Problems with dovecot 2.2.13 and monit
Hello,
When I upgraded my servers to dovecot 2.2.13 the monitoring tool monit started to send out warnings that it couldn't reach my imap/pop3 servers through ssl any more. The same problem didn't happen on non-ssl-connections.
According to people on the monit list this is likely a dovecot issue: https://lists.gnu.org/archive/html/monit-general/2014-06/msg00031.html
Let me quote:
> the root cause of the error is, that dovecot 2.2.13 closes the connection if SSL is used in response to LOGOUT command instead of sending usual response. When no SSL is enabled, dovecot responses to LOGOUT command normally. [...] According to RFC 3501 (http://tools.ietf.org/html/rfc3501), LOGOUT is any-state command, where the server MUST send response before closing the connection: http://tools.ietf.org/html/rfc3501#section-3.4
> => the problem is caused by dovecot 2.2.13 bug ... its behaviour is inconsistent (LOGOUT in non-authenticated state works per RFC requirement if no SSL is used and doesn't conform to RFC if SSL is used). It is possible that the problem is related to their DoS-attack modification, which has most probably unexpected side-effect.
Maybe this is related to the DDoS-protection measures that have been added in dovecot 2.2.13.
Would appreciate if someone could have a look.
cu,
Hanno Böck http://hboeck.de/
mail/jabber: hanno@hboeck.de GPG: BBB51E42
On 06/16/2014 03:35 PM, Hanno Böck wrote:
> => the problem is caused by dovecot 2.2.13 bug ... its behaviour is inconsistent (LOGOUT in non-authenticated state works per RFC requirement if no SSL is used and doesn't conform to RFC if SSL is used). It is possible that the problem is related to their DoS-attack modification, which has most probably unexpected side-effect.
This was fixed in commits http://hg.dovecot.org/dovecot-2.2/rev/09d3c9c6f0ad and http://hg.dovecot.org/dovecot-2.2/rev/7129fe8bc260 so it will work better in the next release.
br, Teemu Huovila
Hello,
I am having the same problem with dovecot 2.0.9 on CentOS.
I manually tested over ssl (imap, 993) and if the connection is authenticated I get the bye reply after I issue logout and connection ends gracefully.
If I fail authentication on purpose and issue logout afterwards, then the connection gets terminated abruptly.
Any way to fix this?
Thank you.
On 08/17/2014 11:56 PM, Marius wrote:
> Hello,
> I am having the same problem with dovecot 2.0.9 on CentOS.
> I manually tested over ssl (imap, 993) and if the connection is authenticated I get the bye reply after I issue logout and connection ends gracefully.
> If I fail authentication on purpose and issue logout afterwards, then the connection gets terminated abruptly.
> Any way to fix this?
The fixes in question are not applied to the 2.0 tree. Furthermore you are not even running the latest release from the 2.0 series, so the fixes for Dovecot might be out of the question, unless you make similar fixes to the version you are running.
One way forward might be to alter the way monit does the monitoring. I got a success on the ssl port, when using the following monit configuration snippet (tested with dovecot 2.2 hg tip and monit github tip). Obviously you have to change "localhost" and the login credentials to whatever matches your config. It also requires plain auth. On the plus side, you get to see if your authentication backend is up and running.
if failed host localhost port 993 type tcpssl sslauto
    and expect "^\* OK.* Dovecot ready."
    send "a login test pass \r\n"
    expect "^a OK.* Logged in"
    send "a logout\r\n"
    expect "^\* BYE Logging out\r\na OK Logout completed."
then alert
br, Teemu
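Added example, not part of the original thread and not code from Dovecot or monit: a Python probe for the behaviour discussed above, which sends LOGOUT in the non-authenticated state and reports whether the server answered with the untagged BYE and tagged OK that RFC 3501 requires before closing. The function names `probe_logout` and `probe_imaps`, the tag `a1` and the verdict strings are assumptions made for this illustration.

```python
import socket
import ssl


def probe_logout(conn, tag="a1"):
    """Send LOGOUT without authenticating and classify how the server ends.

    conn is any connected socket-like object (plain or TLS-wrapped).
    Returns "conformant", "bye-only", "abrupt-close" or "bad-greeting".
    """
    saw_bye = saw_ok = False
    with conn.makefile("rwb") as f:
        if not f.readline().startswith(b"* OK"):
            return "bad-greeting"
        try:
            f.write(tag.encode() + b" LOGOUT\r\n")
            f.flush()
            for line in f:  # read until the server closes the connection
                if line.upper().startswith(b"* BYE"):
                    saw_bye = True
                elif line.startswith(tag.encode() + b" OK"):
                    saw_ok = True
        except (ConnectionError, ssl.SSLError):
            pass  # a reset or broken TLS shutdown is treated as an abrupt close
    if saw_bye and saw_ok:
        return "conformant"
    return "bye-only" if saw_bye else "abrupt-close"


def probe_imaps(host, port=993, timeout=10):
    """Run the same probe against an IMAPS listener (certificate is verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return probe_logout(tls)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: script.py <hostname of your own server>
        print(probe_imaps(sys.argv[1]))
```

Unlike the monit snippet above, this probe needs no credentials, so it checks only the LOGOUT handling and not the authentication backend.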
participants (3)
- Hanno Böck
- Marius
- Teemu Huovila