Zimbra fails to send outbound emails via SCES

Problem Statement

The Zimbra server cannot send outbound email via SCES. The following entries are found in the mail log:

Aug  3 17:57:16 email amavis[7794]: (07794-01) extra modules loaded: Amavis/Lookup/Opaque.pm, Amavis/Out/SMTP/Protocol.pm, Amavis/Out/SMTP/Session.pm, Mozilla/CA.pm
Aug  3 17:57:18 email postfix/smtp[8194]: SSL_connect error to mx2-sces.sorbsecurity.com[129.126.138.125]:2525: -1
Aug  3 17:57:18 email postfix/smtp[8194]: warning: TLS library problem: error:0A000066:SSL routines::bad dh value:ssl/statem/statem_clnt.c:2085:
Aug  3 17:57:18 email postfix/smtp[8194]: DE5DF1A00D8: Cannot start TLS: handshake failure
Aug  3 17:57:18 email postfix/smtp[8194]: SSL_connect error to mx1-sces.sorbsecurity.com[129.126.138.125]:2525: -1
Aug  3 17:57:18 email postfix/smtp[8194]: warning: TLS library problem: error:0A000066:SSL routines::bad dh value:ssl/statem/statem_clnt.c:2085:
Aug  3 17:57:18 email postfix/smtp[8194]: DE5DF1A00D8: to=<user@domain.com>, relay=mx1-sces.sorbsecurity.com[129.126.138.125]:2525, delay=1.7, delays=0.05/0.04/1.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

The failure occurs at the TLS handshake stage. This can be confirmed in Wireshark if the packets are captured.

Root Cause Analysis

Some Zimbra patches turn on FIPS mode by default. In FIPS mode the TLS client rejects the DH parameters offered by the relay during the handshake (the "bad dh value" error in the log above), so the connection to SCES never gets past the handshake. If this happens, follow the Zimbra article to turn FIPS off.

Troubleshooting

1. Check the Zimbra mail log, /var/log/zimbra.log:

https://wiki.zimbra.com/wiki/Understanding_zimbra.log_And_Postfix_Log_Events_-_MTA

2. To confirm further, run tcpdump on the Zimbra server to capture the network packets. To trigger the connection attempts, reload the Postfix MTA.

Optional:

To understand more about what happens on the connection, turn on verbose logging:

https://wiki.zimbra.com/wiki/Verbose_logging_for_specific_SMTP_connections
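As an added triage helper (not part of this article, Zimbra or SCES), the script below scans postfix/smtp entries from /var/log/zimbra.log, ties each "Cannot start TLS: handshake failure" to the OpenSSL error the same smtp process logged just before it, and reports the messages deferred by the "bad dh value" check. The sample log is constructed with documentation hostnames and addresses; the function and variable names are the author's own.

```python
import re

# Constructed /var/log/zimbra.log excerpt (documentation hostnames/addresses), shaped like
# the article's entries: one FIPS "bad dh value" failure, one handshake failure with no
# preceding OpenSSL error, and one normal delivery that must not be reported.
SAMPLE_LOG = """\
Aug  3 17:57:18 email postfix/smtp[8194]: SSL_connect error to mx2-sces.example.net[192.0.2.10]:2525: -1
Aug  3 17:57:18 email postfix/smtp[8194]: warning: TLS library problem: error:0A000066:SSL routines::bad dh value:ssl/statem/statem_clnt.c:2085:
Aug  3 17:57:18 email postfix/smtp[8194]: DE5DF1A00D8: Cannot start TLS: handshake failure
Aug  3 17:57:18 email postfix/smtp[8194]: DE5DF1A00D8: to=<user@example.com>, relay=mx1-sces.example.net[192.0.2.10]:2525, delay=1.7, delays=0.05/0.04/1.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Aug  3 17:58:02 email postfix/smtp[8201]: 0C1D2E3F4A5: Cannot start TLS: handshake failure
Aug  3 17:58:02 email postfix/smtp[8201]: 0C1D2E3F4A5: to=<other@example.com>, relay=mx1-sces.example.net[192.0.2.10]:2525, delay=0.9, delays=0.02/0.01/0.9/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Aug  3 17:59:30 email postfix/smtp[8207]: 5F6A7B8C9D0: to=<third@example.com>, relay=mx1-sces.example.net[192.0.2.10]:2525, delay=0.4, delays=0.02/0.01/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_LIB = re.compile(r"^warning: TLS library problem: (?P<err>.+)$")
HANDSHAKE = re.compile(r"^(?P<qid>[0-9A-F]+): Cannot start TLS: handshake failure$")
DELIVERY = re.compile(r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+?), .*status=(?P<status>\w+)")

def analyze_tls_failures(log_text):
    """Map queue ID -> details of each 'Cannot start TLS' failure. smtp(8) logs the OpenSSL
    error before the queue-ID line, so the last error from the same PID is attributed to it."""
    last_err, failures = {}, {}
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        t, h, d = TLS_LIB.match(msg), HANDSHAKE.match(msg), DELIVERY.match(msg)
        if t:
            last_err[pid] = t["err"]
        elif h:
            err = last_err.pop(pid, "")   # consume it so a later failure cannot inherit it
            failures[h["qid"]] = {"tls_error": err, "fips_dh_suspect": "bad dh value" in err,
                                  "relay": None, "recipients": [], "status": None}
        elif d and d["qid"] in failures:
            f = failures[d["qid"]]
            f["relay"], f["status"] = d["relay"], d["status"]
            f["recipients"].append(d["rcpt"])
    return failures

def fips_dh_report(log_text):
    """One line per message deferred because the FIPS client rejected the relay's DH parameters."""
    return [f"{qid}: {', '.join(f['recipients'])} via {f['relay']} -> {f['tls_error']}"
            for qid, f in analyze_tls_failures(log_text).items() if f["fips_dh_suspect"]]

if __name__ == "__main__":
    print("\n".join(fips_dh_report(SAMPLE_LOG)) or "no FIPS/DH handshake failures found")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/zimbra.log; a handshake failure that shows up with an empty tls_error was not caused by the DH check and needs the verbose logging above.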

At a high level, the SCES attachment protection feature replaces the attachment with an HTML wrapper in the email, which complies with the Gmail policy.

Workaround

https://wiki.zimbra.com/wiki/FIPS

Note

SCES has been configured to work with FIPS, so the workaround should not be required. If the problem occurs anyway, apply the workaround and report it to support@sorbsecurity.com.