2.3.17 broken on CentOS8 / bug
John Stoffel
john at stoffel.org
Thu Nov 4 00:31:48 EET 2021
>>>>> "Aki" == Aki Tuomi <aki.tuomi at open-xchange.com> writes:
Aki> You are correct that the problem is not fully fixed yet. It,
Aki> however, only affects practically cases where you do doveadm -c
Aki> /path <command>
Thanks for the update.
Aki> We will fix it properly in a future release, now it has been
Aki> fixed to work as it used to before, so no new regression is
Aki> introduced.
As long as no one trips over this issue with too long certs some other way.
>> On 03/11/2021 14:54 John Stoffel <john at stoffel.org> wrote:
>>
>>
>> >>>>> "Aki" == Aki Tuomi <aki.tuomi at open-xchange.com> writes:
>>
Aki> This issue is now fixed for Dovecot on master with
Aki> https://github.com/dovecot/core/compare/ca2237e%5E..6fff8d5.patch
>>
>> Looking at the patch, I've got a couple of comments.
>>
>> 1. Even your added comment says this issue could still happen is
>> doveadm reads the config setting through doveconf, instead of the
>> config socket. To me that smells like the problem isn't really where
>> you patched it, but more in the parsing of options in doveadm.
>>
>> 2. This is much more bike-shedding, but you have the following:
>>
>> - if (input->module != NULL || input->extra_modules != NULL) {
>> + if ((service->flags & MASTER_SERVICE_FLAG_DISABLE_SSL_SET) ==
>> 0 &&
>> + (input->module != NULL || input->extra_modules != NULL)) {
>>
>> And I would think that the last line would be more readable with:
>>
>> (input->module || input->extra_modules)) {
>>
>> The != NULL test just seems really redundant. I haven't looked at the
>> rest of the main.c to see if this pattern is repeated all over the
>> place or not.
>>
>> John
>>
>>
Aki> and for pigeonhole master with
>>
Aki> https://github.com/dovecot/pigeonhole/commit/29750ba54c20eea0afd4ca436ddc1325723ce93f.patch
>>
Aki> Regards,
Aki> Aki
>>
>> >> On 01/11/2021 08:38 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>> >>
>> >>
>> >> Hi all!
>> >>
>> >> We are looking into this issue.
>> >>
>> >> Aki
>> >>
>> >> > On 30/10/2021 19:36 TG Servers <srvrs at prvtmail.net> wrote:
>> >> >
>> >> >
>> >> > Thanks Robert, I read that. I will also wait for a patch and stay
>> >> >
>> >> > Cheers
>> >> >
>> >> >
>> >> > On 30/10/2021 12:59, Robert Nowotny wrote:
>> >> >
>> >> > > the reason is :
>> >> > >
>> >> > > ssl_ca = </etc/ssl/certs/ca-bundle.crt
>> >> > >
>> >> > > if "ca-bundle.crt"is too big, You will get that error.
>> >> > > this should be fixed, but as a workaround You might pull out the certificates You need.
>> >> > > I personally wait for the patch and stay at 2.3.16 for the time beeing.
>> >> > >
>> >> > > yours sincerely
>> >> > > Robert
>> >> > >
>> >> > >
>> >> > >
>> >> > > Am 30.10.2021 um 10:34 schrieb TG Servers:
>> >> > >
>> >> > > > Hello,
>> >> > > >
>> >> > > > tonight my dovecot upgraded to 2.3.17 and completely broke on recent CentOS 8 installation.
>> >> > > >
>> >> > > > I found the service in status
>> >> > > >
>> >> > > > [root at riot ~]# systemctl status dovecot
>> >> > > > ● dovecot.service - Dovecot IMAP/POP3 email server
>> >> > > > Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
>> >> > > > Active: failed (Result: exit-code) since Sat 2021-10-30 09:59:11 CEST; 58s ago
>> >> > > > Docs: man:dovecot(1)
>> >> > > > https://doc.dovecot.org/
>> >> > > > Process: 1515 ExecStart=/usr/sbin/dovecot -F (code=exited, status=89)
>> >> > > > Process: 1429 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
>> >> > > > Main PID: 1515 (code=exited, status=89)
>> >> > > >
>> >> > > > Oct 30 09:59:10 riot.<domain>.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Fatal: execvp(/usr/libexec/dovecot/managesieve) failed: Argument list too long
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Error: managesieve-login: dump-capability process returned 89
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Fatal: execvp(/usr/sbin/dovecot) failed: Argument list too long
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: dovecot.service: Failed with result 'exit-code'.
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
>> >> > > >
>> >> > > > This seems to be like a bug as no configuration was changed by me in the middle of the night.
>> >> > > > I recall there were similar errors/bug reports in the past were it seemed it was managesieve but wasn't, people had some misconfigurations in the dovecot.conf. I did not change my dovecot.conf since April.
>> >> > > > But maybe here it is a pigeonhole issue.
>> >> > > >
>> >> > > > As I did not find any reason for it I changed the repo and downgraded to 2.3.16-2 now and it runs without any flaws, like all the time before. I had no time to investigate this any longer thand 2 hours with 2.3.17 installed as this is a production server and I need the email access. I also did not find anything adressable in the logs.
>> >> > > >
>> >> > > > [root at riot dovecot]# systemctl status dovecot
>> >> > > > ● dovecot.service - Dovecot IMAP/POP3 email server
>> >> > > > Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
>> >> > > > Active: active (running) since Sat 2021-10-30 10:18:11 CEST; 2s ago
>> >> > > > Docs: man:dovecot(1)
>> >> > > > https://doc.dovecot.org/
>> >> > > > Process: 32398 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
>> >> > > > Main PID: 32452 (dovecot)
>> >> > > > Status: "v2.3.16 (7e2e900c1a) running"
>> >> > > > Tasks: 4 (limit: 99912)
>> >> > > > Memory: 4.4M
>> >> > > > CGroup: /system.slice/dovecot.service
>> >> > > > ├─32452 /usr/sbin/dovecot -F
>> >> > > > ├─32507 dovecot/anvil
>> >> > > > ├─32508 dovecot/log
>> >> > > > └─32513 dovecot/config
>> >> > > >
>> >> > > > Oct 30 10:18:11 riot.<domain>.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: Warning: Corrected permissions for login directory /var/run/dovecot/token-login
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: master: Warning: Corrected permissions for login directory /var/run/dovecot/token-login
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: master: Dovecot v2.3.16 (7e2e900c1a) starting up for imap, lmtp, sieve
>> >> > > > Oct 30 10:18:11 riot.<domain>.com systemd[1]: Started Dovecot IMAP/POP3 email server.
>> >> > > >
>> >> > > >
>> >> > > > This is the configuration
>> >> > > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
>> >> > > > # Pigeonhole version 0.5.16 (09c29328)
>> >> > > > # OS: Linux 4.18.0-305.19.1.el8_4.x86_64 x86_64 AlmaLinux release 8.4 (Electric Cheetah)
>> >> > > > # Hostname: riot.<domain>.com
>> >> > > > auth_mechanisms = plain login
>> >> > > > auth_verbose = yes
>> >> > > > listen = *
>> >> > > > mail_gid = vmail
>> >> > > > mail_home = /var/vmail/mailboxes/%d/%n
>> >> > > > mail_location = maildir:~/mail:LAYOUT=fs
>> >> > > > mail_plugins = " quota fts fts_solr"
>> >> > > > mail_privileged_group = vmail
>> >> > > > mail_uid = vmail
>> >> > > > managesieve_notify_capability = mailto
>> >> > > > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
>> >> > > > namespace inbox {
>> >> > > > inbox = yes
>> >> > > > location =
>> >> > > > mailbox Drafts {
>> >> > > > auto = subscribe
>> >> > > > special_use = \Drafts
>> >> > > > }
>> >> > > > mailbox Sent {
>> >> > > > auto = subscribe
>> >> > > > special_use = \Sent
>> >> > > > }
>> >> > > > mailbox Spam {
>> >> > > > auto = subscribe
>> >> > > > special_use = \Junk
>> >> > > > }
>> >> > > > mailbox Trash {
>> >> > > > auto = subscribe
>> >> > > > special_use = \Trash
>> >> > > > }
>> >> > > > prefix =
>> >> > > > separator = .
>> >> > > > type = private
>> >> > > > }
>> >> > > > passdb {
>> >> > > > args = /etc/dovecot/dovecot-sql.conf
>> >> > > > driver = sql
>> >> > > > }
>> >> > > > plugin {
>> >> > > > fts = solr
>> >> > > > fts_autoindex = yes
>> >> > > > fts_solr = url=http://localhost:<solr_port>/solr/dovecot/
>> >> > > > imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
>> >> > > > imapsieve_mailbox1_causes = COPY
>> >> > > > imapsieve_mailbox1_name = Spam
>> >> > > > imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
>> >> > > > imapsieve_mailbox2_causes = COPY
>> >> > > > imapsieve_mailbox2_from = Spam
>> >> > > > imapsieve_mailbox2_name = *
>> >> > > > quota = maildir:User quota
>> >> > > > quota_exceeded_message = User %u is over the storage quota
>> >> > > > sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
>> >> > > > sieve_before = /var/vmail/sieve/global/spam-global.sieve
>> >> > > > sieve_global_extensions = +vnd.dovecot.pipe
>> >> > > > sieve_pipe_bin_dir = /usr/bin
>> >> > > > sieve_plugins = sieve_imapsieve sieve_extprograms
>> >> > > > }
>> >> > > > protocols = imap lmtp sieve
>> >> > > > service auth {
>> >> > > > unix_listener /var/spool/postfix/private/auth {
>> >> > > > group = postfix
>> >> > > > mode = 0660
>> >> > > > user = postfix
>> >> > > > }
>> >> > > > unix_listener auth-userdb {
>> >> > > > group = vmail
>> >> > > > mode = 0660
>> >> > > > user = vmail
>> >> > > > }
>> >> > > > }
>> >> > > > service imap-login {
>> >> > > > inet_listener imap {
>> >> > > > port = 0
>> >> > > > }
>> >> > > > inet_listener imaps {
>> >> > > > port = 993
>> >> > > > }
>> >> > > > }
>> >> > > > service lmtp {
>> >> > > > unix_listener /var/spool/postfix/private/dovecot-lmtp {
>> >> > > > group = postfix
>> >> > > > mode = 0660
>> >> > > > user = postfix
>> >> > > > }
>> >> > > > user = vmail
>> >> > > > }
>> >> > > > service managesieve-login {
>> >> > > > inet_listener sieve {
>> >> > > > port = 4190
>> >> > > > }
>> >> > > > }
>> >> > > > ssl = required
>> >> > > > ssl_ca = </etc/ssl/certs/ca-bundle.crt
>> >> > > > ssl_cert = </etc/ssl/certs/<domain>.com_chain.crt
>> >> > > > ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+AESGCM:EDH+AESGCM:@SECLEVEL=2
>> >> > > > ssl_client_ca_dir = /etc/ssl/certs
>> >> > > > ssl_client_ca_file = /etc/ssl/certs/ca-bundle.crt
>> >> > > > ssl_dh = # hidden, use -P to show it
>> >> > > > ssl_key = # hidden, use -P to show it
>> >> > > > ssl_prefer_server_ciphers = yes
>> >> > > > userdb {
>> >> > > > args = /etc/dovecot/dovecot-sql.conf
>> >> > > > driver = sql
>> >> > > > }
>> >> > > > protocol imap {
>> >> > > > imap_idle_notify_interval = 24 mins
>> >> > > > mail_max_userip_connections = 20
>> >> > > > mail_plugins = " quota fts fts_solr imap_quota imap_sieve"
>> >> > > > }
>> >> > > > protocol lmtp {
>> >> > > > mail_plugins = " quota fts fts_solr sieve"
>> >> > > > postmaster_address = postmaster@<domain>.com
>> >> > > > }
>> >> > > > local_name mail.<domain_3>.com {
>> >> > > > ssl_cert = </etc/ssl/certs/<domain_3>.com_chain.crt
>> >> > > > ssl_key = # hidden, use -P to show it
>> >> > > > }
>> >> > > > local_name mail.<domain_2>.net {
>> >> > > > ssl_cert = </etc/ssl/certs/<domain_2>.net_chain.crt
>> >> > > > ssl_key = # hidden, use -P to show it
>> >> > > > }
>> >> > > > local_name mail.<domain>.com {
>> >> > > > ssl_cert = </etc/ssl/certs/<domain>.com_chain.crt
>> >> > > > ssl_key = # hidden, use -P to show it
>> >> > > > }
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > >
>> >> > >
>> >> >
>> >> >
More information about the dovecot
mailing list