Dovecot Replication Errors (only) when using tcps: as the mail_replica Protocol
Reuben Farrelly
reuben-dovecot at reub.net
Sat Jun 13 05:38:35 EEST 2020
Hi,
I've been seeing errors logged for some time with replication processes,
whereby replication sessions seem to be timing out periodically.
This is with dovecot version 2.3.10.1 (a3d0e1171) and both are Gentoo
x86_64.
After some investigation I've determined that these timeouts are only
ever occurring with tcps as the replication connection type. These
errors never occur if non-encrypted tcp is configured. I've been able
to validate this by changing only the replica_type on both ends of the
replication configuration to tcp, and with no other changes and after a
few days of operation there is not a single error logged.
mail_replica = tcps:lightning.reub.net:4813 <<< periodic timeouts
mail_replica = tcp:lightning.reub.net:4814 <<< works perfectly
Example of the error:
Jun 12 15:45:44 thunderstorm.reub.net dovecot[21149]:
dsync-local(kaylene)<zx+WKTAU416UMwAAzkCIew>: Error:
dsync(lightning.reub.net): I/O has stalled, no activity for 600 seconds
(last sent=mailbox_delete, last recv=handshake)
Jun 12 15:45:44 thunderstorm.reub.net dovecot[21149]:
dsync-local(kaylene)<zx+WKTAU416UMwAAzkCIew>: Error: Timeout during
state=recv_mailbox_tree
doveadm: Error: Timeout during state=slave_recv_mailbox: 6 Time(s)
doveadm: Error: Timeout during state=sync_mails (send=mail_requests
recv=attributes): 31 Time(s)
doveadm: Error: dsync(thunderstorm.reub.net): I/O has stalled, no
activity for 600 seconds (last sent=mail_change (EOL), last
recv=mailbox): 31 Time(s)
doveadm: Error: dsync(thunderstorm.reub.net): I/O has stalled, no
activity for 600 seconds (last sent=mailbox_delete, last
recv=mailbox_delete): 6 Time(s)
It is seen on both sides of the replication setup. The replica is
offsite but only a few ms of latency away and there is no packet loss.
The replication is happening over IPv6, and the local firewall is
logging that sessions are always permitted, and only ever finishing due
to tcp-fin or tcp-rst-from-client .
SSL appears to be correctly configured, and it seems that the
replication itself is for the most part working. Clients are able to
use imaps just fine so I don't think there's anything much wrong from an
SSL perspective else I'd be seeing complete replication failure and/or
client devices unable to connect.
Can anyone suggest how we can further debug this problem?
Thanks,
Reuben
-------------- next part --------------
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: Linux 5.7.2-gentoo x86_64 Gentoo Base System release 2.7
# Hostname: thunderstorm.reub.net
auth_mechanisms = plain login
auth_username_format = %Ln
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1099
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %c %k
login_trusted_networks = 192.168.0.0/16 2403:5800:7100:0900::/56 180.150.17.229
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_location = maildir:~/Maildir
mail_plugins = notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = failure_show_msg=yes %s
driver = pam
}
plugin {
fts = lucene
fts_autoindex = yes
fts_languages = en
fts_lucene = whitespace_chars=@.
mail_replica = tcps:lightning.reub.net:4813
replication_full_sync_interval = 2 hours
sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = postmaster at reub.net
protocols = imap lmtp sieve submission sieve
recipient_delimiter = -
service aggregator {
fifo_listener replication-notify-fifo {
mode = 0666
user = root
}
unix_listener replication-notify {
mode = 0666
user = root
}
}
service auth {
inet_listener {
port = 45347
}
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0777
}
}
service doveadm {
inet_listener {
address = 2403:5800:7100:0910::23
port = 4813
ssl = yes
}
inet_listener {
address = 2403:5800:7100:0910::23
port = 4814
ssl = no
}
inet_listener {
address = 192.168.10.23
port = 4813
ssl = yes
}
inet_listener {
address = 192.168.10.23
port = 4814
ssl = no
}
user = root
}
service imap-login {
inet_listener imap {
address = 192.168.10.23 2403:5800:7100:0910::23
}
inet_listener imaps {
address = 192.168.10.23 2403:5800:7100:0910::23
ssl = yes
}
}
service lmtp {
inet_listener lmtp {
address = ::1
port = 24
}
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1 2403:5800:7100:0910::23
port = 4190
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
service submission-login {
inet_listener submission {
address = 192.168.10.23 2403:5800:7100:0910::23
}
}
ssl_cert = </etc/letsencrypt/live/reub.net/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
submission_client_workarounds = whitespace-before-path
submission_relay_host = inside-mail.reub.net
submission_relay_trusted = yes
userdb {
driver = passwd
result_success = continue-ok
}
userdb {
args = /etc/dovecot/passwd.extra
driver = passwd-file
skip = notfound
}
protocol lmtp {
mail_plugins = notify replication fts fts_lucene sieve
}
protocol lda {
mail_plugins = notify replication fts fts_lucene sieve
}
protocol imap {
imap_metadata = yes
mail_max_userip_connections = 25
}
local_name imap.reub.net {
ssl_cert = </etc/letsencrypt/live/reub.net/fullchain.pem
ssl_key = # hidden, use -P to show it
}
local_name imap.htperham.name {
ssl_cert = </etc/letsencrypt/live/imap.htperham.name/fullchain.pem
ssl_key = # hidden, use -P to show it
}
More information about the dovecot
mailing list