Dear all,
A lot of doveadm commands (e.g. backup/sync, deduplicate, mailbox) support a
-S (a.k.a. socket-path) argument that allows running the command remotely.
Unfortunately, I think that there is a bug in the handling of the TLS
configuration for this feature.
After a bit of debugging, I think it's simply due to doveadm_mail_server_user_get_host
(https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server....)
bailing out too quickly: it's used by doveadm_mail_server_user
(https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server....)
to set its user, host, hostip, port and ssl_flags. When doveadm_port is not
set (or set to 0):
- user is set to input->username: OK
- host is set to ctx->set->doveadm_socket_path (the content of the -S option): OK
- hostip is not set: OK (later on, the host is used in that case)
- port is set to 0: this is OK, as when the hostip (or rather the server->ip
  later in the code) is not set, this is only the default; the port is
  extracted from the host (or rather server->name)
- ssl_flags is not modified: this is not OK, as there is nothing else modifying it!
Bailing out just a few lines later (as in
https://patch-diff.githubusercontent.com/raw/dovecot/core/pull/145.patch)
fixes the issue for me.
To reproduce the issue, with dovecot-2.3.11.3-4, you will need two systems,
A & B. A needs to have dovecot configured and port 9091 open in its firewall
for B. B just needs dovecot to be installed.
Testing without TLS:
- Add the following to A's dovecot configuration (and reload it):
    service doveadm {
      inet_listener {
        port = 9091
      }
    }
    doveadm_password=VeryRandomString
- On B, create a file X containing (only):
    doveadm_password=VeryRandomString
- On B, running
    doveadm -c X mailbox list -u ${existing_user} -S ${A}:9091
  should return the mailbox list.
Switching to TLS:
- Replace what was added to A's dovecot configuration (and reload it) with:
    service doveadm {
      inet_listener {
        port = 9091
        ssl = yes
      }
    }
    doveadm_password=VeryRandomString
    doveadm_ssl = ssl # Not strictly required
- On B, create a file Y containing (only):
    doveadm_password=VeryRandomString
    doveadm_ssl=yes
- On B, running
    doveadm -c Y mailbox list -u ${existing_user} -S ${A}:9091
  will not work.
- On A, you should see in the logs:
    dovecot[16435]: doveadm(${B}): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Applying the patch mentioned above makes the 2nd case work.

What do you think?

Cheers,
Vincent
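The ordering defect described in the post, as an added illustration constructed for this page; it is not Dovecot's doveadm_mail_server_user_get_host() and not the PR's code. A schematic "get host" routine is written twice, once returning before ssl_flags is assigned (the reported behaviour) and once with the same early return moved below the assignment, plus a helper that applies the rule from the post that the port is taken from the host string when port is 0. The struct layout, function names, the stand-in host value for the doveadm_port-set branch and the sample config values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-in for the routine discussed in the post.
 * Field names are borrowed from the post; the bodies are NOT Dovecot code. */

enum ssl_flags { SSL_NONE = 0, SSL_REQUIRED = 1 };

struct server_info {
    const char *user;
    const char *host;      /* "name" or "name:port" (the -S value)          */
    const char *hostip;    /* NULL = not set; host is used instead           */
    unsigned int port;     /* 0 = default; the port is then taken from host  */
    enum ssl_flags ssl_flags;
};

struct settings {
    const char *doveadm_socket_path; /* content of -S                        */
    unsigned int doveadm_port;       /* 0 = not set                          */
    bool doveadm_ssl;                /* client-side doveadm_ssl=yes          */
};

/* Buggy ordering: with doveadm_port unset the function returns after
 * user/host/hostip/port are filled but before ssl_flags is assigned, so
 * whatever the caller already had there (normally 0 = no TLS) is kept. */
void get_host_early_return(const struct settings *set, const char *username,
                           struct server_info *out)
{
    out->user = username;
    out->hostip = NULL;
    if (set->doveadm_port == 0) {
        out->host = set->doveadm_socket_path;
        out->port = 0;
        return;                         /* bails out: ssl_flags untouched */
    }
    out->host = "doveadm-host.example";  /* assumed stand-in value */
    out->port = set->doveadm_port;
    out->ssl_flags = set->doveadm_ssl ? SSL_REQUIRED : SSL_NONE;
}

/* Corrected ordering: the same early return, now placed below the
 * ssl_flags assignment so both branches reflect the configuration. */
void get_host_late_return(const struct settings *set, const char *username,
                          struct server_info *out)
{
    out->user = username;
    out->hostip = NULL;
    out->ssl_flags = set->doveadm_ssl ? SSL_REQUIRED : SSL_NONE;
    if (set->doveadm_port == 0) {
        out->host = set->doveadm_socket_path;
        out->port = 0;
        return;
    }
    out->host = "doveadm-host.example";  /* assumed stand-in value */
    out->port = set->doveadm_port;
}

/* Port actually used: the explicit port if non-zero, otherwise the ":NNNN"
 * suffix of host; returns 0 when neither is available. */
unsigned int effective_port(const struct server_info *s)
{
    if (s->port != 0)
        return s->port;
    const char *colon = strrchr(s->host, ':');
    if (colon == NULL || colon[1] == '\0')
        return 0;
    return (unsigned int)strtoul(colon + 1, NULL, 10);
}

bool will_use_tls(const struct server_info *s)
{
    return (s->ssl_flags & SSL_REQUIRED) != 0;
}

int main(void)
{
    /* Constructed equivalent of client file Y plus "-S A:9091". */
    struct settings y = { "A.example:9091", 0, true };
    struct server_info buggy = {0}, fixed = {0};

    get_host_early_return(&y, "alice", &buggy);
    get_host_late_return(&y, "alice", &fixed);

    printf("early return: host=%s port=%u tls=%d\n", buggy.host,
           effective_port(&buggy), will_use_tls(&buggy));
    printf("late return:  host=%s port=%u tls=%d\n", fixed.host,
           effective_port(&fixed), will_use_tls(&fixed));
    return 0;
}
```

With the early return, the client connects to the right host and port but with no TLS flag set, which matches the "unknown protocol" handshake error the server logs when a plaintext client hello arrives on an ssl = yes listener.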