[Dovecot] Weird Dovecot 1.1.6 + pop3s certificate issues

Bernhard Schmidt berni at birkenwald.de
Sat Feb 14 04:13:12 EET 2009


Hello everyone,

I've been asked by a colleague to have a look at some extremely weird
dovecot SSL issue they are seeing on one of the student mailservers.

They are running dovecot 1.1.6 (yes, I know, a bit old ...) on SLES 10.2
x86_64 with imap(+starttls), imaps, pop3(+starttls) and pop3s enabled.
Every couple of weeks the pop3s and pop3+starttls part bail out.
Clients can't connect, and when you try openssl s_client you get this:

15960:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
type is not 01:rsa_pk1.c:100:
15960:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
failed:rsa_eay.c:699:
15960:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
signature:s3_clnt.c:1414:

server logs don't show much except for various SSL_accept() errors,
including

TLS handshaking: SSL_accept() failed: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
TLS handshaking: SSL_accept() syscall failed: Connection reset by peer
TLS handshaking: SSL_accept() failed: error:1409441B:SSL
routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

imaps and imap+starttls work fine during the whole time (and always
have), although they are much more used.

Restarting dovecot fixes the issue for a couple of weeks. Does anyone
have an idea where to start debugging? As far as I understand the whole
SSL_accept() thing is a giant black box for Dovecot, but how come it
only affects POP3? dovecot -n (paths and addresses altered, not sure how
much I can reveal without getting shot):

# 1.1.6: /mnt//usr/local/etc/dovecot.conf
# OS: Linux 2.6.16.60-0.25-smp x86_64 SUSE Linux Enterprise Server 10
# (x86_64)
protocols: imap imaps pop3 pop3s
listen(default): [ipv6]:143, ipv4:143
listen(imap): [ipv6]:143, ipv4:143
listen(pop3): [ipv6]:110, ipv4:110
ssl_listen(default): [ipv6]:993, ipv4:993
ssl_listen(imap): [ipv6]:993, ipv4:993
ssl_listen(pop3): [ipv6]:995, ipv4:995
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default):
/mnt//usr/local/libexec/dovecot/imap-login
login_executable(imap):
/mnt//usr/local/libexec/dovecot/imap-login
login_executable(pop3):
/mnt//usr/local/libexec/dovecot/pop3-login
login_process_per_connection: no
login_max_connections: 128
max_mail_processes: 2500
mail_uid: campus
mail_gid: lmu
mail_location: maildir:~/Maildir:INDEX=/home/something/indexes/%-1.1n/%n
mmap_disable: yes
mail_nfs_index: yes
mail_executable(default): /mnt//usr/local/libexec/dovecot/imap
mail_executable(imap): /mnt//usr/local/libexec/dovecot/imap
mail_executable(pop3): /mnt//usr/local/libexec/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /mnt//usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /mnt//usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /mnt//usr/local/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %08Xv%08Xu
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  worker_max_request_count: 500
  passdb:
    driver: ldap
    args: /mnt//usr/local/etc/dovecot-ldap.conf
  userdb:
    driver: prefetch
  userdb:
    driver: ldap
    args: /mnt//usr/local/etc/dovecot-ldap.conf
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: campus
      group: lmu
plugin:
  quota: maildir
  quota_rule: Trash:ignore
  quota_rule2: *:storage=512M

Anyone having an idea?

bernhard
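Since the failure above is only noticed when clients stop connecting, a small probe that runs openssl s_client against each listener and classifies the output is a useful watchdog. This is an added example, not code from the original message or from the Dovecot project; it assumes the coreutils `timeout` command is available, and the hostname used in the usage note is a placeholder. The classifier keys on the literal OpenSSL error strings quoted in the post and on the "Verify return code" line that a completed handshake prints.

```shell
#!/bin/sh
# Added example (not from the original post or Dovecot): probe every TLS
# listener of a mail server and flag the handshake failure described above.

# classify_handshake_output: read openssl s_client output on stdin and print
# one word: "bad-signature" for the RSA padding / bad signature failure seen
# in the post, "ok" for a completed handshake, "other-failure" otherwise.
classify_handshake_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE 'RSA_padding_check_PKCS1_type_1|bad signature'; then
        echo bad-signature
    elif printf '%s\n' "$out" | grep -q 'Verify return code'; then
        echo ok
    else
        echo other-failure
    fi
}

# probe_tls HOST PORT [STARTTLS_PROTO]: run openssl s_client (with an assumed
# coreutils `timeout` so a hung listener cannot block the check) and classify
# the result. Returns 0 only when the handshake completed.
probe_tls() {
    host=$1
    port=$2
    proto=$3
    if [ -n "$proto" ]; then
        result=$(timeout 15 openssl s_client -connect "$host:$port" \
                 -starttls "$proto" </dev/null 2>&1 | classify_handshake_output)
    else
        result=$(timeout 15 openssl s_client -connect "$host:$port" \
                 </dev/null 2>&1 | classify_handshake_output)
    fi
    echo "$host:$port${proto:+ (starttls $proto)}: $result"
    [ "$result" = ok ]
}

# check_mailserver HOST: probe the four listeners from the post's setup
# (imaps, pop3s, imap+starttls, pop3+starttls). Returns the number of
# listeners that did not complete a handshake, so it can drive an alert.
check_mailserver() {
    host=$1
    failures=0
    probe_tls "$host" 993 || failures=$((failures + 1))
    probe_tls "$host" 995 || failures=$((failures + 1))
    probe_tls "$host" 143 imap || failures=$((failures + 1))
    probe_tls "$host" 110 pop3 || failures=$((failures + 1))
    return "$failures"
}

# Constructed samples for testing the classifier offline: the client-side
# errors quoted in the post, and the tail of a successful s_client run.
SAMPLE_BAD='15960:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
15960:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1414:'

SAMPLE_OK='SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 0 (ok)'
```

Run `check_mailserver mail.example.org` (placeholder host) from cron and alert on a non-zero return; because imaps is probed alongside pop3s, the output also shows directly whether the failure is specific to the POP3 listeners as it was in the post.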


