Strange "IMAP connection broken (server response)" errors

Kadlecsik József kadlecsik.jozsef at wigner.mta.hu
Tue Mar 20 10:16:15 EET 2018


On Fri, 20 Oct 2017, Kadlecsik József wrote:

> On Fri, 6 Oct 2017, Jozsef Kadlecsik wrote:
> 
> > We upgraded one of our dovecot servers to debian stretch with dovecot 
> > 2.2.27 and since then one of our users has been experiencing random IMAP 
> > failures.
> > 
> > On the client side the user runs alpine and the corresponding debug lines:
> > 
> > IMAP DEBUG 14:22:02.216167: 00000011 FETCH 6 (BODYSTRUCTURE FLAGS)
> > 
> > 14:22:02.217396
> > IMAP 14:22:02 10/6 mm_notify bye: 
> > {[127.0.0.1]:1555/imap/user="ha4aa"}INBOX: [CLOSED] IMAP connection broken 
> > (server response)
> 
> The date of the last rawlog line corresponds to an ssl debug log of 
> dovecot (from the last run):
> 
> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read() 
> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

It is an OpenSSL compatibility issue introduced in OpenSSL 1.0.2f. The 
IMAP failures could be solved with the following patches, which are 
similar to what nginx uses (http://hg.nginx.org/nginx/rev/062c189fee20):

For Dovecot 2.2.35:

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 68ec221..31d1017 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -324,7 +324,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
 
 static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
 {
-	if (SSL_shutdown(ssl_io->ssl) != 1) {
+	if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
 		/* if bidirectional shutdown fails we need to clear
 		   the error queue */
 		openssl_iostream_clear_errors();
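
Review bot: In openssl_iostream_destroy(), the retained comment "if bidirectional shutdown fails we need to clear the error queue" no longer explains the whole condition, because the new `!SSL_in_init(ssl_io->ssl)` test is undocumented. Suggest a line above the `if` saying that SSL_shutdown() is skipped while the handshake is unfinished, since it fails there with "shutdown while in init", so that a later reader does not remove the guard as redundant.
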
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 947c8ef..3ac6823 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
 	if (proxy->io_plain_write != NULL)
 		io_remove(&proxy->io_plain_write);
 
-	if (SSL_shutdown(proxy->ssl) != 1) {
+	if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) {
 		/* if bidirectional shutdown fails we need to clear
 		   the error queue. */
 		openssl_iostream_clear_errors();
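
Review bot: In ssl_proxy_destroy(), the short-circuit on `!SSL_in_init(proxy->ssl)` means openssl_iostream_clear_errors() is no longer reached when the proxy is destroyed mid-handshake, whereas before this change the failing SSL_shutdown() led into that branch. If an earlier handshake step left entries in the error queue, they now stay there; consider clearing the queue in the SSL_in_init() case as well, or confirm that the handshake error path already does so. The same guard is also repeated here and in iostream-openssl.c, so a small shared helper would keep the two call sites from drifting apart.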

For Dovecot master branch:

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 45de412..ed1f0a4 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -345,7 +345,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
 
 static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
 {
-	if (SSL_shutdown(ssl_io->ssl) != 1) {
+	if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
 		/* if bidirectional shutdown fails we need to clear
 		   the error queue */
 		openssl_iostream_clear_errors();
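
Review bot: The master-branch patch guards only openssl_iostream_destroy() in iostream-openssl.c, while the 2.2.35 patch also changes ssl_proxy_destroy() in src/login-common/ssl-proxy-openssl.c. Please state in the commit message whether master still has that second SSL_shutdown() call site, and if it does, apply the same `!SSL_in_init(...)` guard there.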

Best regards,
Jozsef
--
E-mail : kadlecsik.jozsef at wigner.mta.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary

