#175 Android devices cannot download attachments from shared account

[Josh Wiles]

When attempting to download an attachment from a shared account on an Android device, the following error is thrown in the Z-Push log...
/usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:79 fopen(url here): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found

[LiverpoolFCfan]

It sounds like you have pointed z-push directly at a zimbra mailbox server rather than at the nginx proxy - or used the internal name of the server rather than the Public Host URL.

Can you please explain your setup and configuration. Single/Multiple zimbra server(s)? Have you configured z-push to hit your externally available webmail URL?

[Josh Wiles]

Sorry, I should have included more info in the original post. I actually can copy the URL in the log and paste it, and it's a valid working URL. Here's my setup though:

I have a public HAProxy server in my DMZ, which has rules setup on it to route the traffic based on the URL. So, if the URL contains webmail.domain.com/Microsoft-Server-ActiveSync or .../autodiscover/autodiscover.xml, HAProxy routes it to one of my four Z-Push servers in round robin. Else, it routes to my Zimbra01 server, which has the Nginx proxy role installed. Z-Push is configure with the public URL, not a specific server name.

I have 3 mailbox servers, with 01 having the proxy role. webmail.domain.com is setup to be my public URL. The mailboxes in question both reside on 03.

Here's the interesting troubleshooting bits:

1) The user can download attachments if it's within their own account. Attachments don't work when downloading from a shared folder/account.
2) This only appears to affect Android. I cannot replicate the issue on an iOS device.
3) Both mailboxes (working and not working) are on 03, which eliminates a server routing/access issue.

Another interesting thing. In the log, the url inside on fopen doesn't have quotes around it. Is it possible that it's attempting to interpret that as a variable instead of a string?

[LiverpoolFCfan]

"Both mailboxes (working and not working) are on 03, which eliminates a server routing/access issue." - that is not necessarily true. All traffic must pass through the proxy as it is there that the access token is generated for the session. That token is what gives permission to an account to access resources owned by other accounts. If the request from the attachment streamer instead hit another server directly without coming through the proxy it would not have permission to download the file.

Can you generate a debug level log for the user - reproducing the issue. Ideally, add that user to the $specialLogUsers array in the z-push config,

    define('LOGUSERLEVEL', LOGLEVEL_WBXML);
    $specialLogUsers = array();
    $specialLogUsers[] = 'username';

and set the ZIMBRA_DEBUG to 'username' (replacing with the user's login name) in the zimbra backend config file.

    define('ZIMBRA_DEBUG','username');

I can set the ticket private so you can upload the log, and I can change it back after I download and delete it from the ticket.

[LiverpoolFCfan]

Setting ticket Private

[Josh Wiles]

Here you go.

[LiverpoolFCfan]

Sorry, I should have been clearer. I need to see a complete transaction. Starting from a steady ping state - send a new email with an attachment to the account/mailbox that is shared, open it on the device, try to open the attachment.

It is vital also that you have the ZIMBRA_DEBUG turned on for the user so I can see the content of the zimbra calls.

[Josh Wiles]

Sorry for the delay, things have been busy! Here you go.

I added a new account and shared an account with it. I sent the same attachment to both accounts. It obviously works when it gets sent to the main account, and does not work when sent to the shared account.

[LiverpoolFCfan]

Are there any errors logged by zimbra at the time?

[LiverpoolFCfan]

Hopefully you will find the reason for the auth problem..

I don't see anything untoward in the logs - other than a failure to get the file. The auth problem likely explains that.

[Josh Wiles]

I have no idea what would cause the auth error and why it only happens for none iOS mail clients. The main account is relying on AD for authentication. The shared account is not. Perhaps that's the issue?

[LiverpoolFCfan]

iOS works differently. iOS grabs the entire MIME message in one go, and parses the parts out itself - including extracting the attachments.

Android asks for the Text/HTML of the email first, and only downloads the attachments as and when they are requested by thee user clicking on the attachment thumbnail

So, that difference is expected.

[Josh Wiles]

Apparently, It's the class of service. If I change the shared account to "Default", I'm able to download the message.

So, I recreated the COS exactly like before, and it works fine. I have no idea what the deal was.

[LiverpoolFCfan]

Ah, interesting. Now you mention it, I recall there is a setting that controls access to attachments from webmail. Z-push is equivalent to a webmail user

[Josh Wiles]

I think it's okay to close this ticket. It clearly was some kind of issue with Zimbra config, but I'm still not sure what it was. Thanks for all the help!

[LiverpoolFCfan]

Removed log file, and will set ticket back to public, and move it from Bugs to Support Tickets

[LiverpoolFCfan]

Removing Private Setting

[LiverpoolFCfan]

Ticket moved from /p/zimbrabackend/bugs/82/

[LiverpoolFCfan]

Closing ticket - Zimbra configuration issue.