>>>>> "Aki" == Aki Tuomi <aki.tu...@open-xchange.com> writes:

Aki> You are correct that the problem is not fully fixed yet. It,
Aki> however, only affects practically cases where you do doveadm -c
Aki> /path <command>

Thanks for the update.

Aki> We will fix it properly in a future release, now it has been
Aki> fixed to work as it used to before, so no new regression is
Aki> introduced.

As long as no one trips over this issue with too long certs some other
way.

>> On 03/11/2021 14:54 John Stoffel <j...@stoffel.org> wrote:
>>
>> >>>>> "Aki" == Aki Tuomi <aki.tu...@open-xchange.com> writes:
>>
Aki> This issue is now fixed for Dovecot on master with
Aki> https://github.com/dovecot/core/compare/ca2237e%5E..6fff8d5.patch
>>
>> Looking at the patch, I've got a couple of comments.
>>
>> 1. Even your added comment says this issue could still happen if
>> doveadm reads the config setting through doveconf, instead of the
>> config socket. To me that smells like the problem isn't really where
>> you patched it, but more in the parsing of options in doveadm.
>>
>> 2. This is much more bike-shedding, but you have the following:
>>
>> - if (input->module != NULL || input->extra_modules != NULL) {
>> + if ((service->flags & MASTER_SERVICE_FLAG_DISABLE_SSL_SET) ==
>> 0 &&
>> + (input->module != NULL || input->extra_modules != NULL)) {
>>
>> And I would think that the last line would be more readable with:
>>
>> (input->module || input->extra_modules)) {
>>
>> The != NULL test just seems really redundant. I haven't looked at the
>> rest of the main.c to see if this pattern is repeated all over the
>> place or not.
>>
>> John
>>
Aki> and for pigeonhole master with
>>
Aki> https://github.com/dovecot/pigeonhole/commit/29750ba54c20eea0afd4ca436ddc1325723ce93f.patch
>>
Aki> Regards,
Aki> Aki
>>
>> >> On 01/11/2021 08:38 Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>> >>
>> >> Hi all!
>> >>
>> >> We are looking into this issue.
>> >>
>> >> Aki
>> >>
>> >> > On 30/10/2021 19:36 TG Servers <sr...@prvtmail.net> wrote:
>> >> >
>> >> > Thanks Robert, I read that. I will also wait for a patch and stay
>> >> >
>> >> > Cheers
>> >> >
>> >> > On 30/10/2021 12:59, Robert Nowotny wrote:
>> >> >
>> >> > > the reason is :
>> >> > >
>> >> > > ssl_ca = </etc/ssl/certs/ca-bundle.crt
>> >> > >
>> >> > > if "ca-bundle.crt" is too big, You will get that error.
>> >> > > this should be fixed, but as a workaround You might pull out the
>> >> > > certificates You need.
>> >> > > I personally wait for the patch and stay at 2.3.16 for the time
>> >> > > being.
>> >> > >
>> >> > > yours sincerely
>> >> > > Robert
>> >> > >
>> >> > > On 30.10.2021 at 10:34, TG Servers wrote:
>> >> > >
>> >> > > > Hello,
>> >> > > >
>> >> > > > tonight my dovecot upgraded to 2.3.17 and completely broke on
>> >> > > > recent CentOS 8 installation.
>> >> > > >
>> >> > > > I found the service in status
>> >> > > >
>> >> > > > [root@riot ~]# systemctl status dovecot
>> >> > > > ● dovecot.service - Dovecot IMAP/POP3 email server
>> >> > > > Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled;
>> >> > > > vendor preset: disabled)
>> >> > > > Active: failed (Result: exit-code) since Sat 2021-10-30 09:59:11
>> >> > > > CEST; 58s ago
>> >> > > > Docs: man:dovecot(1)
>> >> > > > https://doc.dovecot.org/
>> >> > > > Process: 1515 ExecStart=/usr/sbin/dovecot -F (code=exited,
>> >> > > > status=89)
>> >> > > > Process: 1429 ExecStartPre=/usr/libexec/dovecot/prestartscript
>> >> > > > (code=exited, status=0/SUCCESS)
>> >> > > > Main PID: 1515 (code=exited, status=89)
>> >> > > >
>> >> > > > Oct 30 09:59:10 riot.<domain>.com systemd[1]: Starting Dovecot
>> >> > > > IMAP/POP3 email server...
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Fatal:
>> >> > > > execvp(/usr/libexec/dovecot/managesieve) failed: Argument list too
>> >> > > > long
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Error:
>> >> > > > managesieve-login: dump-capability process returned 89
>> >> > > > Oct 30 09:59:11 riot.<domain>.com dovecot[1515]: doveconf: Fatal:
>> >> > > > execvp(/usr/sbin/dovecot) failed: Argument list too long
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: dovecot.service:
>> >> > > > Main process exited, code=exited, status=89/n/a
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: dovecot.service:
>> >> > > > Failed with result 'exit-code'.
>> >> > > > Oct 30 09:59:11 riot.<domain>.com systemd[1]: Failed to start
>> >> > > > Dovecot IMAP/POP3 email server.
>> >> > > >
>> >> > > > This seems to be like a bug as no configuration was changed by me
>> >> > > > in the middle of the night.
>> >> > > > I recall there were similar errors/bug reports in the past where it
>> >> > > > seemed it was managesieve but wasn't, people had some
>> >> > > > misconfigurations in the dovecot.conf. I did not change my
>> >> > > > dovecot.conf since April.
>> >> > > > But maybe here it is a pigeonhole issue.
>> >> > > >
>> >> > > > As I did not find any reason for it I changed the repo and
>> >> > > > downgraded to 2.3.16-2 now and it runs without any flaws, like all
>> >> > > > the time before. I had no time to investigate this any longer than
>> >> > > > 2 hours with 2.3.17 installed as this is a production server and I
>> >> > > > need the email access. I also did not find anything addressable in
>> >> > > > the logs.
>> >> > > >
>> >> > > > [root@riot dovecot]# systemctl status dovecot
>> >> > > > ● dovecot.service - Dovecot IMAP/POP3 email server
>> >> > > > Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled;
>> >> > > > vendor preset: disabled)
>> >> > > > Active: active (running) since Sat 2021-10-30 10:18:11 CEST; 2s ago
>> >> > > > Docs: man:dovecot(1)
>> >> > > > https://doc.dovecot.org/
>> >> > > > Process: 32398 ExecStartPre=/usr/libexec/dovecot/prestartscript
>> >> > > > (code=exited, status=0/SUCCESS)
>> >> > > > Main PID: 32452 (dovecot)
>> >> > > > Status: "v2.3.16 (7e2e900c1a) running"
>> >> > > > Tasks: 4 (limit: 99912)
>> >> > > > Memory: 4.4M
>> >> > > > CGroup: /system.slice/dovecot.service
>> >> > > > ├─32452 /usr/sbin/dovecot -F
>> >> > > > ├─32507 dovecot/anvil
>> >> > > > ├─32508 dovecot/log
>> >> > > > └─32513 dovecot/config
>> >> > > >
>> >> > > > Oct 30 10:18:11 riot.<domain>.com systemd[1]: Starting Dovecot
>> >> > > > IMAP/POP3 email server...
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: Warning:
>> >> > > > Corrected permissions for login directory
>> >> > > > /var/run/dovecot/token-login
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: master: Warning:
>> >> > > > Corrected permissions for login directory
>> >> > > > /var/run/dovecot/token-login
>> >> > > > Oct 30 10:18:11 riot.<domain>.com dovecot[32452]: master: Dovecot
>> >> > > > v2.3.16 (7e2e900c1a) starting up for imap, lmtp, sieve
>> >> > > > Oct 30 10:18:11 riot.<domain>.com systemd[1]: Started Dovecot
>> >> > > > IMAP/POP3 email server.
>> >> > > >
>> >> > > > This is the configuration
>> >> > > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
>> >> > > > # Pigeonhole version 0.5.16 (09c29328)
>> >> > > > # OS: Linux 4.18.0-305.19.1.el8_4.x86_64 x86_64 AlmaLinux release
>> >> > > > 8.4 (Electric Cheetah)
>> >> > > > # Hostname: riot.<domain>.com
>> >> > > > auth_mechanisms = plain login
>> >> > > > auth_verbose = yes
>> >> > > > listen = *
>> >> > > > mail_gid = vmail
>> >> > > > mail_home = /var/vmail/mailboxes/%d/%n
>> >> > > > mail_location = maildir:~/mail:LAYOUT=fs
>> >> > > > mail_plugins = " quota fts fts_solr"
>> >> > > > mail_privileged_group = vmail
>> >> > > > mail_uid = vmail
>> >> > > > managesieve_notify_capability = mailto
>> >> > > > managesieve_sieve_capability = fileinto reject envelope
>> >> > > > encoded-character vacation subaddress comparator-i;ascii-numeric
>> >> > > > relational regex imap4flags copy include variables body enotify
>> >> > > > environment mailbox date index ihave duplicate mime foreverypart
>> >> > > > extracttext imapsieve vnd.dovecot.imapsieve
>> >> > > > namespace inbox {
>> >> > > >   inbox = yes
>> >> > > >   location =
>> >> > > >   mailbox Drafts {
>> >> > > >     auto = subscribe
>> >> > > >     special_use = \Drafts
>> >> > > >   }
>> >> > > >   mailbox Sent {
>> >> > > >     auto = subscribe
>> >> > > >     special_use = \Sent
>> >> > > >   }
>> >> > > >   mailbox Spam {
>> >> > > >     auto = subscribe
>> >> > > >     special_use = \Junk
>> >> > > >   }
>> >> > > >   mailbox Trash {
>> >> > > >     auto = subscribe
>> >> > > >     special_use = \Trash
>> >> > > >   }
>> >> > > >   prefix =
>> >> > > >   separator = .
>> >> > > >   type = private
>> >> > > > }
>> >> > > > passdb {
>> >> > > >   args = /etc/dovecot/dovecot-sql.conf
>> >> > > >   driver = sql
>> >> > > > }
>> >> > > > plugin {
>> >> > > >   fts = solr
>> >> > > >   fts_autoindex = yes
>> >> > > >   fts_solr = url=http://localhost:<solr_port>/solr/dovecot/
>> >> > > >   imapsieve_mailbox1_before =
>> >> > > > file:/var/vmail/sieve/global/learn-spam.sieve
>> >> > > >   imapsieve_mailbox1_causes = COPY
>> >> > > >   imapsieve_mailbox1_name = Spam
>> >> > > >   imapsieve_mailbox2_before =
>> >> > > > file:/var/vmail/sieve/global/learn-ham.sieve
>> >> > > >   imapsieve_mailbox2_causes = COPY
>> >> > > >   imapsieve_mailbox2_from = Spam
>> >> > > >   imapsieve_mailbox2_name = *
>> >> > > >   quota = maildir:User quota
>> >> > > >   quota_exceeded_message = User %u is over the storage quota
>> >> > > >   sieve =
>> >> > > > file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
>> >> > > >   sieve_before = /var/vmail/sieve/global/spam-global.sieve
>> >> > > >   sieve_global_extensions = +vnd.dovecot.pipe
>> >> > > >   sieve_pipe_bin_dir = /usr/bin
>> >> > > >   sieve_plugins = sieve_imapsieve sieve_extprograms
>> >> > > > }
>> >> > > > protocols = imap lmtp sieve
>> >> > > > service auth {
>> >> > > >   unix_listener /var/spool/postfix/private/auth {
>> >> > > >     group = postfix
>> >> > > >     mode = 0660
>> >> > > >     user = postfix
>> >> > > >   }
>> >> > > >   unix_listener auth-userdb {
>> >> > > >     group = vmail
>> >> > > >     mode = 0660
>> >> > > >     user = vmail
>> >> > > >   }
>> >> > > > }
>> >> > > > service imap-login {
>> >> > > >   inet_listener imap {
>> >> > > >     port = 0
>> >> > > >   }
>> >> > > >   inet_listener imaps {
>> >> > > >     port = 993
>> >> > > >   }
>> >> > > > }
>> >> > > > service lmtp {
>> >> > > >   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>> >> > > >     group = postfix
>> >> > > >     mode = 0660
>> >> > > >     user = postfix
>> >> > > >   }
>> >> > > >   user = vmail
>> >> > > > }
>> >> > > > service managesieve-login {
>> >> > > >   inet_listener sieve {
>> >> > > >     port = 4190
>> >> > > >   }
>> >> > > > }
>> >> > > > ssl = required
>> >> > > > ssl_ca = </etc/ssl/certs/ca-bundle.crt
>> >> > > > ssl_cert = </etc/ssl/certs/<domain>.com_chain.crt
>> >> > > > ssl_cipher_list =
>> >> > > > TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+AESGCM:EDH+AESGCM:@SECLEVEL=2
>> >> > > > ssl_client_ca_dir = /etc/ssl/certs
>> >> > > > ssl_client_ca_file = /etc/ssl/certs/ca-bundle.crt
>> >> > > > ssl_dh = # hidden, use -P to show it
>> >> > > > ssl_key = # hidden, use -P to show it
>> >> > > > ssl_prefer_server_ciphers = yes
>> >> > > > userdb {
>> >> > > >   args = /etc/dovecot/dovecot-sql.conf
>> >> > > >   driver = sql
>> >> > > > }
>> >> > > > protocol imap {
>> >> > > >   imap_idle_notify_interval = 24 mins
>> >> > > >   mail_max_userip_connections = 20
>> >> > > >   mail_plugins = " quota fts fts_solr imap_quota imap_sieve"
>> >> > > > }
>> >> > > > protocol lmtp {
>> >> > > >   mail_plugins = " quota fts fts_solr sieve"
>> >> > > >   postmaster_address = postmaster@<domain>.com
>> >> > > > }
>> >> > > > local_name mail.<domain_3>.com {
>> >> > > >   ssl_cert = </etc/ssl/certs/<domain_3>.com_chain.crt
>> >> > > >   ssl_key = # hidden, use -P to show it
>> >> > > > }
>> >> > > > local_name mail.<domain_2>.net {
>> >> > > >   ssl_cert = </etc/ssl/certs/<domain_2>.net_chain.crt
>> >> > > >   ssl_key = # hidden, use -P to show it
>> >> > > > }
>> >> > > > local_name mail.<domain>.com {
>> >> > > >   ssl_cert = </etc/ssl/certs/<domain>.com_chain.crt
>> >> > > >   ssl_key = # hidden, use -P to show it
>> >> > > > }
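
An added example, not part of the thread and not Dovecot code: a pre-upgrade check for the failure reported above, plus the workaround Robert describes (keeping only the CA certificates you need). It assumes the "Argument list too long" error comes from the Linux per-string exec limit (MAX_ARG_STRLEN, 131072 bytes with 4 KiB pages) and that each `key = </path` setting reaches exec as a single string; the function names and the choice of SHA-256 fingerprints as the selection key are hypothetical.

```python
import base64, hashlib, os, re

# Assumption: Linux rejects any single exec argument or environment string
# longer than MAX_ARG_STRLEN (32 pages = 131072 bytes with 4 KiB pages).
MAX_ARG_STRLEN = 32 * 4096

# `key = </path` is how doveconf -n shows a setting whose value is a file's content.
INLINE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*<(\S+)[ \t]*$", re.M)
PEM = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def oversized_inline_settings(conf_text, size_of=os.path.getsize, limit=MAX_ARG_STRLEN):
    """Return (setting, path, size) for inlined files too large for one exec string."""
    hits = []
    for key, path in INLINE.findall(conf_text):
        size = size_of(path)
        # key + "=" + content + NUL is a lower bound on the string length.
        if len(key) + 1 + size + 1 > limit:
            hits.append((key, path, size))
    return hits

def fingerprint(pem_block):
    """SHA-256 of the DER bytes inside one PEM certificate block."""
    body = "".join(pem_block.strip().splitlines()[1:-1])
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def trim_bundle(pem_text, keep):
    """Keep only the certificates whose SHA-256 fingerprint is in `keep`."""
    wanted = {fp.replace(":", "").lower() for fp in keep}
    blocks = [b for b in PEM.findall(pem_text) if fingerprint(b) in wanted]
    return "\n".join(blocks) + "\n"

# Excerpt of the configuration posted in the thread.
SAMPLE_CONF = """\
ssl = required
ssl_ca = </etc/ssl/certs/ca-bundle.crt
ssl_cert = </etc/ssl/certs/<domain>.com_chain.crt
ssl_key = # hidden, use -P to show it
"""

if __name__ == "__main__":
    # Constructed sizes so the example runs without the real files.
    sizes = {"/etc/ssl/certs/ca-bundle.crt": 220_000,
             "/etc/ssl/certs/<domain>.com_chain.crt": 5_600}
    for key, path, size in oversized_inline_settings(SAMPLE_CONF, sizes.__getitem__):
        print(f"{key}: {path} is {size} bytes, over the {MAX_ARG_STRLEN}-byte limit")
```

On a real host, feed it the output of `doveconf -n` and leave `size_of` at its default so the actual file sizes are read.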