Strange "IMAP connection broken (server response)" errors
Kadlecsik József
kadlecsik.jozsef at wigner.mta.hu
Tue Mar 20 10:16:15 EET 2018
On Fri, 20 Oct 2017, Kadlecsik József wrote:
> On Fri, 6 Oct 2017, Jozsef Kadlecsik wrote:
>
> > We upgraded one of our dovecot servers to debian stretch with dovecot
> > 2.2.27 and since then one of our users has been experiencing random IMAP
> > failures.
> >
> > On the client side the user runs alpine and the corresponding debug lines:
> >
> > IMAP DEBUG 14:22:02.216167: 00000011 FETCH 6 (BODYSTRUCTURE FLAGS)
> >
> > 14:22:02.217396
> > IMAP 14:22:02 10/6 mm_notify bye:
> > {[127.0.0.1]:1555/imap/user="ha4aa"}INBOX: [CLOSED] IMAP connection broken
> > (server response)
>
> The date of the last rawlog line corresponds to an ssl debug log of
> dovecot (from the last run):
>
> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
It is an openssl compatibility issue introduced in OpenSSL 1.0.2f. The
IMAP failures could be solved with the following patches, which are
similar to what nginx uses (http://hg.nginx.org/nginx/rev/062c189fee20):

For Dovecot 2.2.35:
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 68ec221..31d1017 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -324,7 +324,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
{
- if (SSL_shutdown(ssl_io->ssl) != 1) {
+ if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
/* if bidirectional shutdown fails we need to clear
the error queue */
openssl_iostream_clear_errors();
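Review bot: In openssl_iostream_destroy(), the new `!SSL_in_init(ssl_io->ssl) &&` short-circuit skips openssl_iostream_clear_errors() as well as SSL_shutdown() whenever the handshake has not finished, so any entries a failed or aborted handshake left on the OpenSSL error queue are no longer cleared on this path. Consider testing SSL_in_init() separately and still clearing the error queue in that branch, or state in the commit message where those errors are drained. The existing comment ("if bidirectional shutdown fails we need to clear the error queue") also no longer covers the whole condition; a short comment saying that shutdown is skipped mid-handshake because OpenSSL 1.0.2f and later report "shutdown while in init" would keep the reason next to the code.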
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 947c8ef..3ac6823 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
if (proxy->io_plain_write != NULL)
io_remove(&proxy->io_plain_write);
- if (SSL_shutdown(proxy->ssl) != 1) {
+ if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) {
/* if bidirectional shutdown fails we need to clear
the error queue. */
openssl_iostream_clear_errors();
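Review bot: The condition on the changed `if` in ssl_proxy_destroy() is a copy of the one added in openssl_iostream_destroy(), so the two teardown paths can drift apart if one is adjusted later. A small shared helper that performs the SSL_in_init() check and the SSL_shutdown() call would keep them consistent. Since the reported "shutdown while in init" debug line was logged by imap-login, it would also help to note in the commit message that this login-common hunk is the one covering that path.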
For Dovecot master branch:
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 45de412..ed1f0a4 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -345,7 +345,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
{
- if (SSL_shutdown(ssl_io->ssl) != 1) {
+ if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
/* if bidirectional shutdown fails we need to clear
the error queue */
openssl_iostream_clear_errors();
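Review bot: The master-branch patch changes only openssl_iostream_destroy() in src/lib-ssl-iostream/iostream-openssl.c and has no counterpart to the ssl_proxy_destroy() change in the 2.2.35 patch. Please say in the patch description why the login-common side needs no change on master, so a reviewer can confirm the imap-login teardown path is covered there too. As with the 2.2.35 version, the `&&` short-circuit also skips openssl_iostream_clear_errors() when the handshake is incomplete, which deserves a comment or a separate branch.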
Best regards,
Jozsef
--
E-mail : kadlecsik.jozsef at wigner.mta.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary