Strange "IMAP connection broken (server response)" errors

Aki Tuomi aki.tuomi at dovecot.fi
Tue Mar 20 12:20:56 EET 2018



On 20.03.2018 10:16, Kadlecsik József wrote:
> On Fri, 20 Oct 2017, Kadlecsik József wrote:
>
>> On Fri, 6 Oct 2017, Jozsef Kadlecsik wrote:
>>
>>> We upgraded one of our dovecot servers to debian stretch with dovecot 
>>> 2.2.27 and since then one of our users has been experiencing random IMAP 
>>> failures.
>>>
>>> On the client side the user runs alpine and the corresponding debug lines:
>>>
>>> IMAP DEBUG 14:22:02.216167: 00000011 FETCH 6 (BODYSTRUCTURE FLAGS)
>>>
>>> 14:22:02.217396
>>> IMAP 14:22:02 10/6 mm_notify bye: 
>>> {[127.0.0.1]:1555/imap/user="ha4aa"}INBOX: [CLOSED] IMAP connection broken 
>>> (server response)
>> The date of the last rawlog line corresponds to an ssl debug log of 
>> dovecot (from the last run):
>>
>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read() 
>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> It is an openssl compatibility issue introduced in OpenSSL 1.0.2f. The 
> IMAP failures could be solved with the following patches, which are 
> similar to what nginx uses (http://hg.nginx.org/nginx/rev/062c189fee20):
>
> For Dovecot 2.2.35:
>
> diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
> index 68ec221..31d1017 100644
> --- a/src/lib-ssl-iostream/iostream-openssl.c
> +++ b/src/lib-ssl-iostream/iostream-openssl.c
> @@ -324,7 +324,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
>  
>  static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
>  {
> -	if (SSL_shutdown(ssl_io->ssl) != 1) {
> +	if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
>  		/* if bidirectional shutdown fails we need to clear
>  		   the error queue */
>  		openssl_iostream_clear_errors();
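Review bot: in openssl_iostream_destroy(), the new `!SSL_in_init(ssl_io->ssl) &&` test also short-circuits past openssl_iostream_clear_errors() whenever the handshake has not finished. That is fine for the error SSL_shutdown() itself would have queued, but anything an aborted handshake left in the OpenSSL error queue now stays there. The quoted log shows how a stale entry can surface later as an unrelated SSL_read() failure. Consider testing SSL_in_init() on its own and clearing the queue in that branch as well, or confirm that the queue is always empty when destroy is reached during init.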
> diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
> index 947c8ef..3ac6823 100644
> --- a/src/login-common/ssl-proxy-openssl.c
> +++ b/src/login-common/ssl-proxy-openssl.c
> @@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
>  	if (proxy->io_plain_write != NULL)
>  		io_remove(&proxy->io_plain_write);
>  
> -	if (SSL_shutdown(proxy->ssl) != 1) {
> +	if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) {
>  		/* if bidirectional shutdown fails we need to clear
>  		   the error queue. */
>  		openssl_iostream_clear_errors();
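Review bot: the changed condition in ssl_proxy_destroy() is a second copy of the one added in iostream-openssl.c, and neither copy says why SSL_in_init() is checked. The existing comment ("if bidirectional shutdown fails ...") now describes only half of the test. Suggest a one-line comment stating that SSL_shutdown() during the handshake fails with "shutdown while in init" since OpenSSL 1.0.2f, as the message states, and moving the check into a small shared helper so the two call sites cannot drift apart.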
>
> For Dovecot master branch:
>
> diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
> index 45de412..ed1f0a4 100644
> --- a/src/lib-ssl-iostream/iostream-openssl.c
> +++ b/src/lib-ssl-iostream/iostream-openssl.c
> @@ -345,7 +345,7 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
>  
>  static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
>  {
> -	if (SSL_shutdown(ssl_io->ssl) != 1) {
> +	if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
>  		/* if bidirectional shutdown fails we need to clear
>  		   the error queue */
>  		openssl_iostream_clear_errors();
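Review bot: the master-branch patch changes only openssl_iostream_destroy() in src/lib-ssl-iostream/iostream-openssl.c, while the 2.2.35 patch also changes ssl_proxy_destroy() in src/login-common/ssl-proxy-openssl.c. Please state in the submission whether master has no remaining SSL_shutdown() call in login-common, or add the matching hunk. The commit text should also say which OpenSSL versions each variant was tested against, since the fix depends on behaviour that changed in 1.0.2f.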
>
> Best regards,
> Jozsef
> --
> E-mail : kadlecsik.jozsef at wigner.mta.hu
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
>          H-1525 Budapest 114, POB. 49, Hungary
Hi!

Thank you for your patch, we'll look into it.

Aki

