e7f2840ca9c7cb69cd4f2ccd70a3429ed8c813db_69643d33363a34386638326663322d633635632d346531342d383463322d6364373763343664373838303b6578703d31333a313335313838333438313632383b6169643d33363a30376338326235662d393361632d346436372d396461632d3264663432386430386233623b76763d313a303b747970653d363a7a696d6272613b&isredirect=1&adminPreAuth=1 HTTP/1.1" 400 1386 "https://mx-alt.mydomain.com:7071/zimbraAdmin/" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
	127.0.0.1 -  -  [02/Nov/2012:18:11:22 +0000] "POST /service/admin/soap/GetDomainInfoRequest HTTP/1.1" 200 433 "-" "ZCS 7.2.0_GA_2669"
	127.0.0.1 -  -  [02/Nov/2012:18:11:23 +0000] "POST /service/admin/soap/GetDomainInfoRequest HTTP/1.1" 200 433 "-" "ZCS 7.2.0_GA_2669"
	192.168.1.17 -  -  [02/Nov/2012:18:11:22 +0000] "GET /favicon.ico HTTP/1.1" 404 1412 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
	127.0.0.1 -  -  [02/Nov/2012:18:11:23 +0000] "POST /service/admin/soap/GetDomainInfoRequest HTTP/1.1" 200 433 "-" "ZCS 7.2.0_GA_2669"
	192.168.1.17 -  -  [02/Nov/2012:18:11:23 +0000] "GET /favicon.ico HTTP/1.1" 404 1409 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
	192.168.1.17 -  -  [02/Nov/2012:18:11:47 +0000] "PROPFIND /dav/pgn%40mydomain.com/Calendar/ HTTP/1.1" 207 4768 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2 Lightning/1.8"


The problem is apparently NOT with the Z8 server's DNS, but @ the desktop, and only because/while I'm in the inbetween-migration state.

Temporarily adding

	10.10.10.116 mx.mydomain.com

to /etc/hosts/ on the *desktop* cures the problem -- on the Z8 server.  Now, "View Mail" works correctly.  Of course, the desktop can no longer correctly access the still-live production Z7 server @ the "real" mx.domain.com = 192.168.1.116 :-/

I'm not sure this *is* a bug.  It *could* be accommodated in code, I suppose.  Or, at least, in documentation.  But it's such an infrequent case -- only during testing during live migration in the multi-lan-segment case -- I'm not sure it's worth the trouble to fix.  Beyond just knowing what's going on ...
Comment 2 Cine 2012-11-07 15:18:01 CET
Hello pgn,
thank you for your feedback...

As you said this is not a bug per se, so it won't be possible to "fix" this situation server-side - the only option would be to use the server's IP address in the "View Mail" request, but this approach would be formally wrong for HTTPS connections and of unpredictable results in case of HTTP connections (multiple addresses? NAT rules? etc...).


Have a nice day,
Cine
the ZeXtras Team
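
The access-log check from Comment 1, as an added example (not part of the original report and not ZeXtras or Zimbra code): it scans log lines for rejected `GET /service/preauth` requests and reports which admin console host referred each one and whether the token had merely expired. The token layout (version, digest, hex-encoded `key=len:value;` fields) is assumed from the token visible in the quoted log; `decode_token`, `misrouted_preauth` and the sample lines are hypothetical names and constructed data.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Combined-format access log line, as in the log excerpt in Comment 1.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def decode_token(token):
    """Parse the hex payload of version_digest_hexpayload into its fields."""
    payload = bytes.fromhex(token.split("_", 2)[2]).decode("ascii")
    fields, pos = {}, 0
    while pos < len(payload):
        key, rest = payload[pos:].split("=", 1)
        length = rest.split(":", 1)[0]
        start = pos + len(key) + len(length) + 2   # skip "key=" and "len:"
        fields[key] = payload[start:start + int(length)]
        pos = start + int(length) + 1              # skip trailing ";"
    return fields

def misrouted_preauth(lines, local_names):
    """List rejected admin preauth requests seen by the server owning this log."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "400":
            continue
        url = urlsplit(m["target"])
        token = parse_qs(url.query).get("authtoken")
        if url.path != "/service/preauth" or not token:
            continue
        fields = decode_token(token[0])
        seen = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        expires = datetime.fromtimestamp(int(fields["exp"]) / 1000, timezone.utc)
        console = urlsplit(m["referer"]).hostname  # host of the console that sent it
        findings.append({"client": m["client"], "console": console,
                         "foreign_console": console not in local_names,
                         "token_expired": expires <= seen})
    return findings

# Constructed sample lines: same layout as the page's log, made-up token values.
PAYLOAD = "id=36:11111111-2222-3333-4444-555555555555;exp=13:1351883481628;type=6:zimbra;"
SAMPLE = [
    '192.168.1.17 -  -  [02/Nov/2012:18:11:22 +0000] "GET /service/preauth?authtoken=0_'
    + "ab" * 20 + "_" + PAYLOAD.encode().hex() + '&isredirect=1&adminPreAuth=1 HTTP/1.1" '
    '400 1386 "https://mx-alt.mydomain.com:7071/zimbraAdmin/" "Mozilla/5.0"',
    '192.168.1.17 -  -  [02/Nov/2012:18:11:22 +0000] "GET /favicon.ico HTTP/1.1" 404 1412 "-" "Mozilla/5.0"',
]
```

Calling `misrouted_preauth(SAMPLE, {"mx.mydomain.com"})` on the server that logged the 400 returns one finding with `foreign_console` true and `token_expired` false: an unexpired token that arrived from a console running under another hostname.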