One SWA user unable to send messages

[acb]

We have a 11.4.3 edition of Scalix running with a hosted mailnode license. One of the users in one of the mail nodes is experiencing the following error when sending any messages:

"Due to a failure to establish a connection, the message could not be sent. Please try again later. A copy of the message has been placed into your 'Drafts' folder."

One other account had experienced the same issue, and was coincidentally also a delegated mailbox under the above account. I corrected its issue by clearing the imap cache of that 2nd user. However, this did not clear up the 1st user's problem.

Strangely, other machines using that 2nd account were able to relay messages during the problem.

The only server log I could find with any relevent information was the tomcat scalix-swa.log. It says this:

2009-04-20 11:02:28,637 ERROR [SoapMail.send:1848] Failed to connect to the SMTP server.

With no other information. I am at a loss as to why this single user is unable to relay messages through SWA. He is able to relay via the Scalix connector in Outlook.

[acb]

Only other error I see is that authentication against saslauthd is failing with an "unknown" reason. The problem appears to be present for every account this user has on our system.

[acb]

I've narrowed this problem down to saslauthd being unable to pull the correct authentication information from the scalix ldap server.

testsaslauthd with the correct username and password fails with "0: NO "authentication failed"

Turning up the logging on the ldap daemon to 21 and restarting ldap didnt reveal any additional information.

Other authentication attempts to saslauthd work like a charm. But all of the accounts that this user was using have the same issue, even when the account is deleted and recreated. Authentication via sasl fails, thus breaking relay with SWA and any SMTP client.

How are authentication tokens stored within Scalix? How can I verify that the authentication information in LDAP matches what I used to create the account?

BTW, this is after configuring the system to integrate Postfix, and it was working flawlessly prior to a few days ago.

[Valerion]

Is the user authenticating against the Scalix SMTP Relay or Postfix? I've had some bad experiences with sendmail and saslauthd against Scalix, so if that's the case I would recommend you set SWA up to rather authenticate against the Scalix SMTP Relay. You can easily configure it to run a submission listener on a different port (I use 587).

If you are working against the SMTP Relay, is there anything in the Scalix event log for the attempt? Or the audit logs? You can also enable debugging on the SMTP Relay to see what happens.

[acb]

The authentication is against Postfix, which uses saslauthd to do a lookup against LDAP. In fact, any SMTP authentication attempt for this user is failing. I deleted the user with omdelu, and recreated the user. The problem persists.

testsaslauthd with the user credentials logs the following (once I pointed auth.* to /var/log/authlog in syslog):

Apr 23 09:55:43 server saslauthd[17060]: Authentication failed for user@domain.com/domain.com: Bind to ldap server failed (invalid user/password or insufficient access) (-7)

I can use the same method to authenticate successfully with other accounts. I need to find out how LDAP is storing the user credentials and why a "new" account with the same login information is still broken, yet new accounts with new information are not.

[acb]

Using submit on port 587 works around the issue, but doesn't solve the original problem. Plus, this method bypasses anti-virus scanning when internal mail is routed. How does one incorporate clamav scanning into port 587 traffic?

[Valerion]

If port 587 is the Scalix SMTP Relay you can do one of two things:

• Incorporate scanning in the Service Router, where it will also scan Outlook traffic
• use the SMTP Relay's MILTER and (soon to be deprecated) FILTER options to either incorporate a sendmail milter, or hand it to the MTA for processing

[acb]

Okay, I should be able to integrate clamav into the service router. Now I just need to figure out why certain users cannot authenticate via saslauthd but can authenticate via scalix-based mechanisms. The saslauthd log levels seem to be unhelpful, and I cannot seem get the LDAP daemon in scalix to give me any additional information.