> On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot <dovecot@dovecot.org> 
> wrote:
> 
>> On 28 March 2019 16:08 Robert Kudyba via dovecot <dovecot@dovecot.org> wrote:
>> 
>> 
>> dovecot-2.3.3-1.fc29.x86_64
>> 
>> Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 
>> (http_client_request_unref): assertion failed: (req->refcount > 0)
>> Mar 28 10:04:47 auth: Error: Raw backtrace: 
>> /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0x51207) [0x7fe76dff1207] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0x4972b) [0x7fe76dfe972b] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(http_client_request_destroy+0x107) 
>> [0x7fe76e02cf87] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(http_client_deinit+0x4c) [0x7fe76e03b9ec] 
>> -> dovecot/auth(auth_policy_deinit+0x1e) [0x55facfdb350e] -> 
>> dovecot/auth(main+0x3e1) [0x55facfdae3c1] -> 
>> /lib64/libc.so.6(__libc_start_main+0xf3) [0x7fe76dd93413] -> 
>> dovecot/auth(_start+0x2e) [0x55facfdae57e]
>> Mar 28 10:04:47 auth: Fatal: master: service(auth): child 31162 killed with 
>> signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps 
>>  - set /proc/sys/fs/suid_dumpable to 2)
>> Mar 28 10:04:48 master: Info: Dovecot v2.3.3 (dcead646b) starting up for 
>> imap, pop3
>> 
> Hi,
> 
> this is a known issue as DOV-3019 and we are fixing this. It happens during 
> auth process shutdown if there are pending requests.


Another issue is that the dovecot logs always report the offending URL or IP as 
what’s in /etc/dovecot/conf.d/95-auth.conf in our case:
auth_policy_server_url = https://ourdomain:8084/ 

These are HTTP errors in the logs:

Mar 28 09:58:04 auth: Debug: client in: AUTH    1       PLAIN   service=imap    
secured session=lmNw8SeFoMl/AAAB        lip=127.0.0.1   rip=127.0.0.1   
lport=143       rport=51616     resp=<hidden>
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): 
Policy request https://ourdomain:8084/?command=allow 
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): 
Policy server request JSON: 
{"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: 
Error: 9003 Couldn't 
initialize SSL context: Can't verify remote server certs without trusted CAs 
(ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: 
Submitted (requests 
left=3)
Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): 
Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote 
server certs without trusted CAs (ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: 
Destroy (requests left=3)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: 
Free (requests left=2)


So wforce is always recording the “bad” IP as 127.0.0.1 or the FQDN, and not 
the actual user IP. Is there another place to set this?

Perhaps I have to set this in wforce.conf?
webserver("0.0.0.0:8084", "ourpassword")
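
Added example, not part of the original message and not Dovecot or wforce code: a Python sketch that groups the auth debug lines above by session ID, so the client's `rip=` can be compared with the `remote` value in the policy request JSON and any policy server HTTP error is shown next to the login it belongs to. The sample lines are the ones from the log above, unwrapped to one line each; the function names `correlate` and `report` are hypothetical.

```python
import ipaddress
import json
import re

# Lines taken from the log above, unwrapped to one line each (whitespace normalised).
SAMPLE_LOG = """\
Mar 28 09:58:04 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=lmNw8SeFoMl/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=51616 resp=<hidden>
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server request JSON: {"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
"""

CLIENT_IN = re.compile(r"auth: Debug: client in: AUTH\s.*?\bsession=(\S+).*?\brip=(\S+)")
POLICY = re.compile(r"auth: (?:Debug|Error): policy\(([^,]*),[^,]*,<([^>]*)>\): (.*)")

def correlate(log_text):
    """Group auth debug lines by session ID (hypothetical helper)."""
    sessions = {}
    for line in log_text.splitlines():
        m = CLIENT_IN.search(line)
        if m:
            # rip= is the client address as the auth process received it
            sessions.setdefault(m.group(1), {})["rip"] = m.group(2)
            continue
        m = POLICY.search(line)
        if not m:
            continue
        login, sid, msg = m.groups()
        entry = sessions.setdefault(sid, {})
        entry["login"] = login
        kind, _, rest = msg.partition(": ")
        if kind == "Policy server request JSON":
            entry["remote_sent"] = json.loads(rest).get("remote")
        elif kind == "Policy server HTTP error":
            entry["policy_error"] = rest
    return sessions

def report(sessions):
    """One note per loopback login and per failed policy request."""
    notes = []
    for sid, s in sessions.items():
        rip = s.get("rip")
        if rip and ipaddress.ip_address(rip).is_loopback:
            notes.append(f"{sid}: login from loopback {rip}, remote sent={s.get('remote_sent')}")
        if "policy_error" in s:
            notes.append(f"{sid}: policy request failed: {s['policy_error']}")
    return notes
```
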
