Zimbra http error 502

Return to “Administrators”

Hello Mark,

Thank you for your post.

Please find below relevant information from log files ( I have replaced server IP and hostname with 192.168.1.33 and mydomain.com) :

====================
mailbox.log

2018-07-29 00:19:06,526 WARN [Index-7] [name=admin@mydomain.com;mid=4;] mailbox — transaction canceled because of lock failure
2018-07-29 00:19:06,527 INFO [qtp1798286609-777:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-752:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-803:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-770:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-748:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-759:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-734:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-737:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-770:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-724:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-740:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-773:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-781:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-799:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-725:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:06,527 INFO [qtp1798286609-724:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:00,200 INFO [qtp1798286609-740:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:19:44,710 INFO [LmtpServer-18] [name=admin@mydomain.com;mid=4;ip=192.168.1.33;] sqltrace — Slow execution (18032ms): SELECT mi.id, mi.type, mi.parent_id, mi.fo$
2018-07-29 00:21:27,423 ERROR [Index-7] [name=admin@mydomain.com;mid=4;] mailbox — Failed to lock mailbox
Write Lock Owner — LmtpServer-18 prio=5 id=829 state=RUNNABLE
at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1019)
at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
at sun.util.resources.ParallelListResourceBundle.loadLookupTablesIfNecessary(ParallelListResourceBundle.java:169)
at sun.util.resources.ParallelListResourceBundle.handleKeySet(ParallelListResourceBundle.java:134)
at sun.util.resources.ParallelListResourceBundle.keySet(ParallelListResourceBundle.java:143)
at sun.util.resources.ParallelListResourceBundle.containsKey(ParallelListResourceBundle.java:129)
at sun.util.resources.ParallelListResourceBundle$KeySet.contains(ParallelListResourceBundle.java:208)
at sun.util.resources.ParallelListResourceBundle.containsKey(ParallelListResourceBundle.java:129)
at sun.util.resources.ParallelListResourceBundle$KeySet.contains(ParallelListResourceBundle.java:208)
at sun.util.resources.ParallelListResourceBundle.containsKey(ParallelListResourceBundle.java:129)
at java.text.DateFormatSymbols.initializeData(DateFormatSymbols.java:716)
at java.text.DateFormatSymbols.<init>(DateFormatSymbols.java:145)
at sun.util.locale.provider.DateFormatSymbolsProviderImpl.getInstance(DateFormatSymbolsProviderImpl.java:85)
at java.text.DateFormatSymbols.getProviderInstance(DateFormatSymbols.java:364)
at java.text.DateFormatSymbols.getInstance(DateFormatSymbols.java:340)
at java.util.Calendar.getDisplayName(Calendar.java:2110)
at java.text.SimpleDateFormat.subFormat(SimpleDateFormat.java:1125)
at java.text.SimpleDateFormat.format(SimpleDateFormat.java:966)
at java.text.SimpleDateFormat.format(SimpleDateFormat.java:936)
at java.text.DateFormat.format(DateFormat.java:345)
at org.apache.log4j.pattern.CachedDateFormat.format(CachedDateFormat.java:279)
at org.apache.log4j.pattern.DatePatternConverter.format(DatePatternConverter.java:158)
at org.apache.log4j.pattern.DatePatternConverter.format(DatePatternConverter.java:145)
at org.apache.log4j.rolling.RollingPolicyBase.formatFileName(RollingPolicyBase.java:150)
at org.apache.log4j.rolling.TimeBasedRollingPolicy.rollover(TimeBasedRollingPolicy.java:226)
at org.apache.log4j.rolling.RollingFileAppender.rollover(RollingFileAppender.java:240)
at org.apache.log4j.rolling.RollingFileAppender.subAppend(RollingFileAppender.java:352)
at org.apache.log4j.WriterAppender.append(WriterAppender.java:162)
at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:251)
at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:66)
at org.apache.log4j.Category.callAppenders(Category.java:206)
at org.apache.log4j.Category.forcedLog(Category.java:391)
at org.apache.log4j.Category.info(Category.java:666)
at com.zimbra.common.util.Log.info(Log.java:247)
at com.zimbra.cs.db.DebugPreparedStatement.log(DebugPreparedStatement.java:127)
at com.zimbra.cs.db.DebugPreparedStatement.executeQuery(DebugPreparedStatement.java:171)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
at com.zimbra.cs.db.StatTrackingPreparedStatement.executeQuery(StatTrackingPreparedStatement.java:352)
at com.zimbra.cs.db.DbMailItem.getByHashes(DbMailItem.java:2706)
at com.zimbra.cs.mailbox.Threader.lookupByReference(Threader.java:348)
at com.zimbra.cs.mailbox.Threader.lookupConversation(Threader.java:304)
at com.zimbra.cs.mailbox.Mailbox.addMessageInternal(Mailbox.java:6078)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5913)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5847)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5842)
at com.zimbra.cs.filter.IncomingMessageHandler.addMessage(IncomingMessageHandler.java:137)
at com.zimbra.cs.filter.IncomingMessageHandler.implicitKeep(IncomingMessageHandler.java:129)
at com.zimbra.cs.filter.ZimbraMailAdapter.keep(ZimbraMailAdapter.java:446)
at com.zimbra.cs.filter.ZimbraMailAdapter.executeActions(ZimbraMailAdapter.java:274)
at org.apache.jsieve.SieveFactory.evaluate(SieveFactory.java:175)
at com.zimbra.cs.filter.RuleManager.applyRulesToIncomingMessage(RuleManager.java:537)
at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliverMessageToLocalMailboxes(ZimbraLmtpBackend.java:615)
at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliver(ZimbraLmtpBackend.java:385)
at com.zimbra.cs.lmtpserver.LmtpHandler.processMessageData(LmtpHandler.java:445)
at com.zimbra.cs.lmtpserver.TcpLmtpHandler.continueDATA(TcpLmtpHandler.java:79)
at com.zimbra.cs.lmtpserver.LmtpHandler.doDATA(LmtpHandler.java:434)
at com.zimbra.cs.lmtpserver.LmtpHandler.processCommand(LmtpHandler.java:216)
at com.zimbra.cs.lmtpserver.TcpLmtpHandler.processCommand(TcpLmtpHandler.java:72)
at com.zimbra.cs.server.ProtocolHandler.processConnection(ProtocolHandler.java:189)
at com.zimbra.cs.server.ProtocolHandler.run(ProtocolHandler.java:128)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

com.zimbra.cs.mailbox.MailboxLock$LockFailedException: timeout
at com.zimbra.cs.mailbox.MailboxLock.lock(MailboxLock.java:211)
at com.zimbra.cs.mailbox.Mailbox.beginTransaction(Mailbox.java:1726)
at com.zimbra.cs.mailbox.Mailbox.beginReadTransaction(Mailbox.java:1702)
at com.zimbra.cs.mailbox.MailboxIndex.indexItemList(MailboxIndex.java:744)
at com.zimbra.cs.mailbox.MailboxIndex.indexDeferredItems(MailboxIndex.java:408)
at com.zimbra.cs.mailbox.MailboxIndex.access$600(MailboxIndex.java:86)
at com.zimbra.cs.mailbox.MailboxIndex$BatchIndexTask.exec(MailboxIndex.java:1442)
at com.zimbra.cs.mailbox.MailboxIndex$IndexTask.run(MailboxIndex.java:1421)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2018-07-29 00:21:40,526 WARN [Index-7] [name=admin@mydomain.com;mid=4;] mailbox — transaction canceled because of lock failure
2018-07-29 00:20:29,084 INFO [qtp1798286609-720:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:20:29,082 INFO [qtp1798286609-724:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:20:23,386 INFO [qtp1798286609-753:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:20:23,380 INFO [qtp1798286609-795:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-764:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-770:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-742:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-720:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-760:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,070 INFO [qtp1798286609-737:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,071 INFO [qtp1798286609-773:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,071 INFO [qtp1798286609-746:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$
2018-07-29 00:22:00,071 INFO [qtp1798286609-562:https:https://mail.mydomain.com:7073/service/admin/soap/] [] misc — Suspending for 1000ms because context path /service is at 20$

============================

============================
nginx.log

2018/07/28 21:02:36 [notice] 22592#0: memcached channel:192.168.1.33:11211 down, reconnect after:60000 ms
2018/07/28 21:02:41 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/logo/$
2018/07/28 21:02:41 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/zimbr$
2018/07/28 21:02:41 [notice] 22593#0: *22 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/zimbr$
2018/07/28 21:02:41 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:41 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «HEAD /public/b$
2018/07/28 21:02:41 [notice] 22593#0: *41 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /js/MailCo$
2018/07/28 21:02:41 [notice] 22593#0: *42 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/anima$
2018/07/28 21:02:42 [notice] 22593#0: *41 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:42 [notice] 22593#0: *43 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /skins/_ba$
2018/07/28 21:02:42 [notice] 22593#0: *42 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:42 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:42 [notice] 22593#0: *22 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:42 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:42 [notice] 22593#0: *43 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:44 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:02:44 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:02:44 [notice] 22593#0: *41 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/logo/$
2018/07/28 21:02:44 [notice] 22593#0: *22 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /img/logo/$
2018/07/28 21:02:44 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:44 [notice] 22593#0: *22 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:44 [notice] 22593#0: *41 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:44 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:45 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /js/Contac$
2018/07/28 21:02:45 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:46 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /home/admi$
2018/07/28 21:02:46 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /home/admi$
2018/07/28 21:02:46 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:46 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:47 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /skins/har$
2018/07/28 21:02:47 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /skins/har$
2018/07/28 21:02:47 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:47 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:02:48 [notice] 22593#0: *41 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «GET /js/Startu$
2018/07/28 21:03:56 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:03:56 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:03:57 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:03:57 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:03:58 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:03:58 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:03:59 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:03:59 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:06 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:06 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:07 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:08 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:09 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:09 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:10 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:10 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:11 [info] 22593#0: *135 proxied session done, client: 23.101.117.29:47702, server: 0.0.0.0:993, login: «diego.ucharo@mydomain.com», upstream: 192.168.1.33:79$
2018/07/28 21:04:11 [info] 22593#0: *158 proxied session done, client: 23.101.117.29:48210, server: 0.0.0.0:993, login: «diego.ucharo@mydomain.com», upstream: 192.168.1.33:79$
2018/07/28 21:04:11 [info] 22593#0: *181 client 23.101.117.29:48614 connected to 0.0.0.0:993
2018/07/28 21:04:12 [notice] 22593#0: *181 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48614, server: 0.0.0.0:993, logi$
2018/07/28 21:04:12 [notice] 22593#0: *181 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48614, server: 0.0.0.0:993, logi$
2018/07/28 21:04:12 [notice] 22593#0: *181 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 23.101.117.29:48614, server: 0.0.$
2018/07/28 21:04:12 [notice] 22593#0: *181 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 23.101.117.29:48614, server: 0.0.$
2018/07/28 21:04:13 [info] 22593#0: *181 client logged in, client: 23.101.117.29:48614, server: 0.0.0.0:993, login: «diego.ucharo@mydomain.com», upstream: 192.168.1.33:7993 ($
2018/07/28 21:04:13 [notice] 22594#0: *24 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:13 [notice] 22594#0: *24 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:14 [notice] 22593#0: *11 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:14 [notice] 22593#0: *11 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:15 [info] 22593#0: *188 client 23.101.117.29:48762 connected to 0.0.0.0:993
2018/07/28 21:04:15 [notice] 22593#0: *23 no memcache server available, cannot post request, client: 190.237.183.182, server: mail.mydomain.com.default, request: «POST /service/$
2018/07/28 21:04:15 [notice] 22593#0: *23 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 190.237.183.182, server: mail.clos$
2018/07/28 21:04:15 [notice] 22593#0: *188 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48762, server: 0.0.0.0:993, logi$
2018/07/28 21:04:15 [notice] 22593#0: *188 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48762, server: 0.0.0.0:993, logi$
2018/07/28 21:04:16 [notice] 22593#0: *188 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 23.101.117.29:48762, server: 0.0.$
2018/07/28 21:04:16 [notice] 22593#0: *188 no memcache server available, cannot post request while SSL handshaking to lookup handler, client: 23.101.117.29:48762, server: 0.0.$
2018/07/28 21:04:16 [info] 22593#0: *188 client logged in, client: 23.101.117.29:48762, server: 0.0.0.0:993, login: «diego.ucharo@mydomain.com», upstream: 192.168.1.33:7993 ($
2018/07/28 21:04:17 [info] 22593#0: *193 client 23.101.117.29:48852 connected to 0.0.0.0:993
2018/07/28 21:04:18 [notice] 22593#0: *193 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48852, server: 0.0.0.0:993, logi$
2018/07/28 21:04:18 [notice] 22593#0: *193 no memcache server available, cannot post request while in mail zmauth state, client: 23.101.117.29:48852, server: 0.0.0.0:993, logi$

==============================

==============================

zimbra logegrep ‘(reject|warning|error|fatal|panic):’ /var/log/zimbra.log

Jul 29 16:33:17 mail postfix/submission/smtpd[20069]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:17 mail postfix/submission/smtpd[20069]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:33:17 mail postfix/submission/smtpd[20069]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:17 mail postfix/submission/smtpd[20069]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:33:18 mail postfix/submission/smtpd[20069]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:18 mail postfix/submission/smtpd[20069]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:33:26 mail postfix/submission/smtpd[14634]: warning: unknown[206.189.228.184]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:33:26 mail postfix/submission/smtpd[14678]: warning: unknown[192.81.216.62]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:33:30 mail postfix/submission/smtpd[14634]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:30 mail postfix/submission/smtpd[14634]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:33:31 mail postfix/submission/smtpd[14678]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:31 mail postfix/submission/smtpd[14678]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:33:32 mail postfix/submission/smtpd[16709]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:33:36 mail postfix/submission/smtpd[14634]: warning: hostname qa.swarmwkr2 does not resolve to address 192.81.216.62: Name or service not known
Jul 29 16:33:37 mail postfix/submission/smtpd[16917]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:33:42 mail postfix/submission/smtpd[16709]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:42 mail postfix/submission/smtpd[17079]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:33:47 mail postfix/submission/smtpd[17079]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:52 mail postfix/submission/smtpd[20252]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:57 mail postfix/submission/smtpd[20455]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:33:57 mail postfix/submission/smtpd[20455]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:03 mail postfix/submission/smtpd[20522]: warning: hostname qa.swarmwkr2 does not resolve to address 192.81.216.62: Name or service not known
Jul 29 16:34:08 mail postfix/submission/smtpd[20796]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:08 mail postfix/submission/smtpd[20796]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:08 mail postfix/submission/smtpd[20796]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:08 mail postfix/submission/smtpd[20796]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:09 mail postfix/submission/smtpd[20796]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:09 mail postfix/submission/smtpd[20796]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:09 mail postfix/submission/smtpd[20796]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:09 mail postfix/submission/smtpd[20796]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:11 mail postfix/submission/smtpd[17089]: warning: unknown[206.189.228.249]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:34:11 mail postfix/submission/smtpd[17142]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:34:17 mail postfix/submission/smtpd[17370]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:34:20 mail postfix/submission/smtpd[20796]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:22 mail postfix/submission/smtpd[14829]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:34:26 mail postfix/submission/smtpd[17089]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:27 mail postfix/submission/smtpd[15055]: warning: unknown[192.81.215.213]: SASL LOGIN authentication failed: authentication failure
Jul 29 16:34:36 mail postfix/submission/smtpd[15055]: warning: hostname qa.swarmwkr2 does not resolve to address 192.81.216.62: Name or service not known
Jul 29 16:34:41 mail postfix/submission/smtpd[14829]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:46 mail postfix/submission/smtpd[20973]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:51 mail postfix/submission/smtpd[20977]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:51 mail postfix/submission/smtpd[20977]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission
Jul 29 16:34:52 mail postfix/submission/smtpd[20977]: warning: hostname qa.swarmwkr1 does not resolve to address 192.81.215.213: Name or service not known
Jul 29 16:34:52 mail postfix/submission/smtpd[20977]: warning: Connection concurrency limit exceeded: 51 from unknown[192.81.215.213] for service submission

==============================

Any feedback or suggestions will be highly appreciated.

Kind regards,

Martin

Setting up your own email server on Linux from scratch is a long and tedious process, a pain in the butt if you are not an advanced user. This tutorial will be showing you how to use Zimbra to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.

What is Zimbra?

Zimbra is an open-source email, calendaring, and collaboration software suite developed by Synacor, Inc. It comes with a shell script that automatically installs and configures all necessary mail server components on your Linux server, thus eliminating manual installation and configuration. With Zimbra, you can easily create unlimited mailboxes and unlimited mail domains in a web-based admin panel. Email accounts can be managed in MariaDB or OpenLDAP. The following is a list of open-source software that will be automatically installed and configured by Zimbra.

• Postfix SMTP server
• Nginx web server to serve the admin console and webmail. It will also be used as an IMAP/POP3 proxy.
• Jetty: web application server that runs Zimbra software.
• OpenLDAP stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication.
• MariaDB database
• OpenDKIM: for DKIM signing and verification
• Amavised-new: an interface between MTA and content scanner.
• SpamAssassin for anti-spam
• ClamAV: anti-virus scanner
• Lucene: open-source full-featured text and search engine
• Apache JSieve: email message filter
• LibreOffice: High fidelity document preview
• Aspell: an open-source spell checker used on the Zimbra Web Client
• memcached: open-source object caching system.
• unbound: lightweight and fast DNS resolver.

Zimbra also ships with some of its own developed software:

• zimbra-drive: cloud storage.
• zimbra-chat: text chat.
• zimbra-talk: group messaging and video conferencing with screen sharing and file sharing funcationality.
• mailboxd: Its own developed IMAP/POP3 server.

There are two editions of Zimbra:

• Free open-source edition.
• Commercially supported Network Edition with 60-days free trial.

Some well-known Zimbra users include: Mozilla, Skype, O’Reilly Media, Standford University, and Comcast. We will be using the open-source edition (OSE) in this article.

Server Requirements

• A clean fresh Ubuntu 18.04 OS.
• At least 2 CPU cores and 3GB RAM. If you use a single-core CPU, Zimbra will be running very slowly. And you need a server with at least 3GB of RAM, because after the installation, your server will use more than 2GB of RAM.

Step 1: Choose the Right Hosting Provider and Buy a Domain Name

Zimbra must be installed on a clean fresh server.

This tutorial is done on a $9/month Kamatera VPS (virtual private server) with 1 CPU and 3GB RAM. They offer a 30-day free trial.

Kamatera is a very good option to run a mail server because

• They don’t block port 25, so you can send unlimited emails (transactional email and newsletters) without spending money on SMTP relay service. Kamatera doesn’t have any SMTP limits. You can send a million emails per day.
• The IP address isn’t on any email blacklist. (At least this is true in my case. I chose the Dallas data center.) You definitely don’t want to be listed on the dreaded Microsoft Outlook IP blacklist or the spamrats blacklist. Some blacklists block an entire IP range and you have no way to delist your IP address from this kind of blacklist.
• You can edit PTR record to improve email deliverability.
• They allow you to send newsletters to your email subscribers with no hourly limits or daily limits, whatsoever.
• You can order multiple IP addresses for a single server. This is very useful for folks who need to send a large volume of emails. You can spread email traffic on multiple IP addresses to achieve better email deliverability.

Other VPS providers like DigitalOcean blocks port 25. DigitalOcean would not unblock port 25, so you will need to set up SMTP relay to bypass blocking, which can cost you additional money. If you use Vultr VPS, then port 25 is blocked by default. They can unblock it if you open a support ticket, but they may block it again at any time if they decide your email sending activity is not allowed. Vultr actually may re-block it if you use their servers to send newsletters.

Go to Kamatera website to create an account, then create your server in your account dashboard.

I recommend following the tutorial linked below to properly set up your Linux VPS server on Kamatera.

• How to Create a Linux VPS Server on Kamatera

Once you created a server, Kamatera will send you an email with the server SSH login details. To log into your server, you use an SSH client. If you are using Linux or macOS on your computer, then simply open up a terminal window and run the following command to log into your server. Replace 12.34.56.78 with your server’s IP address.

ssh [email protected]

You will be asked to enter the password.

It’s highly recommended that you use Ubuntu LTS like Ubuntu 18.04. Installing a piece of complex server software like Zimbra on a non-LTS Ubuntu is discouraged as you will probably encounter problems when upgrading your OS every 9 months. It is far better for your mail server to stay stable for 2 or 5 years.

You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

Step 2: Creating DNS MX Record

The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to [email protected], then Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then queries the A record of mail.linuxbabe.com to get the IP address, thus the email can be delivered.

You need to go to your DNS hosting service (usually your domain registrar) to create DNS records. In your DNS manager, create a MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.

Note: The hostname for MX record can not be an alias to another name. Also, It’s highly recommended that you use hostnames, rather than bare IP addresses for MX record.

Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. It’s recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails. After creating MX record, you also need to create an A record for mail.your-domain.com , so that it can be resolved to an IP address. If your server uses IPv6 address, be sure to add AAAA record.

Hint: If you use Cloudflare DNS service, you should not enable the CDN feature when creating A record for mail.your-domain.com. Cloudflare does not support SMTP proxy.

Step 3: Configuring Hostname

Log into your server via SSH, then run the following command to update existing software packages.

sudo apt update

sudo apt upgrade -y

I strongly recommend creating a sudo user for managing your server rather than using the default root user. Run the following command to create a user. Replace username with your preferred username.

adduser username

Then add the user to the sudo group.

adduser username sudo

Switch to the new user.

su - username

Next, set a fully qualified domain name (FQDN) for your server with the following command.

sudo hostnamectl set-hostname mail.your-domain.com

We also need to update /etc/hosts file with a command-line text editor like Nano.

sudo nano /etc/hosts

Edit it like below. Use arrow keys to move the cursor in the file. You must put your mail server hostname after localhost.

127.0.0.1       localhost.localdomain localhost mail.your-domain.com

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To close the file, press Ctrl+X.)

To see the changes, re-login and then run the following command to see your hostname.

hostname -f

Step 4: Install Zimbra Mail Server on Ubuntu 18.04

Zimbra 9 still provides an open-source edition. However, it doesn’t provide the binary. Only the source code is available. Fortunately, there’s a third-party Zimbra solution provider named Zextras that offers Zimbra binary download.

You can go to Zextras website, and fill out a form to get the Zimbra 9 binary download link. If you don’t want to fill out the form, run the following command on your server to download Zimbra 9 installer.

wget download.zextras.com/zcs-9.0.0_OSE_UBUNTU18_latest-zextras.tgz

Extract the archived file.

tar xvf zcs-9.*.tgz

Then change to the newly-created directory.

cd zcs-9*/

Before running the installer script, install the netstat utility.

sudo apt install net-tools

Next, run the Bash script with sudo privilege.

sudo bash install.sh

The mail server setup wizard will appear. First, you need to agree with the terms of the software license agreement.

Then type y to confirm that you want to use Zimbra’s package repository.

Next, it will ask you to select the packages you want to install. You can install them by pressing y. ( Y is capitalized, which means it’s the default answer when you press Enter.) Note that the zimbra-imapd package is currently in beta and it’s not recommended to install it. I simply press Enter to use the default answers.

Confirm the packages you selected by pressing y.

Now installation begins.

It might tell you that you need to change the hostname. Answer y and enter your mail server hostname (mail.your-domain.com).

It might also tell you that you need to change the domain name. This tutorial assumes that you want an email address like [email protected]in.com. In that case, Type Y and then enter your-domain.com here, without sub-domain.

If it tells you that none of the MX records resolve to this host, then you need to create DNS A record for mail.your-domain.com.

If there’s a port conflict detected for zimbra-dnscache (port 53), then you need to open another SSH session and run the following command to stop the systemd-resolved service.

sudo systemctl stop systemd-resolved

and continue the installation.

Then the main menu displays. It tells you that the admin password is not set, so you need to press 7, then press 4 to set the admin password.

Once you set a password for the admin account, press r to go back to the main menu, then press the following keys.

• Press a to apply the configuration.
• Press y to save the configuration to a file.
• Press Enter to use the default file name.
• Press y to continue.

Wait for the installation process to finish. At the end of the installation, you have the option to notify Zimbra of your installation.

Once the configuration is complete, press Enter to exit from the setup wizard. Now you can visit the web-based admin panel at https://mail.your-domain.com. Because it’s using a self-signed TLS certificate, you need to add a security exception in your web browser. You will learn how to install a valid Let’s Encrypt TLS certificate in step 7.

Step 5: Configure Systemd-Resolved

Systemd-resolved is the default DNS resolver manager on Ubuntu. We need to change its configuration to make it work with Zimbra. It should start after the Zimbra service at system boot time.

The service configuration file for systemd-resolved is /lib/systemd/system/systemd-resolved.service. To override the default systemd service configuration, we create a separate directory.

sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d/

Then create a file under this directory.

sudo nano /etc/systemd/system/systemd-resolved.service.d/custom.conf

Add the following lines in the file, which will make systemd-resolved start after Zimbra is started, and we make it sleep 60 seconds before it will be started.

[Unit]
After=zimbra.service
Before=

[Service]
ExecStartPre=/bin/sleep 60

Save and close the file. Then reload systemd for the changes to take effect.

sudo systemctl daemon-reload

Step 6: Testing Unbound DNS Resolver

The unbound DNS resolver is installed by Zimbra. However, it might not be able to work out of the box. Restart your server.

sudo shutdown -r now

Then log in to your server again over SSH and run the following command to test if DNS resolution is working.

dig A linuxbabe.com

If you see the SERVFAIL error, it means Unbound isn’t running properly.

To fix it, switch to the zimbra user.

sudo su - zimbra

And check which upstream DNS resolver Unbound is using.

zmprov getServer `zmhostname` | grep DNSMasterIP

A correct setup should show you that 8.8.8.8 is the upstream DNS resolver.

zimbraDNSMasterIP: 8.8.8.8

If 127.0.0.53 is the upstream resolver, you have a problem. Remove it with:

zmprov ms `zmhostname` -zimbraDNSMasterIP 127.0.0.53

Then add 8.8.8.8 as the upstream resolver.

zmprov ms `zmhostname` +zimbraDNSMasterIP 8.8.8.8

Now exit from the zimbra user

exit

Wait a few moments and run the following command again to test.

dig A linuxbabe.com

You should see the following output, which means it’s working correctly now.

If you run the following command to show which DNS resolver your server is using,

cat /etc/resolv.conf

and it tells you that

/etc/resolv.conf: No such file or directory

Check if the systemd-resolved.service is running.

sudo systemctl status systemd-resolved

Run the following command to make sure it will be automatically started at boot time.

sudo systemctl enable --now systemd-resolved

Step 7: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, run the following command to install the latest Let’s Encrypt (certbot) client from the Snap store.

sudo snap install certbot --classic

Zimbra has already configured TLS settings in the Nginx, we can use the standalone plugin to obtain a certificate over TCP port 80. Run the following command. Replace the red text with your actual data.

sudo /snap/bin/certbot certonly --standalone --agree-tos --staple-ocsp --email [email protected] -d mail.your-domain.com --preferred-chain 'ISRG Root X1'

• certonly: obtain the certificate, but don’t install it automatically.
• --standalone: uses the standalone plugin to obtain certificate.
• --preferred-chain 'ISRG Root X1': Use the ISRG Root X1 certificate chain, because the default DST root CA certificate expired on September 31, 2021.

When it asks you if you want to receive communications from EFF, you can choose No.

If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/mail.your-domain.com/ directory.

Failure to Obtain TLS Certificate

If certbot failed to obtain TLS certificate, maybe it’s because your DNS records are not propagated to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io, enter your mail server’s hostname (mail.your-domain.com) to check DNS propagation.

Installing the Certificate in Zimbra

After obtaining a TLS certificate, let’s configure Zimbra to use it. Grant permission to the zimbra user so it can read the Let’s Encrypt files.

sudo apt install acl

sudo setfacl -R -m u:zimbra:rwx /etc/letsencrypt/

Switch to the zimbra user.

sudo su - zimbra

Copy the private key.

cp /etc/letsencrypt/live/mail.your-domain.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

Download Let’s Encrypt Root CA certificate.

wget -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

Create a certificate chain. The following command will put the root CA certificate (isrgrootx1.pem) under the intermediate CA certificate (chain.pem). You should not reverse the order, or it won’t work.

cat /etc/letsencrypt/live/mail.your-domain.com/chain.pem /tmp/isrgrootx1.pem > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

deploy the certificate.

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.your-domain.com/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

View the deployed cert.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra.

zmcontrol restart

Run the following command as the zimbra user to check if all Zimbra services are running.

zmcontrol status

If all is working, it should display

Troubleshooting

Wrong Hostname

If the zmcontrol status command shows the localhost.localdomain hostname, then you need to change the hostname to mail.your-domain.com.

/opt/zimbra/libexec/zmsetservername -n mail.your-domain.com

Then delete localhost.localdomain.

zmloggerhostmap -d localhost.localdomain localhost.localdomain

OpenLDAP Failure

If OpenLDAP fails to restart, and it says that

Unable to start TLS: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed when connecting to ldap master.

Then you can disable TLS on OpenLDAP with the following two commands. Some folks might be wondering if it’s safe to disable TLS on OpenLDAP. It is safe because the LDAP connection is only established on the mail server itself. There’s no LDAP connection to be established from another host.

zmlocalconfig -e ldap_starttls_required=false

zmlocalconfig -e ldap_starttls_supported=0

Then restart Zimbra services.

zmcontrol restart

Hint: If you have successfully deploy Let’s Encrypt TLS certificate in Zimbra as instructed earlier, then your OpenLDAP server should have no problem in starting TLS.

Amavis Failure

If Amavis is not running, then restart it with:

zmamavisdctl restart

If the restart failed, you should check the Zimbra log file (/var/log/zimbra.log). For example, I have the following error message in this file.

Ignoring stale PID file /opt/zimbra/log/amavisd.pid, older than system uptime 0 0:01:00
Pid_file already exists for running process (3340)

So I need to delete the stale PID file.

rm /opt/zimbra/log/amavisd.pid

Then restart Amavis.

zmamavisdctl restart

Reduce CPU & RAM Usage

Avoid using the zmcontrol restart command whenever you can, because it will generate many report emails to the admin account. Every email will invoke ClamAV for virus-scanning. ClamAV is a resource hog. If you need to start/stop an individual Zimbra service, use the specific tools to complete the task .

• zmopendkimctl: OpenDKIM.
• zmamavisdctl: Amavis
• zmantispamctl: Anti-Spam
• zmdnscachectl: Unbound DNS resolver.
• zmantivirusctl: Anti-Virus
• zmmtactl: Postfix SMTP server
• zmspellctl: Spell checking
• zmzimletctl: Zimlet webapp
• zmmailboxdctl: mailboxd
• zmstatctl: stats
• zmconfigdctl: zmconfigd
• zmmemcachedctl: memcached
• zmloggerctl: logger

To reduce the CPU and RAM usage by Amavis and ClamAV, run the following two commands as the zimbra user.

zmprov ms `zmhostname` zimbraAmavisMaxServers 1
zmprov ms `zmhostname` zimbraClamAVMaxThreads 1

This will make Amavis and ClamAV use only one thread to process emails. (Default is 10) If you have a 4 cores CPU and 16 GB RAM, you can increase the number of threads to make email processing faster.

Step 9: Sending Test Email

Now you can visit the Zimbra web client again. Your web browser won’t warn you anymore because Nginx is now using a valid TLS certificate.

Log into Zimbra web client with the admin account ([email protected]) and you can test email sending and receiving.

Zimbra has a built-in calendar.

You can log into the admin console, which is accessible from the dropdown menu in the upper-right corner. Or you can access it via https://mail.your-domain.com:7071/zimbraAdmin/.

Click the Add Account link to add new email addresses.

Step 10: Checking If Port 25 (outbound) is blocked

Your ISP or hosting provider won’t block incoming connection to port 25 of your server, which means you can receive emails from other mail servers. However, many ISP/hosting providers block outgoing connection to port 25 of other mail servers, which means you can’t send emails.

Hint: If you use Kamatera VPS, then the outbound port 25 is open by default.

If your email didn’t arrive at your other email address such as Gmail, then run the following command on your mail server to check if port 25 (outbound) is blocked.

telnet gmail-smtp-in.l.google.com 25

If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)

Trying 74.125.68.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y22si1641751pll.208 - gsmtp

If port 25 (outbound) is blocked, you would see something like:

Trying 2607:f8b0:400e:c06::1a...
Trying 74.125.195.27...
telnet: Unable to connect to remote host: Connection timed out

In this case, your Postfix can’t send emails to other SMTP servers. Ask your ISP/hosting provider to open it for you. If they refuse your request, you need to set up SMTP relay to bypass port 25 blocking.

Still Can’t Send Email?

If port 25 (outbound) is not blocked, but you still can’t send emails from your own mail server to your other email address like Gmail, then you should check the mail log (/var/log/mail.log).

sudo tail -n 30 /var/log/mail.log

For example, some folks might see the error message.

host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1 [2a0d:7c40:3000:b8b::2] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information

This means your mail server is using IPv6 to send the email, but you didn’t set up IPv6 records. You should go to your DNS manager, set AAAA record for mail.your-domain.com, then you should set PTR record for your IPv6 address, which is discussed in step 9.

Step 11: Login From Mail Clients

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.

• In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
• In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Step 12: Improving Email Deliverability

To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.

PTR record

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run this command:

dig -x IP-address +short

or

host IP-address

PTR record isn’t managed by your domain registrar. It’s managed by the organization that gives you an IP address. Because you get IP address from your hosting provider or ISP, not from your domain registrar, so you must set PTR record for your IP in the control panel of your hosting provider, or ask your ISP. Its value should be your mail server’s hostname: mail.your-domain.com. If your server uses IPv6 address, be sure to add a PTR record for your IPv6 address as well.

To edit the reverse DNS record for your Kamatera VPS, log into the Kamatera client area, then open a support ticket and tell them to add PTR record for your server IP addresss to point the IP address to mail.your-domain.com. It’s not convenient, you might think, but this is to keep spammers away from the platform, so legitimate email senders like us will have a great IP reputation.

SPF Record

SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.

Explanation:

• TXT indicates this is a TXT record.
• Enter @ in the name field to represent the main domain name.
• v=spf1 indicates this is a SPF record and the version is SPF1.
• mx means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
• ~all indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as forged.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux mail server like below:

dig your-domain.com txt

The txt option tells dig that we only want to query TXT records.

DKIM Record

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

Run the following command to generate DKIM keys on your Zimbra mail server.

/opt/zimbra/libexec/zmdkimkeyutil -a -d your-domain.com

The DKIM public key is in the parentheses. My DKIM selector is F9421034-2BCF-11EC-80AF-728BCB6E6C77. The DKIM sub-domain is F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey.linuxbabe.com. Yours might be different.

Then in your DNS manager, create a TXT record, enter F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey in the name field. (Your DKIM sub-domain might be different.) Copy everything in the parentheses and paste it into the value field. Delete all double quotes and line breaks.

Note that your DKIM record may need some time to propagate to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ to check if your DKIM record is valid.

DMARC Record

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC can help receiving email servers to identify legitimate emails and prevent your domain name from being used by email spoofing.

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. (You should create the [email protected] email address.)

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. If you want to read the full explanation of DMARC, please check the following article. Note that this is optional.

• Creating DMARC Record to Protect Your Domain Name From Email Spoofing

Step 13: Testing Email Score and Placement

After creating PTR, SPF, DKIM record, go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR record, SPF and DKIM record is valid.

Mail-tester.com can only show you a sender score. There’s another service called GlockApps that allow you to check if your email is landed in the recipient’s inbox or spam folder, or rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, YahooMail, iCloud mail, etc.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: How to stop your emails being marked as spam. Although it will take some time and effort, your emails will eventually be placed in inbox after applying these tips.

What if Your Email is Rejected by Microsoft Mailbox?

Microsoft seems to be using an internal blacklist that blocks many legitimate IP addresses. If your emails are rejected by Outlook or Hotmail, you need to submit the sender information form. After that, your email will be accepted by Outlook/Hotmail.

Troubleshooting

First, please use a VPS with at least 4GB RAM. Running Zimbra on a 2GB RAM VPS will cause the database, SpamAssassin, or ClamAV to be killed because of out-of-memory problem. If you really want to use a 2GB RAM VPS, you are going to lose incoming emails and have other undesirable outcomes.

As a rule of thumb, you should always check the mail log /var/log/mail.log when there’s email delivery problem.

HTTP ERROR 502

If the Zimbra web interface isn’t accessible, such as a 502 gateway error, it’s likely that your server needs more RAM.

You can also try to restart all Zimbra services to fix this issue.

Run the following command as the zimbra user to check if all Zimbra services are running.

zmcontrol status

If you enabled the firewall, you should open the following ports in the firewall.

HTTP port:  80
HTTPS port: 443
SMTP port:  25
Submission port: 587
SMTPS port: 465 (For Microsoft Outlook mail client)
IMAP port:  143 and 993

If you would like to use the UFW firewall, check my guide here: Getting started with UFW firewall on Debian and Ubuntu.

How to Renew TLS Certificate

Let’s Encrypt issued TLS certificate is valid for 90 days only and it’s important that you set up a Cron job to automatically renew the certificate. You can run the following command to renew certificate.

sudo certbot renew

You can use the --dry-run option to test the renewal process, instead of doing a real renewal.

sudo /snap/bin/certbot renew --dry-run

Create Cron Job

If the dry run is successful, you can create Cron job to automatically renew certificate. Simply open root user’s crontab file.

sudo crontab -e

Then add the following line at the bottom of the file.

@daily /snap/bin/certbot renew --quiet

Save and close the file.

Setting Up Backup Mail Server

Your primary mail server could be down sometimes. If you host your mail server in a data center, then the downtime is very minimal, so you shouldn’t be worried about losing inbound emails. If you host your mail server at home, the downtime can’t be predicted so it’s a good practice for you to run a backup mail server in a data center to prevent losing inbound emails. The backup mail server needs just 512MB RAM to run. Please check the full detail in the following article.

• How to Set up a Backup Email Server with Postfix on Ubuntu (Complete Guide)

Setting Up SMTP for your Website

If your website and mail server are running on two different VPS (virtual private server), you can set up SMTP relay between your website and mail server, so that your website can send emails through your mail server. See the following article.

• How to set up SMTP relay between 2 Postfix SMTP servers on Ubuntu

Wrapping Up

That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 18.04 with Zimbra. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Здравствуйте, друзья!

Когда дело доходит до проверки веб-сайтов в интернете, вы можете столкнуться с различными ошибками.

Одной из самых известных и популярных среди всех является ошибка «502 Bad Gateway».

В то время как ваше интернет-соединение или компьютер не имеют к этому никакого отношения, поскольку проблема связана с веб-сайтом.

Тем не менее, проверка своего соединения всегда стоит того.

Итак, в этой статье мы собираемся обсудить некоторые из наиболее известных способов исправления ошибки.

Что такое ошибка «502 Bad Gateway»?

Для облегчения понимания отображается ошибка «502 Bad Gateway Error», когда веб-сервер не может получить действительный ответ от входящего сервера.

Каждый раз, когда вы заходите на веб-сайт, ваш веб-браузер отправляет запросы на веб-сервер.

После обработки запроса веб-сервер отправляет обратно запрошенные ресурсы.

Теперь используется термин 502, поскольку это обозначенный код состояния HTTP, используемый веб-сервером для определения ошибок, связанных с сервером.

Есть множество причин, по которым вы можете получить такой ответ.

Во-первых, между двумя серверами может быть перегрузка сервера или даже проблема с сетью.

Иногда даже неправильная конфигурация брандмауэра может вызвать ошибку «502 Bad Gateway».

Вариация ошибки «502 Bad Gateway»

С множеством веб-браузеров, веб-сервисов и операционных систем вы действительно можете найти различные варианты «502 Bad Gateway».

В этом разделе мы собрали все варианты ошибки «502 Bad Gateway Error», с которыми вы можете столкнуться.

• 502 Bad Gateway;
• HTTP Error 502: Bad Gateway;
• Error 502;
• 502 Proxy Error;
• 502 Service Temporarily Overloaded;
• 502 Server Error: The server encountered a temporary error and could not complete your request;
• 502 bad gateway Cloudflare;
• Temporary Error (502);
• HTTP 502”.

7 способов исправить ошибку «502 Bad Gateway»

Независимо от того, как ошибка представлена вам, с вашей машиной все в порядке.

В большинстве случаев это что-то со стороны сервера.

При этом есть еще некоторые исправления, которые вы можете попробовать со своей стороны.

1. Обновите страницу

Это само собой разумеется, но обновление вашей веб-страницы может мгновенно решить вашу проблему.

Фактически, в большинстве случаев ошибка «502 Bad Gateway Error» носит временный характер.

Вы можете просто перезагрузить страницу с помощью обновить страницу в браузере или нажатием клавиш F5, Ctrl + F5 или CMD + R.

Скорее всего, хост-сервер может испытать перегрузку, и ваш веб-сайт скоро появится в сети.

Тем временем вы также можете попробовать загрузить веб-сайт в другом браузере, чтобы проверить, сохраняется ли проблема.

2. Проверка, доступен ли этот веб-сайт для всех

Если вам не удалось связаться с каким-либо веб-сайтом, всегда полезно проверить, связана ли проблема с вашей стороной или другие люди тоже испытывают те же самые проблемы.

На самом деле существует множество веб-сайтов и инструментов, которые могут оказать вам необходимую помощь.

Наиболее часто используемые — это downforeveryoneorjustme.com и isitdownrightnow.com.

Оба сайта работают одинаково.

Все, что вам нужно сделать, это вставить URL-адрес, который вы предпочитаете проверить, и вы получите соответствующие результаты.

В случае, если вы получите сообщение о том, что веб-сайт недоступен для всех, вы вряд ли сможете что-либо сделать со своей стороны.

Напротив, если отчет показывает, что веб-сайт работает, вам необходимо проверить соединение на своем конце.

Вы всегда можете попробовать другие советы, упомянутые ниже.

3. Выберите другой браузер

Как указывалось ранее, всегда есть вероятность, что ваш веб-браузер является основной проблемой для ошибки «502 Bad Gateway».

Самое простое решение — просто проверить веб-сайт в другом веб-браузере.

Вы можете использовать Microsoft Edge, Mozilla Firefox, Google Chrome или Apple Safari.

Если сайт не открывается, значит, проблема не в вашем браузере.

4. Очистка кэша и файлов cookie веб-сайта

Если вы пробовали другой веб-браузер и проблема была устранена, значит, с вашим основным браузером что-то не так.

Фактически, любой устаревший кэш или поврежденный файл может быть причиной ошибки «502 Bad Gateway Error».

Вы всегда можете обратиться к нашим статьям, чтобы получить более подробные инструкции по удалению кэша или файлов cookie вашего веб-сайта.

После успешного удаления файлов вы можете попробовать открыть веб-сайт, если проблема решена.

5. Проверка подключаемых модулей и расширений браузера

Иногда плагины и расширения браузера могут вызывать множество проблем при попытке открыть определенные веб-страницы.

Вы всегда можете попробовать отключить расширения и проверить, открывается сайт или нет.

В случае, если ошибка «502 Bad Gateway Error» устранена, вероятно, это был один из плагинов, вызывающий эту ошибку.

Попробуйте включить плагины один за другим, чтобы выявить виновника.

6. Перезагрузка устройства

Вы будете удивлены, узнав, сколько проблем с вашим компьютером можно легко решить, просто перезагрузив устройство.

Теперь, когда вы проверили все инструменты и поменяли разные веб-браузеры, проблема все еще сохраняется.

В таких обстоятельствах мы рекомендуем просто перезагрузить компьютер вместе с сетевым устройством.

Используйте это исправление как последнее средство решения проблемы.

7. Изменение DNS-сервера

Скорее всего, проблема с DNS также может вызвать ошибку «502 Bad Gateway Error».

Хотя вы не можете полностью рассматривать то же самое как исправление, всегда стоит попробовать.

Тем не менее, это также совершенно легко изменить.

В большинстве случаев DNS-сервер настраивается вашим интернет-провайдером.

Замена его на любой сторонний DNS-сервер, включая Google DNS или OpenDNS, может оказаться полезным.

Подведение итогов: ошибка «502 Bad Gateway»

Итак, это был наш список различных способов, с помощью которых вы можете фактически устранить и исправить ошибку «502 Bad Gateway Error».

Обычно это все, что вы можете сделать со своей стороны.

Итак, дайте нам знать в разделе комментариев ниже, какое исправление помогло вам справиться с ошибкой.

Спасибо что дочитали!

Hi, in the last two days we encountered serious problems with our zimbra installation.
It’s configured in this way: server1 with proxy and mailboxes (about 95%), server2 with mailboxes (5%), server3 with z-push.
Zimbra 8.6.0, z-push 2.3.8, zimbra backend release 67. Users that use z-push about 200, zimbra total users 3400.
We installed proxy and created server2 about 2 months ago.
Here it’s what happens: server1 cpu rises a lot, mainly caused by java process; zimbra users get server disconnected problem. if we stop z-push service, after about 10 minutes cpu becomes normal. If we restart z-push, after 5/10 minutes cpu rises again.
We made some debug: in the z-push-error.log there are many errors 502 like this:

Zimbra->SoapRequest(): SOAP FAULT: HTML Error Returned - Error 502 Connection to Upstream is Refused - Enable ZIMBRA_DEBUG for more details - returning { false }

enabling debug, sometimes errors like this:

05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] -------- Start
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] cmd='Ping' devType='Android' devId='androidc787264364' getUser='xxxxxxx' from='151.38.66.171' version='2.3.8+0' method='POST'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Used timezone 'Europe/Rome'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Including backend file: '/usr/share/z-push/backend/zimbra/zimbra.php'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Request::ProcessHeaders() ASVersion: 14.0
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] ZPush::CommandNeedsAuthentication(18): true
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] FileStateMachine->GetState() read '1471' bytes from file: '/var/lib/z-push/4/6/androidc787264364-devicedata'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] ASDevice data loaded for user: 'xxxxxxx'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] TopCollector(): Initialized mutexid Resource id #55 and memid Resource id #56.
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] TopCollector initialised with IPC provider 'IpcSharedMemoryProvider' with type '20'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] LoopDetection(): Initialized mutexid Resource id #60 and memid Resource id #61.
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] LoopDetection initialised with IPC provider 'IpcSharedMemoryProvider' with type '1337'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] ZPush::HierarchyCommand(18): false
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): START Logon { username [xxxxxxx] - domain [] - password <hidden> - php [5.4.16] - zpzb [67] - ua [Android/7.0-EAS-2.0] - as [14.0] }
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): Multi-Folder support configured using [Android/7] with settings Calendar [SUPPORTED], Contacts [NOT SUPPORTED], Tasks [SUPPORTED], Notes [NOT SUPPORTED]
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): Local Cache ENABLED with Lifetime [3600] seconds
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP Message: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
                            <soap:Header><context xmlns="urn:zimbra">
                            <session />
                            <notify  seq="0" />
                            <format type="js" />
                            <userAgent name="Android/7.0-EAS-2.0(...264364) devip=151.38.66.171 ZPZB" version="67" />
                        </context></soap:Header>
                            <soap:Body><AuthRequest xmlns="urn:zimbraAccount">
                        <account by="name">xxxxxxx</account>
                        <password>**********</password>
                        <attrs><attr name="uid"/></attrs>
                        <prefs><pref name="zimbraPrefTimeZoneId"/></prefs>
                    </AuthRequest></soap:Body>
                         </soap:Envelope>
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP response: {"Header":{"context":{"_jsns":"urn:zimbra"}},"Body":{"AuthResponse":{"authToken":[{"_content":"0_ea1bb35d52dd838f3be067c37cc3ceb45b6a8510_69643d33363a
66393361363132652d626533352d343534302d626537642d6366313536363637653239323b6578703d31333a313532333039303932353330303b76763d323a32303b747970653d363a7a696d6272613b7469643d31303a313530323833383530383b76657273696f6e3d31333a382e362e305f47415f3
13135333b"}],"lifetime":172800000,"prefs":{"_attrs":{"zimbraPrefTimeZoneId":"Europe/Berlin"}},"attrs":{"_attrs":{"uid":"xxxxxxx"}},"skin":[{"_content":"beach"}],"_jsns":"urn:zimbraAccount"}},"_jsns":"urn:zimbraSoap"}
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] FileStateMachine->GetState() read '36227' bytes from file: '/var/lib/z-push/4/6/androidc787264364-bs-1506458283'
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): Local Cache Initialized !
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): Smart Folders ENABLED - User Profile XML files will be ignored
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP Message: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
                            <soap:Header><context xmlns="urn:zimbra">
                                    <session />
                                    <authToken>0_ea1bb35d52dd838f3be067c37cc3ceb45b6a8510_69643d33363a66393361363132652d626533352d343534302d626537642d6366313536363637653239323b6578703d31333a313532333039303932353330303b76763d323a32303b747
970653d363a7a696d6272613b7469643d31303a313530323833383530383b76657273696f6e3d31333a382e362e305f47415f313135333b</authToken>
                                    <notify  seq="0" />
                                    <format type="js" />
                                    <userAgent name="Android/7.0-EAS-2.0(...264364) devip=151.38.66.171 ZPZB" version="67" />
                                </context></soap:Header>
                            <soap:Body><NoOpRequest xmlns="urn:zimbraMail" /></soap:Body>
                         </soap:Envelope>
 05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP Response: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 502 Connection to Upstream is Refused</title>
</head>
<body>
<h2>HTTP ERROR 502</h2>
<p>Problem accessing ZCS upstream server.
        Cannot connect to the ZCS upstream server. Connection is refused.<br/>
    Possible reasons:
    <ul>
        <li>upstream server is unreachable</li>
        <li>upstream server is currently being upgraded</li>
        <li>upstream server is down</li>
    </ul>
    Please contact your ZCS administrator to fix the problem.
</p><br/>
<i><small>Powered by Nginx-Zimbra://</small></i><br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>

</body>
</html>

05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->ExtractHtmlErrorTitle(): errorTitle [Error 502 Connection to Upstream is Refused]
05/04/2018 10:48:45 [19711] [ERROR] [xxxxxxx] Zimbra->SoapRequest(): SOAP FAULT: HTML Error Returned - Error 502 Connection to Upstream is Refused - Enable ZIMBRA_DEBUG for more details - returning { false }
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP response:
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): ZIMBRA_RETRIES_ON_HOST_CONNECT_ERROR defined, and set to [5]
05/04/2018 10:48:45 [19711] [DEBUG] [xxxxxxx] Zimbra->Logon(): Proxy Connect Error: Retry in 60 seconds ...

and sometimes soap response is this:

05/04/2018 10:50:07 [18509] [DEBUG] [xxxxxxx] Zimbra->SoapRequest(): SOAP Response: <html>

sometimes responses are good, bad responses happen randomly.
server1, nginx.log, a lot of errors like this:

2018/04/05 20:13:33 [error] 27677#0: *331578 no live upstreams while connecting to upstream, client: xxxxxxx, server: server1, request: "POST /service/soap/ HTTP/1.1", host: "xxxxxxxxx"

Note that proxy and mailbox are on the same server, so no network issues are possible.
If we disable zimbra proxy, pointing z-push directly to server1, all services work fine.
So it seems some issue related to z-push and zimbra proxy (but only towards server1), but who causes it?
Trying to find some post about it, I found this: https://forums.zimbra.org/viewtopic.php?t=60298 which seems similar to our problem.
Any ideas?
Note: we always had problems with soap session number, never solved, see https://sourceforge.net/p/zimbrabackend/support-requests/150/

Thanks