Dear all,

A lot of doveadm commands (e.g. backup/sync, deduplicate, mailbox) support a -S (a.k.a socket-path) argument that allows to run the command remotely. Unfortunately, I think that there is a bug in the handling of the TLS configuration for this feature.

After a bit of debugging, I think it's simply due to doveadm_mail_server_user_get_host (https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server....) bailing out too quickly: It's used by doveadm_mail_server_user (https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server....) to set its user, host, hostip, port and ssl_flags. When doveadm_port is not (or set to 0): option): OK

• user is set to input->username: OK
• host is set to ctx->set->doveadm_socket_path (the content of the -S

• hostip is not set: OK (Later on, the host is used in that case)
• port is set to 0: This is OK, as when the hostip (or rather the server->ip later in the code) is not set, this is only the default, the port is extracted from the host (or rather server->name)
• ssl_flags is not modified: this is not OK as there is nothing else modifying it!

Bailing out just a few line later (as in https://patch-diff.githubusercontent.com/raw/dovecot/core/pull/145.patch) fixes the issue for me.

To reproduce the issue, with dovecot-2.3.11.3-4, you will need two systems, A & B: A needs to have dovecot configured and port 9091 open in its firewall for B. B just need dovecot to be installed.

• Testing without TLS:

  • Add the following to A's dovecot configuration (and reload it):

    service doveadm {
      inet_listener {
        port = 9091
      }
    }
    doveadm_password=VeryRandomString
    

  • On B, create a file X containing (only):

  doveadm_password=VeryRandomString
  

  • On B, running doveadm -c X mailbox list -u ${existing_user} -S ${A}:9091 should return the mailbox list

• Switching to TLS:

  • Replace what was added to A's dovecot configuration (and reload it) with:

    service doveadm {
      inet_listener {
        port = 9091
        ssl = yes
      }
    }
    doveadm_password=VeryRandomString
    doveadm_ssl = ssl # Not strictly required
    

  • On B, create a file Y containing (only):

  doveadm_password=VeryRandomString
  doveadm_ssl=yes
  

  • On B, running doveadm -c Y mailbox list -u ${existing_user} -S ${A}:9091 will not work.
  • On A, you should see in the logs: dovecot[16435]: doveadm(${B}): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Applying the patch mentioned above makes the 2nd case work.

What do you think? Cheers, Vincent