CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Christian Balzer
chibi at gol.com
Sat Aug 31 05:30:12 EEST 2019
Daniel,
thanks so much for the detailed pointers.
So it turns out to be both the evil that is systemd and an overzealous
upgrade script.
Apollon, should I raise a Debian bug for this?
As for reasons, how do 50k proxy sessions on the proxy servers and 25k imap
processes on the mailbox servers sound?
Even on a server with just 6k users and 7k imap processes that causes a
massive load spike and a far longer service interruption (about 50
seconds) than I'm happy with.
Penultimately if people do set "shutdown_clients = no" they hopefully know
what they are doing and do expect that to work.
Regards,
Christian
On Fri, 30 Aug 2019 17:44:23 +0200 Daniel Lange via dovecot wrote:
> Am 30.08.19 um 17:38 schrieb Daniel Lange via dovecot:
> > Am 30.08.19 um 10:00 schrieb Christian Balzer via dovecot:
> >> When upgrading on Debian Stretch with the security fix packages all
> >> dovecot processes get killed and then restarted despite having
> >> "shutdown_clients = no" set.
> >
> > This is systemd doing its "magic" (kill all control group processes),
> > see https://dovecot.org/pipermail/dovecot/2016-June/104546.html
> > for a potential fix.
>
> Actually that will not be enough in the upgrade case as the maintainer
> script calls
> deb-systemd-invoke stop dovecot.socket dovecot.service
>
> I personally think re-connecting clients are normal operations so I
> wouldn't bother. But you could override the stop action in the systemd
> unit if you have local reasons that warrant such a hack.
>
--
Christian Balzer Network/Systems Engineer
chibi at gol.com Rakuten Mobile Inc.
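The override Daniel mentions, as an added example that is not from the thread or from the Dovecot or Debian packaging: systemd's default KillMode for a service is control-group, so `systemctl stop dovecot.service` (which is what `deb-systemd-invoke stop dovecot.socket dovecot.service` ends up calling) sends SIGTERM to every process in the unit's cgroup, overriding `shutdown_clients = no`. A drop-in with `KillMode=process` limits the signal to the main PID (the dovecot master), leaving the imap/pop3/login children alone. The drop-in directory and file name below are my assumptions; whether this alone is enough during a package upgrade is the open question in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes a systemd drop-in that
# changes how "stop" signals dovecot.service and offers a couple of checks.
# Assumed paths: /etc/systemd/system/dovecot.service.d/10-keep-clients.conf

# write_dovecot_dropin [DIR]
# DIR defaults to the real drop-in directory for dovecot.service (assumption).
# Prints the path of the file written.
write_dovecot_dropin() {
    dir="${1:-/etc/systemd/system/dovecot.service.d}"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-keep-clients.conf" <<'EOF'
[Service]
# Default is control-group: SIGTERM to every process in the cgroup, which is
# what kills the imap/pop3 children regardless of shutdown_clients = no.
# process: only the main PID (dovecot master) is signalled on stop.
KillMode=process
EOF
    printf '%s\n' "$dir/10-keep-clients.conf"
}

# dropin_killmode FILE
# Prints the KillMode value set in a drop-in (empty if the file sets none).
dropin_killmode() {
    sed -n 's/^KillMode=//p' "$1"
}

# live_checks
# Runs on a real host after "systemctl daemon-reload": confirms systemd picked
# up the override and that dovecot itself is configured to keep clients.
live_checks() {
    systemctl daemon-reload
    printf 'KillMode: %s\n' "$(systemctl show -p KillMode --value dovecot.service)"
    doveconf -n shutdown_clients
}
```

Usage on a host: `write_dovecot_dropin` (no argument) then `live_checks`; the `doveconf -n` line should read `shutdown_clients = no` and the KillMode line `process`. The maintainer script's `deb-systemd-invoke stop` still runs on the next upgrade, but with this drop-in the stop only reaches the master.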