[Dovecot] vpopmail passdb deadlock if tcprules binary is missing
Teodor Milkov
tm at del.bg
Mon Feb 7 23:15:10 EET 2011
Hello,
I've just found that if vpopmail is compiled with --enable-roaming-users=y, but
tcprules binary is missing there is kind of denial of service situation, which is
not very obvious for debugging.
I know this is result of misconfiguration and I suppose this is more of a
vpopmail() bug, but it is somewhat hard to debug and causes greater harm to
dovecot long running auth process than vpopmail's short living vchkpw process.
Symptoms
--------
Login to dovecot imap takes very long time. There are auth processes in D state:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 9873 0.0 0.0 2884 1396 ? D 14:04 0:00 dovecot/auth -w
root 11292 0.0 0.0 2884 1396 ? S 14:25 0:00 \_ dovecot/auth -w
Cause
-----
When new user has to be authenticated from vpopmail, the sequence of events
goes something like this:
* libexec/dovecot/auth -w process is doing the authentication
(passdb-vpopmail.c)
* passdb-vpopmail.c: at some point user is authenticated and open_smtp_relay()
is called
* vpopmail.c: open_smtp_relay() gets a write lock on
~vpopmail/etc/open-smtp.lock adds new IP to ~vpopmail/etc/open-smtp and
calls update_rules() etc. to rebuild the tcp.cdb file
* vpopmailc: tcprules_open() is called and it fork()s and tries to execv()
tcprules
* if tcprules is not found, execv() fails silently, and we are left with a
forked libexec/dovecot/auth instance, which runs all over again up to the
open_smtp_relay() point where it tries to obtain write lock on
~vpopmail/etc/open-smtp.lock again (it is already locked by parent)
Hope this helps someone.
More information about the dovecot
mailing list