<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 10 April 2019 23:56 Laura Smith via dovecot <
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
</div>
<div>
On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <
<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a>> wrote:
</div>
<div>
<br>
</div>
<blockquote type="cite">
<blockquote type="cite">
<div>
On 10 April 2019 23:13 Laura Smith via dovecot
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a> wrote:
</div>
<div>
Sent with ProtonMail Secure Email.
</div>
<div>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
</div>
<div>
On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi
<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a> wrote:
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<div>
On 10 April 2019 22:13 Laura Smith via dovecot
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a> wrote:
</div>
<div>
On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi
<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a> wrote:
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<div>
On 10 April 2019 21:26 Laura Smith via dovecot
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a> wrote:
</div>
<div>
==========================================================================
</div>
<div>
dsync(
<a href="mailto:foobar@example.com">foobar@example.com</a>): Error: imapc(foobar.example.com:993): dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
This is dovecot's internal dns-client, and something goes wrong when talking to the service.
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<div>
dsync(
<a href="mailto:foobar@example.com">foobar@example.com</a>): Error: Failed to initialize user: imapc: Login to foobar.example.com failed: Disconnected from server
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
This is btw dsync service, not imap service.
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<div>
===
</div>
<div>
Initially I thought "oh no, not another AppArmor block".
</div>
<div>
But then surely the second message would not appear if the DNS lookup was not successful ?
</div>
<div>
Also "dig foobar.example.com" works fine.
</div>
<div>
How should I be troubleshooting this ? And if it is still likely to be AppArmor, what is calling it ? "doveadm" itself or something else ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls like everyone else ?
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Because the "standard OS call" is blocking and we would prefer it to not block everything else.
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<div>
So many questions !
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Aki
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Thanks for your reply, but both those message are generated from a simple :
</div>
<div>
doveadm -v -o mail_fsync=never backup -R -u
<a href="mailto:foobar@example.com">foobar@example.com</a> imapc:
</div>
<div>
So I don't know what you mean about dsync service failing ? Surely the DNS lookup succeeded if the 'dsync service' failed due to remote disconnect ?
</div>
<div>
I'm still none the wiser as to where to start looking for troubleshoting ?
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Did you check dovecot logs? Maybe there is something useful?
</div>
<div>
Aki
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Only the same old cryptic message about dns-client ?
</div>
<div>
master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Something prevents executing the dns-client binary.
</div>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">
<div>
master: Error: service(dns_client): command startup failed, throttling for 16 secs
</div>
<div>
dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 (exec() failed)
</div>
</blockquote>
</blockquote>
<blockquote type="cite">
<div>
Aki
</div>
</blockquote>
<div>
<br>
</div>
<div>
Yes but is it being called by doveadm directly or by some other dovecot program ? If I'm going to have to go down the AppArmor route, then I would prefer if you told me what was calling it instead of me having to un-necessarily spend time doing straces !
</div>
<div>
<br>
</div>
<div>
Also, should I be able to call dns-client directly myself ? (or is there a way to do so to enable testing ?
</div>
</blockquote>
<div>
<br>
</div>
<div>
It is started by dovecot's master process when you connect to dns-client unix socket. You can try
</div>
<div>
<br>
</div>
<div>
socat stdio unix-connect:/var/run/dovecot/dns-client
</div>
<div>
<br>
</div>
<div>
I thought apparmor tells when something is blocked into kernel log? have you checked dmesg?
</div>
<div>
<br>
</div>
<div>
Apologies for your frustration.
</div>
<div>
---
<br>
</div>
<div class="io-ox-signature">
<pre>Aki Tuomi</pre>
</div>
</body>
</html>