[Dovecot] Dovecot auth process delays exiting if LDAPS passdb used
Hi,
I'm using Dovecot 2.1.6 and LDAP server as a backend for Postfix SMTP-Auth (SASL) on Debian GNU/Linux (wheezy), Solaris 10 and AIX 6.1/7.1.
If the Dovecot passdb is configured with LDAP (no TLS/SSL), there is no problem. But if the Dovecot passdb is configured with LDAPS (or LDAP+TLS), the Dovecot auth process has a problem: it delays exiting by between 20 and 60 seconds when the Dovecot dovecot (master) process has already been terminated by an administrator.
Is this a known problem?
On AIX, this problem prevents restarting the Dovecot service, with the following error:
May 24 00:42:03 build-aix6 mail:warn|warning dovecot: master: Warning: Killed with signal 15 (by pid=11337890 uid=0 code=kill)
May 24 00:42:10 build-aix6 mail:err|error dovecot: master: Error: service(auth): Socket already exists: /opt/osstech/var/run/dovecot/auth-login
May 24 00:42:11 build-aix6 mail:crit dovecot: master: Fatal: Failed to start listeners
My Dovecot 2.1.6 platforms are:
- Debian GNU/Linux wheezy + OpenLDAP 2.4.28 (linked with GNU TLS 2.12.18)
- Solaris 10 + OpenLDAP 2.4.26 (linked with OpenSSL 0.9.7)
- AIX 6.1 + OpenLDAP 2.4.31 (linked with OpenSSL 1.0.0)
- AIX 7.1 + OpenLDAP 2.4.28 (linked with OpenSSL 1.0.0)
Because I see the problem on all of the above, I think there is a bug in Dovecot 2.1.6.
Thanks.
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- Personal Home: http://www.SFO.jp/blog/
Hi,
At Thu, 24 May 2012 01:01:25 +0900, SATOH Fumiyasu wrote:
> If Dovecot passdb is configured with LDAP (no TLS/SSL), it is no problem. But if Dovecot passdb is configured with LDAPS (or LDAP+TLS), Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
> Is this known problem?
GDB backtrace in Dovecot auth process on Debian GNU/Linux:
(gdb) bt full
#0  0x00007fa725c59f43 in __epoll_wait_nocancel () at ../sysdeps/unix/syscall-template.S:82
No locals.
#1  0x00007fa7267a6db7 in io_loop_handler_run (ioloop=0x17686d0) at ioloop-epoll.c:181
        ctx = 0x1770350
        events = 0xfffffffffffffffc
        event = 0x7530
        list = <optimized out>
        io = <optimized out>
        tv = {tv_sec = 29, tv_usec = 999374}
        msecs = 30000
        ret = <optimized out>
        i = <optimized out>
        j = <optimized out>
        call = <optimized out>
#2  0x00007fa7267a5cc9 in io_loop_run (ioloop=0x17686d0) at ioloop.c:398
No locals.
#3  0x00007fa7267938ff in master_service_run (service=0x1768580, callback=<optimized out>) at master-service.c:544
No locals.
#4  0x0000000000418517 in main (argc=1, argv=0x1768370) at main.c:373
        c = <optimized out>
DBX backtrace in Dovecot auth process on Solaris 10:
(dbx) where
  [1] __pollsys(0x80bc3c8, 0x4, 0x8047cd8, 0x0), at 0xfed75a15
  [2] _pollsys(0x80bc3c8, 0x4, 0x8047cd8, 0x0), at 0xfed69fc8
  [3] _poll(0x80bc3c8, 0x4, 0x7530), at 0xfed1e95a
=>[4] io_loop_handler_run(ioloop = ???) (optimized), at 0xfef59294 (line ~166) in "ioloop-poll.c"
  [5] io_loop_run(ioloop = ???) (optimized), at 0xfef586cf (line ~398) in "ioloop.c"
  [6] master_service_run(service = ???, callback = ???) (optimized), at 0xfef42e03 (line ~544) in "master-service.c"
  [7] main(argc = ???, argv = ???) (optimized), at 0x8077d9b (line ~374) in "main.c"
Thanks.
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- Personal Home: http://www.SFO.jp/blog/
At Thu, 24 May 2012 01:01:25 +0900, SATOH Fumiyasu wrote:
> If Dovecot passdb is configured with LDAP (no TLS/SSL), it is no problem. But if Dovecot passdb is configured with LDAPS (or LDAP+TLS), Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
I can reproduce this problem with LDAP (no TLS/SSL) passdb.
Sorry...
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- Personal Home: http://www.SFO.jp/blog/
On Thu, 2012-05-24 at 01:22 +0900, SATOH Fumiyasu wrote:
> At Thu, 24 May 2012 01:01:25 +0900, SATOH Fumiyasu wrote:
> > If Dovecot passdb is configured with LDAP (no TLS/SSL), it is no problem. But if Dovecot passdb is configured with LDAPS (or LDAP+TLS), Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
> I can reproduce this problem with LDAP (no TLS/SSL) passdb.
And I suppose you can reproduce it even when not using LDAP?
All of the Dovecot processes are supposed to close all listeners immediately when the master process dies. If this doesn't happen then something strange is going on.
At Tue, 29 May 2012 18:31:45 +0300, Timo Sirainen wrote:
> > > If Dovecot passdb is configured with LDAP (no TLS/SSL), it is no problem. But if Dovecot passdb is configured with LDAPS (or LDAP+TLS), Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
> > I can reproduce this problem with LDAP (no TLS/SSL) passdb.
> And I suppose you can reproduce it even when not using LDAP?
Yes. I can reproduce with dovecot 1:2.1.7-1 (Debian unstable package) with PAM passdb. This PAM environment is configured for local UNIX passwd file only (no LDAP).
> All of the Dovecot processes are supposed to close all listeners immediately when the master process dies. If this doesn't happen then something strange is going on.
My dovecot config (PAM version) is below:
# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-2-amd64 x86_64 Debian wheezy/sid
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap pop3"
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0666
  }
}
ssl_cert =
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
On 7.6.2012, at 6.06, SATOH Fumiyasu wrote:
> > Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
> Yes. I can reproduce with dovecot 1:2.1.7-1 (Debian unstable package) with PAM passdb. This PAM environment is configured for local UNIX passwd file only (no LDAP).
I can't reproduce this. I installed the 1:2.1.7-1 Debian unstable package. Put your dovecot.conf to /etc/dovecot/. Did:
/etc/init.d/dovecot start
telnet localhost 143
x login foo bar
x logout
/etc/init.d/dovecot stop
No dovecot processes left.
At Mon, 11 Jun 2012 15:30:59 +0300, Timo Sirainen wrote:
> > > Dovecot auth process has a problem that Dovecot auth delays exiting about between 20 and 60 seconds when Dovecot dovecot (master) process is already terminated by an administrator.
> > Yes. I can reproduce with dovecot 1:2.1.7-1 (Debian unstable package) with PAM passdb. This PAM environment is configured for local UNIX passwd file only (no LDAP).
> I can't reproduce this. I installed the 1:2.1.7-1 Debian unstable package. Put your dovecot.conf to /etc/dovecot/. Did:
> /etc/init.d/dovecot start
> telnet localhost 143
> x login foo bar
> x logout
> /etc/init.d/dovecot stop
> No dovecot processes left.
If an auth client keeps a connection open to dovecot/auth, dovecot/auth does NOT exit immediately when the dovecot master exits.
(1) Install Postfix and Dovecot.
# apt-get install postfix dovecot
(2) Configure Postfix /etc/postfix/main.cf with the following:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
(3) Configure Dovecot /etc/dovecot/conf.d/10-master with the following:
service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
(4) Start postfix and dovecot service.
# /etc/init.d/dovecot start
# /etc/init.d/postfix start
(5) Invoke Postfix smtpd(8), it connects to dovecot/auth socket.
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sugar.osstech.co.jp ESMTP Postfix
AUTH PLAIN dummy
535 5.7.8 Error: authentication failed:
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Or use netcat-openbsd to connect to dovecot/auth socket:
# nc.openbsd -U /var/spool/postfix/private/dovecot-auth &
(6) Stop dovecot service.
# /etc/init.d/dovecot stop
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
On 11.6.2012, at 18.24, SATOH Fumiyasu wrote:
> If an auth client remains a connection to dovecot/auth, dovecot/auth does NOT exit immediately when dovecot master exits.
Ah, now we're getting somewhere :) Yes, this is correct and intentional. But it should still close the listeners, so this shouldn't happen:
May 24 00:42:10 build-aix6 mail:err|error dovecot: master: Error: service(auth): Socket already exists: /opt/osstech/var/run/dovecot/auth-login
> (1) Install Postfix and Dovecot.
> # apt-get install postfix dovecot
> (2) Configure Postfix /etc/postfix/main.cf with the following:
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options =
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> (3) Configure Dovecot /etc/dovecot/conf.d/10-master with the following:
> service auth {
>   unix_listener auth-userdb {
>   }
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
> }
> (4) Start postfix and dovecot service.
> # /etc/init.d/dovecot start
> # /etc/init.d/postfix start
> (5) Invoke Postfix smtpd(8), it connects to dovecot/auth socket.
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 sugar.osstech.co.jp ESMTP Postfix
> AUTH PLAIN dummy
> 535 5.7.8 Error: authentication failed:
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> Or use netcat-openbsd to connect to dovecot/auth socket:
> # nc.openbsd -U /var/spool/postfix/private/dovecot-auth &
> (6) Stop dovecot service.
> # /etc/init.d/dovecot stop
And (7) /etc/init.d/dovecot start fails?
At Mon, 11 Jun 2012 18:32:35 +0300, Timo Sirainen wrote:
> > If an auth client remains a connection to dovecot/auth, dovecot/auth does NOT exit immediately when dovecot master exits.
> Ah, now we're getting somewhere :) Yes, this is correct and intentional. But it should still close the listeners, so this shouldn't happen:
> May 24 00:42:10 build-aix6 mail:err|error dovecot: master: Error: service(auth): Socket already exists: /opt/osstech/var/run/dovecot/auth-login
> > (6) Stop dovecot service.
> > # /etc/init.d/dovecot stop
> And (7) /etc/init.d/dovecot start fails?
Yes: AIX 6.1, 7.1
No: Debian GNU/Linux stable, testing, unstable / Solaris 10
--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
On 11.6.2012, at 19.39, SATOH Fumiyasu wrote:
> At Mon, 11 Jun 2012 18:32:35 +0300, Timo Sirainen wrote:
> > > If an auth client remains a connection to dovecot/auth, dovecot/auth does NOT exit immediately when dovecot master exits.
> > Ah, now we're getting somewhere :) Yes, this is correct and intentional. But it should still close the listeners, so this shouldn't happen:
> > May 24 00:42:10 build-aix6 mail:err|error dovecot: master: Error: service(auth): Socket already exists: /opt/osstech/var/run/dovecot/auth-login
> > > (6) Stop dovecot service.
> > > # /etc/init.d/dovecot stop
> > And (7) /etc/init.d/dovecot start fails?
> Yes: AIX 6.1, 7.1
> No: Debian GNU/Linux stable, testing, unstable / Solaris 10
OK, so this is AIX specific. Two problems: 1) I have no access to AIX to test and debug this, 2) even if I did, I'm not very motivated in debugging possibly hours for a system that is very rarely used in email servers.. (If any AIX user wanted to buy one of the Dovecot support services, I could look into this and get it fixed in some way.)
It would also be possible to modify the sources a bit to get the pending processes killed immediately at shutdown.
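Added example (not part of the thread and not Dovecot code): a small operator-side probe for the "Socket already exists" situation discussed above. It tells apart a UNIX socket path that some process is still listening on from a leftover socket file with no listener. The function name unix_socket_state and the temporary auth-login path in the demo are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def unix_socket_state(path, timeout=1.0):
    """Return 'absent', 'not-a-socket', 'stale' or 'live' for a listener path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(timeout)
    try:
        probe.connect(path)
    except ConnectionRefusedError:
        # The file exists but no process has a listening socket bound to it.
        return "stale"
    except (BlockingIOError, socket.timeout):
        # A listener exists but its backlog is full: the path is still in use.
        return "live"
    finally:
        probe.close()
    return "live"


def demo():
    """Walk one constructed socket path through absent -> live -> stale."""
    states = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth-login")  # constructed stand-in path
        states.append(unix_socket_state(path))
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)
        states.append(unix_socket_state(path))
        listener.close()  # listener is gone, the socket file stays behind
        states.append(unix_socket_state(path))
    return states


if __name__ == "__main__":
    print(demo())
```

Run against the real listener path after stopping the service, a "live" result means some surviving process still accepts connections there; permission errors are raised rather than hidden.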
Participants (2): SATOH Fumiyasu, Timo Sirainen