Hello everyone,
we are running a central server (CentOS 6.5, dovecot-2.0.9-7.el6 with a small patch to disable the IMAP CREATE command, and openssl-1.0.1e-16.el6_5.7) and distribute standard client software to customers (sites).
The clients do IMAPS connects in regular intervals (no IDLE, no lingering logins) and authenticate with certs issued by a dedicated PKI ("auth_ssl_username_from_cert = yes" and a static global password).
One of the customers has a major networking problem that hasn't been fully analyzed yet. Sniffing his IMAPS connects on the server side, I see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen; instead, after ~60s, we receive a single packet with "TLSv1 Certificate Verify, Change Cipher Spec, Encrypted Handshake Message" *and* the TCP FIN+PSH+ACK flags set.
The problem I'd like to ask for help with here is that dovecot's imap-login process doesn't terminate when the FIN is received, nor when the IMAP protocol's inactivity timeout is reached; it takes *more than two hours* for it to go away. Because of that, this single client racks up 1100+ processes (counting against dovecot's configured limits), TCP connections, and the associated RAM usage.
(Since the client cert is obviously never received, the default mail_max_userip_connections of 10 doesn't come into play, either.)
Is there any way - short of hexing a negative feedback loop straight into the iptables - to prevent this kind of buildup?
Kind regards, J. Bern
[root ~]# date ; ps auwwwx --forest | grep -A 12 '/dove[c]ot'
Mo 5. Mai 21:45:39 CEST 2014
root      25297  0.8  0.0  19568   824 ?  Ss  Apr30  64:44 /usr/sbin/dovecot
dovecot   25299  0.1  0.1  17996  5828 ?  S   Apr30  11:52  \_ dovecot/anvil [1147 connections]
root      25300  0.1  0.0  13388  1220 ?  S   Apr30   8:07  \_ dovecot/log
root      25301  0.0  0.0  39596  1564 ?  S   Apr30   2:21  \_ dovecot/ssl-params
dovecot   25304  0.3  0.0  78384  3552 ?  S   Apr30  22:13  \_ dovecot/auth [0 wait, 0 passdb, 0 userdb]
root      13161  0.3  0.3  25236 13352 ?  S   May04   7:11  \_ dovecot/config
root      18384  0.2  0.2  20080  8200 ?  S   08:20   1:37  \_ dovecot/config
[... long-running IMAP login by the operators ...]
dovenull  12064  0.0  0.0  42440  3656 ?  S   19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
dovenull  12441  0.0  0.0  42440  3656 ?  S   19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
dovenull  12495  0.0  0.0  42440  3656 ?  S   19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
dovenull  12496  0.0  0.0  42440  3652 ?  S   19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
[root ~]# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.3.1.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
listen = [...]
login_greeting = [...]
mail_location = maildir:~
mail_log_prefix = "%s(%u)[%p]: "
mbox_write_locks = fcntl
passdb {
  args = password=[...]
  driver = static
}
plugin {
  mail_log_events = delete undelete expunge
  mail_log_fields = uid msgid size vsize flags
}
protocols = imap
service anvil {
  client_limit = 3605
}
service auth {
  client_limit = 7000
}
service imap-login {
  process_limit = 3500
}
service imap {
  process_limit = 3500
}
ssl = required
ssl_ca = </etc/pki/dovecot/certs/[...].pem
ssl_cert = </etc/pki/dovecot/certs/[...].pem
ssl_key = </etc/pki/dovecot/private/[...].pem
ssl_verify_client_cert = yes
userdb {
  args = uid=mandanten gid=mandanten home=/[...]/%Ld_[...]/%Ln
  driver = static
}
verbose_proctitle = yes
protocol imap {
  mail_plugins = " mail_log notify"
}
*NEW* - NEC IT infrastructure products at <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance

Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, Fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
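As an added illustration (not part of the original post or of Dovecot), here is a small monitor an operator could run to detect the buildup described above before it reaches the configured process_limit: it parses `ps -eo pid=,etime=,args=` output, counts dovecot/imap-login processes and the connection counts that verbose_proctitle puts into their titles, and flags login processes older than a threshold. The sample lines are constructed in that ps layout, the 180-second threshold is an assumed value rather than a Dovecot setting, and all function names are mine.

```python
"""Added example: flag lingering dovecot imap-login processes from `ps` output.

Assumes `ps -eo pid=,etime=,args=` (procps) and verbose_proctitle = yes, so
each login process title reads like "dovecot/imap-login [1 connections (1 TLS)]".
The 180-second threshold is an assumed value, not a Dovecot setting.
"""
import re
import subprocess
from typing import Dict, Iterable, List

# `ps -o etime=` prints elapsed time as [[dd-]hh:]mm:ss
ETIME_RE = re.compile(r"^(?:(?:(?P<d>\d+)-)?(?P<h>\d{1,2}):)?(?P<m>\d{1,2}):(?P<s>\d{2})$")
# Connection count embedded in the process title by verbose_proctitle
CONN_RE = re.compile(r"\[(\d+) connections")

# Constructed sample in the `pid etime args` layout (not real server output).
SAMPLE_PS = """\
25297 5-02:15:39 /usr/sbin/dovecot
12064 02:13:41 dovecot/imap-login [1 connections (1 TLS)]
12441 00:45 dovecot/imap-login [1 connections (1 TLS)]
12495 1-00:00:05 dovecot/imap-login [1 connections (1 TLS)]
13161 1-13:25:39 dovecot/config
"""


def parse_etime(text: str) -> int:
    """Convert a ps etime field ([[dd-]hh:]mm:ss) to seconds."""
    m = ETIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized etime field: {text!r}")
    days = int(m.group("d") or 0)
    hours = int(m.group("h") or 0)
    return days * 86400 + hours * 3600 + int(m.group("m")) * 60 + int(m.group("s"))


def parse_ps(lines: Iterable[str]):
    """Yield (pid, age_seconds, args) for each `pid etime args` line."""
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 3:
            continue  # blank or malformed line
        pid, etime, args = parts
        yield int(pid), parse_etime(etime), args


def summarize_logins(lines: Iterable[str], max_age: int = 180,
                     proc: str = "dovecot/imap-login") -> Dict[str, object]:
    """Count login processes, the connections they advertise, and the pids
    older than max_age seconds (those that should already have timed out)."""
    total = 0
    connections = 0
    old_pids: List[int] = []
    for pid, age, args in parse_ps(lines):
        if not args.startswith(proc):
            continue
        total += 1
        cm = CONN_RE.search(args)
        connections += int(cm.group(1)) if cm else 0
        if age > max_age:
            old_pids.append(pid)
    return {"total": total, "connections": connections, "old_pids": sorted(old_pids)}


def live_ps_lines() -> List[str]:
    """Run ps on the local host; only used when executed as a script."""
    out = subprocess.run(["ps", "-eo", "pid=,etime=,args="],
                         check=True, capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    report = summarize_logins(live_ps_lines())
    print(f"imap-login processes: {report['total']}, "
          f"connections: {report['connections']}, "
          f"older than threshold: {len(report['old_pids'])}")
    if report["old_pids"]:
        print("lingering pids:", " ".join(map(str, report["old_pids"])))
```

Run from cron and alert when `old_pids` grows, the count of stale login processes (rather than the total) separates a client stuck mid-handshake from ordinary login churn; the pids it reports are the ones to correlate with the packet capture.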