Support TLS for pure remote doveadm commands
Vincent Brillault
vincent.brillault at cern.ch
Wed Nov 11 17:14:25 EET 2020
Dear all,
A lot of doveadm commands (e.g. backup/sync, deduplicate, mailbox) support a
`-S` (a.k.a. `socket-path`) argument that allows running the command remotely.
Unfortunately, I think that there is a bug in the handling of the TLS
configuration for this feature.
After a bit of debugging, I think it's simply due to
doveadm_mail_server_user_get_host
(https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server.c#L179)
bailing out too quickly: it's used by doveadm_mail_server_user
(https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server.c#L286)
to set its `user`, `host`, `hostip`, `port` and `ssl_flags`. When doveadm_port
is not set (or set to 0):
- `user` is set to `input->username`: OK
- `host` is set to `ctx->set->doveadm_socket_path` (the content of the `-S` option): OK
- `hostip` is not set: OK (later on, the `host` is used in that case)
- `port` is set to 0: this is OK, as when the `hostip` (or rather the `server->ip` later in the code) is not set, this is only the default; the port is extracted from the `host` (or rather `server->name`)
- `ssl_flags` is not modified: this is not OK, as there is nothing else modifying it!
Bailing out just a few lines later (as in
https://patch-diff.githubusercontent.com/raw/dovecot/core/pull/145.patch)
fixes the issue for me.
To reproduce the issue, with dovecot-2.3.11.3-4, you will need two systems, A
& B: A needs to have dovecot configured and port 9091 open in its firewall for
B. B just needs dovecot to be installed.
- Testing without TLS:
  - Add the following to A's dovecot configuration (and reload it):
  ```
  service doveadm {
    inet_listener {
      port = 9091
    }
  }
  doveadm_password=VeryRandomString
  ```
  - On B, create a file X containing (only):
  ```
  doveadm_password=VeryRandomString
  ```
  - On B, running `doveadm -c X mailbox list -u ${existing_user} -S ${A}:9091` should return the mailbox list
- Switching to TLS:
  - Replace what was added to A's dovecot configuration (and reload it) with:
  ```
  service doveadm {
    inet_listener {
      port = 9091
      ssl = yes
    }
  }
  doveadm_password=VeryRandomString
  doveadm_ssl = ssl # Not strictly required
  ```
  - On B, create a file Y containing (only):
  ```
  doveadm_password=VeryRandomString
  doveadm_ssl=yes
  ```
  - On B, running `doveadm -c Y mailbox list -u ${existing_user} -S ${A}:9091` will not work.
  - On A, you should see in the logs: `dovecot[16435]: doveadm(${B}): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol`
Applying the patch mentioned above makes the 2nd case work.
What do you think?
Cheers,
Vincent
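As an added illustration (not dovecot's code and not part of Vincent's message), here is a hypothetical, simplified C model of the ordering bug described above: an early return for the `doveadm_port == 0` case that skips the `ssl_flags` assignment, beside the reordered version. All struct, function and flag names are invented to mirror the fields named in the post, and `tls_honoured` is an added check that the resolved parameters actually respect the `doveadm_ssl` setting.

```c
/* Added example: hypothetical model of the control flow described in the post;
 * it is NOT dovecot's code, and every name here is invented. */
#include <string.h>

enum ssl_mode { SSL_NONE = 0, SSL_TLS = 1 };   /* constructed flag values */

struct settings {
    const char *doveadm_socket_path;  /* value of the -S option */
    unsigned int doveadm_port;        /* 0 when no explicit port is configured */
    int doveadm_ssl;                  /* non-zero when doveadm_ssl is enabled */
};

struct server_params {
    const char *user;
    const char *host;     /* "host:port" string; the port is parsed from it later */
    const char *hostip;   /* left NULL so that host is used */
    unsigned int port;    /* 0 means "take the port from host" */
    int ssl_flags;
};

/* Buggy order: the doveadm_port == 0 path returns before ssl_flags is set,
 * so a client configured with doveadm_ssl=yes still connects in plaintext. */
void get_host_buggy(const struct settings *set, const char *username,
                    struct server_params *out)
{
    memset(out, 0, sizeof(*out));
    out->user = username;
    out->host = set->doveadm_socket_path;
    if (set->doveadm_port == 0)
        return;                      /* ssl_flags is still SSL_NONE here */
    out->ssl_flags = set->doveadm_ssl ? SSL_TLS : SSL_NONE;
    out->port = set->doveadm_port;
}

/* Fixed order: ssl_flags is derived from doveadm_ssl on every path; the early
 * return now only skips the explicit-port handling. */
void get_host_fixed(const struct settings *set, const char *username,
                    struct server_params *out)
{
    memset(out, 0, sizeof(*out));
    out->user = username;
    out->host = set->doveadm_socket_path;
    out->ssl_flags = set->doveadm_ssl ? SSL_TLS : SSL_NONE;
    if (set->doveadm_port == 0)
        return;
    out->port = set->doveadm_port;
}

/* Defender's check: do the resolved parameters honour the TLS setting? */
int tls_honoured(const struct settings *set, const struct server_params *p)
{
    return !set->doveadm_ssl || p->ssl_flags == SSL_TLS;
}
```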