<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 28 March 2019 21:31 Robert Kudyba &lt;rkudyba@fordham.edu&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<blockquote type="cite">
<div class="">
On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot <
<a class="" href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div class="">
<div class="">
<div class="">
<br class="">
</div>
<blockquote type="cite">
<div class="">
On 28 March 2019 16:08 Robert Kudyba via dovecot <
<a class="" href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div class="">
<br class="">
</div>
<div class="">
<br class="">
</div>
<div class="">
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">dovecot-2.3.3-1.fc29.x86_64</span>
</div>
</div>
<div class="">
<br class="">
</div>
<div class="">
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 (http_client_request_unref): assertion failed: (req->refcount > 0)</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">Mar 28 10:04:47 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> /usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> /usr/lib64/dovecot/libdovecot.so.0(+0x51207) [0x7fe76dff1207] -> /usr/lib64/dovecot/libdovecot.so.0(+0x4972b) [0x7fe76dfe972b] -> /usr/lib64/dovecot/libdovecot.so.0(http_client_request_destroy+0x107) [0x7fe76e02cf87] -> /usr/lib64/dovecot/libdovecot.so.0(http_client_deinit+0x4c) [0x7fe76e03b9ec] -> dovecot/auth(auth_policy_deinit+0x1e) [0x55facfdb350e] -> dovecot/auth(main+0x3e1) [0x55facfdae3c1] -> /lib64/libc.so.6(__libc_start_main+0xf3) [0x7fe76dd93413] -> dovecot/auth(_start+0x2e) [0x55facfdae57e]</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">Mar 28 10:04:47 auth: Fatal: master: service(auth): child 31162 killed with signal 6 (core not dumped - <a href="https://dovecot.org/bugreport.html#coredumps" class="">https://dovecot.org/bugreport.html#coredumps</a> - set /proc/sys/fs/suid_dumpable to 2)</span>
</div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;" class="">
<span style="font-variant-ligatures: no-common-ligatures;" class="">Mar 28 10:04:48 master: Info: Dovecot v2.3.3 (dcead646b) starting up for imap, pop3</span>
</div>
</div>
<div class="">
<span style="font-variant-ligatures: no-common-ligatures;" class=""><br class=""></span>
</div>
</blockquote>
<div class="">
Hi,
</div>
<div class="">
<br class="">
</div>
<div class="">
this is a known issue as DOV-3019 and we are fixing this. It happens during auth process shutdown if there are pending requests.
</div>
</div>
</div>
</blockquote>
</div>
<div class="">
<br class="">
</div>Another issue is that the dovecot logs always report the offending URL or IP as what’s in
<span class="" style="font-family: Menlo; font-size: 11px;">/etc/dovecot/conf.d/95-auth.conf</span>
<span class="" style="font-family: Menlo; font-size: 11px;"> in our case:</span>
<div class="">
<span class="" style="font-family: Menlo; font-size: 11px;">auth_policy_server_url = </span>
<a class="" style="font-family: Menlo; font-size: 11px;" href="https://dsm.dsm.fordham.edu:8084/"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/</span></a>
<div class="">
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;">
<br class="">
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">These are HTTP errors in the logs:</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; min-height: 13px;">
<br class="">
</div>
<div class="" style="margin: 0px; font-stretch: normal; line-height: normal; min-height: 14px;">
<span class="" style="font-family: Menlo; font-size: 11px;">Mar 28 09:58:04 auth: Debug: client in: AUTH</span>
<span class="" style="font-family: Menlo; font-size: 11px;">1</span>
<span class="" style="font-family: Menlo; font-size: 11px;">PLAIN</span>
<span class="" style="font-family: Menlo; font-size: 11px;">service=imap</span>
<span class="" style="font-family: Menlo; font-size: 11px;">secured</span>
<span class="" style="font-family: Menlo; font-size: 11px;">session=lmNw8SeFoMl/AAAB</span>
<span class="" style="font-family: Menlo; font-size: 11px;">lip=127.0.0.1</span>
<span class="" style="font-family: Menlo; font-size: 11px;">rip=127.0.0.1</span>
<span class="" style="font-family: Menlo; font-size: 11px;">lport=143</span>
<span class="" style="font-family: Menlo; font-size: 11px;">rport=51616</span>
<span class="" style="font-family: Menlo; font-size: 11px;">resp=&lt;hidden&gt;</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,&lt;lmNw8SeFoMl/AAAB&gt;): Policy request <a class="" href="https://dsm.dsm.fordham.edu:8084/?command=allow"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/?command=allow</span></a></span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,&lt;lmNw8SeFoMl/AAAB&gt;): Policy server request JSON: {"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST <a class="" href="https://dsm.dsm.fordham.edu:8084/?command=allow%5D:"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/?command=allow]:</span></a> Error: 9003 Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST <a class="" href="https://dsm.dsm.fordham.edu:8084/?command=allow%5D:"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/?command=allow]:</span></a> Submitted (requests left=3)</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,&lt;lmNw8SeFoMl/AAAB&gt;): Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST <a class="" href="https://dsm.dsm.fordham.edu:8084/?command=allow%5D:"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/?command=allow]:</span></a> Destroy (requests left=3)</span>
</div>
<div class="" style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">
<span class="" style="font-kerning: none;">Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST <a class="" href="https://dsm.dsm.fordham.edu:8084/?command=allow%5D:"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/?command=allow]:</span></a> Free (requests left=2)</span>
</div>
</div>
<div class="">
<span class="" style="font-kerning: none;"><br class=""></span>
</div>
</div>
<div class="">
<span class="" style="font-kerning: none;"><br class=""></span>
</div>
<div class="">
<span class="" style="font-kerning: none;">So wforce is always recording the “bad” IP as 127.0.0.1 or the FQDN, and not the actual user IP. Is there another place to set this?</span>
</div>
<div class="">
<span class="" style="font-kerning: none;"><br class=""></span>
</div>
<div class="">
<span class="" style="font-kerning: none;">Perhaps I have to set this in wforce.conf?</span>
</div>
<div class="">
<span class="" style="font-kerning: none;">webserver("0.0.0.0:8084", "ourpassword")</span>
</div>
</blockquote>
<div>
<br>
</div>
<div>
Set
</div>
<div>
<br>
</div>
<div>
ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
</div>
<div>
<br>
</div>
<div>
Are you using haproxy or something in front of dovecot?
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
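<div>
Added example, not part of the original thread and not Dovecot or wforce code: a Python check over auth debug lines like those quoted above, reporting per session which "remote" address was sent to the policy server and whether the policy call failed. The function name audit_policy_log and the second sample session (user alice, 203.0.113.7) are constructed for illustration.
</div>

```python
import ipaddress
import json
import re

# Constructed sample modelled on the auth debug lines quoted in this thread;
# the second session (user "alice", 203.0.113.7) is invented for contrast.
SAMPLE_LOG = """\
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server request JSON: {"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 28 09:59:10 auth: Debug: policy(alice,203.0.113.7,<Qx1constructed>): Policy server request JSON: {"device_id":"","login":"alice","protocol":"imap","pwhash":"a1","remote":"203.0.113.7","tls":true}
"""

POLICY_RE = re.compile(
    r"auth: (?:Debug|Error): policy\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<sid>[^>]*)>\): "
    r"(?P<kind>Policy server request JSON|Policy server HTTP error): (?P<body>.*)$"
)

def audit_policy_log(text):
    """Return per-session findings: the 'remote' sent and any policy HTTP error."""
    sessions = {}
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        entry = sessions.setdefault(
            m["sid"], {"user": m["user"], "remote": None, "loopback": False, "http_error": None}
        )
        if m["kind"] == "Policy server request JSON":
            try:
                remote = json.loads(m["body"]).get("remote")
            except json.JSONDecodeError:
                continue  # truncated or wrapped log line; nothing reliable to record
            entry["remote"] = remote
            try:
                # A loopback 'remote' means the policy server never sees the real client.
                entry["loopback"] = ipaddress.ip_address(remote).is_loopback
            except (ValueError, TypeError):
                entry["loopback"] = False
        else:
            entry["http_error"] = m["body"]
    return sessions

if __name__ == "__main__":
    for sid, f in audit_policy_log(SAMPLE_LOG).items():
        flags = [n for n, on in (("loopback-remote", f["loopback"]), ("policy-call-failed", f["http_error"])) if on]
        print(sid, f["user"], f["remote"], ",".join(flags) or "ok")
```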
</body>
</html>