On 5.5.2014, at 23.13, Jochen Bern <Jochen.Bern@LINworks.de> wrote:
we are running a central server (CentOS 6.5, dovecot-2.0.9-7.el6 with a small patch to disable the IMAP CREATE command, and openssl-1.0.1e-16.el6_5.7) and distribute standard client software to customer( site)s.
One of the customers has a major networking problem that hasn't been fully analyzed yet. Sniffing his IMAPS connects on the server side, I see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen; instead, after ~60s, we receive a single packet with "TLSv1 Certificate Verify, Change Cipher Spec, Encrypted Handshake Message" *and* the TCP FIN+PSH+ACK flags set.
The problem I'd like to ask for help with here is that dovecot's imap-login process doesn't terminate when the FIN is received, or when the IMAP protocol's inactivity timeout is reached; it takes *more than two hours* for it to go away. Because of that, this single client racks up 1100+ processes (counting against dovecot's configured limits), TCP connections, and the associated RAM usage.
..
dovenull 12064 0.0 0.0 42440 3656 ? S 19:32 0:00 \_ dovecot/imap-login [1 connections (1 TLS)]
The process is taking 0% CPU? There was a bug where a broken handshake could have caused 100% CPU usage. Maybe the same problem could happen in a slightly different way and also not cause CPU usage. http://hg.dovecot.org/dovecot-2.2/rev/c0236d1c4a04 fixes this.
Although even then .. I'm not sure why the process wouldn't die sooner. And Dovecot especially should kill old imap-login processes that haven't logged in if it reaches the imap-login process limit.
# 2.0.9: /etc/dovecot/dovecot.conf
I'd anyway try v2.2 first..
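A monitoring check for the symptom described in this thread, added here as an example and not part of the original exchange: it parses `ps -eo pid,user,etime,args` output (a constructed sample below, modelled on the process line Jochen quoted) and reports imap-login processes that still hold unauthenticated connections longer than a chosen threshold, so a pile-up of stuck handshakes is noticed before the process limit is hit.

```python
import re
from typing import List, Tuple

# Constructed sample of `ps -eo pid,user,etime,args` output (not taken from the thread).
# An imap-login process that shows "[N connections ...]" is still holding pre-login
# connections; once a login completes, the connection moves to a dovecot/imap process.
SAMPLE_PS = """\
  PID USER         ELAPSED COMMAND
12064 dovenull    02:14:07 dovecot/imap-login [1 connections (1 TLS)]
12101 dovenull       00:42 dovecot/imap-login [1 connections (1 TLS)]
12150 dovenull    01:05:33 dovecot/imap-login [2 connections (2 TLS)]
12211 dovenull       00:00 dovecot/imap-login
 9801 dovecot   3-04:11:02 dovecot/imap
"""

# pid, user, etime, then the imap-login title with an optional connection count.
LOGIN_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+(\S+)\s+dovecot/imap-login(?:\s+\[(\d+) connections\b[^\]]*\])?\s*$"
)


def parse_etime(etime: str) -> int:
    """Convert the ps ELAPSED field ([[dd-]hh:]mm:ss) to whole seconds."""
    days = 0
    if "-" in etime:
        day_part, etime = etime.split("-", 1)
        days = int(day_part)
    parts = [int(p) for p in etime.split(":")]
    while len(parts) < 3:          # mm:ss has no hour field; pad on the left
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def stale_login_processes(ps_output: str, max_age: int) -> List[Tuple[int, int, int]]:
    """Return (pid, age_seconds, connections) for every imap-login process that has
    held one or more pre-login connections for longer than max_age seconds.
    Idle imap-login processes (no connections) and imap processes are ignored."""
    stale = []
    for line in ps_output.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m.group(3) is None:
            continue
        pid, age, conns = int(m.group(1)), parse_etime(m.group(2)), int(m.group(3))
        if conns > 0 and age > max_age:
            stale.append((pid, age, conns))
    return stale


if __name__ == "__main__":
    for pid, age, conns in stale_login_processes(SAMPLE_PS, 600):
        print(f"pid {pid}: {conns} pre-login connection(s) open for {age}s")
```

The threshold should sit well above the server's configured login timeout; any process reported here is one that the timeout did not clean up.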