On 11/04/2019 10:02, Laura Smith via dovecot wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot
> <dovecot@dovecot.org> wrote:
>
>> On 11/04/2019 00:51, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot
>>> dovecot@dovecot.org wrote:
>>>
>>>> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>>>>
>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi
>>>>> aki.tu...@open-xchange.com wrote:
>>>>>
>>>>>>> On 10 April 2019 23:56 Laura Smith via dovecot <dovecot@dovecot.org>
>>>>>>> wrote:
>>>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>>>> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi
>>>>>>> <aki.tu...@open-xchange.com> wrote:
>>>>>>>
>>>>>>>>> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org
>>>>>>>>> wrote:
>>>>>>>>> Sent with ProtonMail Secure Email.
>>>>>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>>>>>> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi
>>>>>>>>> aki.tu...@open-xchange.com wrote:
>>>>>>>>>
>>>>>>>>>>> On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org
>>>>>>>>>>> wrote:
>>>>>>>>>>> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi
>>>>>>>>>>> aki.tu...@open-xchange.com wrote:
>>>>>>>>>>>
>>>>>>>>>>>>> On 10 April 2019 21:26 Laura Smith via dovecot
>>>>>>>>>>>>> dovecot@dovecot.org wrote:
>>>>>>>>>>>>> ==========================================================================
>>>>>>>>>>>>> dsync( foo...@example.com): Error: imapc(foobar.example.com:993):
>>>>>>>>>>>>> dns_lookup(foobar.example.com) failed:
>>>>>>>>>>>>> read(/var/run/dovecot/dns-client) failed: read(size=512) failed:
>>>>>>>>>>>>> Connection reset by peer
>>>>>>>>>>>>> This is dovecot's internal dns-client, and something goes wrong
>>>>>>>>>>>>> when talking to the service.
>>>>>>>>>>>>> dsync( foo...@example.com): Error: Failed to initialize user:
>>>>>>>>>>>>> imapc: Login to foobar.example.com failed: Disconnected from
>>>>>>>>>>>>> server
>>>>>>>>>>>>> This is btw dsync service, not imap service.
>>>>>>>>>>>>> ==========================================================================
>>>>>>>>>>>>> Initially I thought "oh no, not another AppArmor block".
>>>>>>>>>>>>> But then surely the second message would not appear if the DNS
>>>>>>>>>>>>> lookup was not successful ?
>>>>>>>>>>>>> Also "dig foobar.example.com" works fine.
>>>>>>>>>>>>> How should I be troubleshooting this ? And if it is still likely
>>>>>>>>>>>>> to be AppArmor, what is calling it ? "doveadm" itself or
>>>>>>>>>>>>> something else ? What does "/var/run/dovecot/dns-client" do and
>>>>>>>>>>>>> why doesn't dovecot use standard OS calls like everyone else ?
>>>>>>>>>>>>> Because the "standard OS call" is blocking and we would prefer it
>>>>>>>>>>>>> to not block everything else.
>>>>>>>>>>>>> So many questions !
>>>>>>>>>>>>> Aki
>>>>>>>>>>>>> Thanks for your reply, but both those messages are generated from
>>>>>>>>>>>>> a simple :
>>>>>>>>>>>>> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com
>>>>>>>>>>>>> imapc:
>>>>>>>>>>>>> So I don't know what you mean about dsync service failing ?
>>>>>>>>>>>>> Surely the DNS lookup succeeded if the 'dsync service' failed due
>>>>>>>>>>>>> to remote disconnect ?
>>>>>>>>>>>>> I'm still none the wiser as to where to start looking for
>>>>>>>>>>>>> troubleshooting ?
>>>>>>>>>>>>> Did you check dovecot logs? Maybe there is something useful?
>>>>>>>>>>>>> Aki
>>>>>>>>>>>>> Only the same old cryptic message about dns-client ?
>>>>>>>>>>>>> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed:
>>>>>>>>>>>>> Permission denied
>>>>>>>>>>>>> Something prevents executing the dns-client binary.
>>>>>>>>>>>>> master: Error: service(dns_client): command startup failed,
>>>>>>>>>>>>> throttling for 16 secs
>>>>>>>>>>>>> dns_client: Fatal: master: service(dns_client): child 14293
>>>>>>>>>>>>> returned error 84 (exec() failed)
>>>>>>>>>>>>> Aki
>>>>>>>>>>>>> Yes but is it being called by doveadm directly or by some other
>>>>>>>>>>>>> dovecot program ? If I'm going to have to go down the AppArmor
>>>>>>>>>>>>> route, then I would prefer if you told me what was calling it
>>>>>>>>>>>>> instead of me having to unnecessarily spend time doing straces !
>>>>>>>>>>>>> Also, should I be able to call dns-client directly myself ? (or
>>>>>>>>>>>>> is there a way to do so to enable testing ?)
>>>>>>>>>>>>> It is started by dovecot's master process when you connect to
>>>>>>>>>>>>> dns-client unix socket. You can try
>>>>>>>>>>>>> socat stdio unix-connect:/var/run/dovecot/dns-client
>>>>>>>>>>>>> I thought apparmor tells when something is blocked in the kernel
>>>>>>>>>>>>> log? Have you checked dmesg?
>>>>>> Apologies for your frustration.
>>>>> Yeah nothing in dmesg. I'm still hunting around to find some log
>>>>> somewhere but so far silence.
>>>>> "socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns
>>>>> nothing. Is that expected ?
>>>>> When you say "dovecot's master process", so doveadm sync talks to the
>>>>> master process ? So in terms of apparmor I would therefore be looking at
>>>>> /usr/sbin/dovecot ? If that's the case, the relevant apparmor
>>>>> permissions are already provided :
>>>>> /{,var/}run/dovecot/ rw,
>>>>> /{,var/}run/dovecot/** rw,
>>>>> Laura
>>>> Do the above apparmor settings give permission to dovecot to execute
>>>> /usr/lib/dovecot/dns-client, assuming that the user under which dovecot
>>>> is running already has file system permissions to do that?
>>>> John
>>> John,
>>> Here's the definitive answer to your question (and anyone else thinking of
>>> pointing the finger at apparmor):
>>> foo:/home/foo # sudo systemctl stop apparmor
>>> foo:/home/foo # doveadm -v -o mail_fsync=never backup -R -u
>>> foo...@example.com imapc:
>>> dsync(foo...@example.com): Error: imapc(foobar.example.com:993):
>>> dns_lookup(foobar.example.com) failed: DNS lookup timed out
>>> dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login
>>> to foobar.example.com failed: Disconnected from server
>>> So. Can we move on from the "blame apparmor" ? ;-)
>> Laura
>>
>> I'd suggest doing the test with a restart of dovecot in between stopping
>> apparmor and running the doveadm command. Check your logs to see if
>> there is no longer any message generated about not being able to execv
>> /usr/lib/dovecot/dns-client.
>>
>> foo:/home/foo # sudo systemctl stop apparmor
>> foo:/home/foo # sudo systemctl restart dovecot
>> foo:/home/foo # doveadm -v -o mail_fsync=never backup -R -u
>> foo...@example.com imapc:
>>
>> John
>
> Same again....
>
> failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed:
> Connection reset by peer

Do you get any messages in /var/log/audit/audit.log when executing this test?

John
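The checks the thread walks through (execute permission on the dns-client binary, the socat connect to the dns-client socket, and the audit log John asks about) gathered into one triage script. This is an added example, not a script posted by any participant or shipped by Dovecot; it assumes the paths quoted in the thread and lets you override them through environment variables.

```shell
#!/bin/sh
# Added example: triage "execv(/usr/lib/dovecot/dns-client) failed: Permission denied".
# Paths default to the ones quoted in the thread (assumed); override via the environment.
DNS_CLIENT="${DNS_CLIENT:-/usr/lib/dovecot/dns-client}"
DNS_SOCKET="${DNS_SOCKET:-/var/run/dovecot/dns-client}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# exec_status <path>: "missing", "not-executable" or "ok" for the calling user.
# execv also reports EACCES for a missing x bit or a noexec mount, so rule the
# plain filesystem causes out before blaming the MAC layer.
exec_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -x "$1" ]; then echo ok
    else echo not-executable
    fi
}

# apparmor_exec_denials <audit-log>: AppArmor DENIED records naming the binary.
# An exec needs an exec rule for the binary in the confining profile; the
# "/{,var/}run/dovecot/** rw," lines quoted above cover only the socket directory.
apparmor_exec_denials() {
    grep -F 'apparmor="DENIED"' "$1" 2>/dev/null | grep -F "$DNS_CLIENT" || true
}

# apparmor_exec_denial_count <audit-log>: number of such records (0 if none).
apparmor_exec_denial_count() {
    apparmor_exec_denials "$1" | wc -l | tr -d ' '
}

# socket_status <socket>: replays the socat check from the thread. A connect that
# then reads nothing is normal; "connect-failed" (e.g. reset by peer) means the
# master spawned dns-client but it died, which matches a failed exec.
socket_status() {
    [ -S "$1" ] || { echo no-socket; return; }
    command -v socat >/dev/null 2>&1 || { echo socat-missing; return; }
    if printf '' | socat -T 2 stdio "unix-connect:$1" >/dev/null 2>&1; then
        echo connect-ok
    else
        echo connect-failed
    fi
}

report() {
    echo "binary $DNS_CLIENT: $(exec_status "$DNS_CLIENT")"
    echo "socket $DNS_SOCKET: $(socket_status "$DNS_SOCKET")"
    echo "AppArmor exec denials in $AUDIT_LOG: $(apparmor_exec_denial_count "$AUDIT_LOG")"
    apparmor_exec_denials "$AUDIT_LOG"
}

# Only run the report with --run so the functions can also be sourced separately.
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as root with `sh dns-client-triage.sh --run` on the affected host; a non-zero denial count with `requested_mask="x"` points at the profile, while "not-executable" points at the filesystem.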