Re: [Dovecot] imap-login hanging when firewall blocks ssl handshaking
At 10AM -0800 on 1/12/12 Erik A Johnson wrote: > > On November 29, 2012 at 2:39:51 PM PST, Timo Sirainen wrote: > > Yes, that sounds like it would work better: > > > > if (!proxy->client && net_getpeername(proxy->fd_ssl, NULL, NULL) < > > 0 && errno == ENOTCONN) { > > Using getpeername or net_getpeername, errno is set to EINVAL = "socket > has been shut down", so we could instead use > >if (!proxy->client && net_getpeername(proxy->fd_ssl, NULL, NULL) < >0 && errno == EINVAL) { > > So it seems that we have the following options: > > 1. net_geterror(proxy->fd_ssl) == EBADF > 2. read(proxy->fd_ssl, &err, 0) < 0 && errno == ENOTCONN > 3. net_getpeername(proxy->fd_ssl, NULL, NULL) < 0 && errno == EINVAL > > Which is preferable? I think the djb page I mentioned before comes down in favour of if (!proxy->client && net_getpeername(...) < 0 && read(proxy->fd_ssl, &err, 1) < 0 && errno == ENOTCONN) { where the read is of 1 byte rather than 0 since a read of 0 apparently sometimes succeeds even if the socket isn't connected, and the getpeername is to protect against actually reading from a connected socket. However, doing all that every time we try to read seems like a lot of wasted effort; if possible, it would be better to identify the circumstances when it might happen (for instance, is it true that if we've done at least one successful SSL read on this socket that this error won't occur?). > Should the "#ifdef __APPLE__" remain? or would any of these tests be > appropriate for other platforms as well? I had a go at reproducing this on FreeBSD and failed, but I don't believe we've seen a packet trace yet so I wasn't entirely sure what might provoke it. There is definitely a bug in the OS here somewhere, unless the socket never gets as far as SYN-SYN/ACK-ACK, since ENOTCONN should only be returned *before* the socket has connected successfully. An ordinary disconnected socket should simply return EOF from read, and a socket that got RST should return ECONNRESET. Are you able to reproduce this and get a tcpdump packet trace (on the dovecot side of any firewalls)? Also, when this happens, does it happen straight away or is there a delay until the connection times out? (I don't suppose you know if the source for the OSX network stack is online anywhere? I'd be interested to see how different it is from FreeBSD's.) Ben
Re: [Dovecot] imap-login hanging when firewall blocks ssl handshaking
On Nov 29, 2012, at 7:42 AM, Erik A Johnson wrote: No, the test to bug out doesn't work because net_geterror(proxy->fd_ssl) returns 0 in the statement if (!proxy->client_proxy && net_geterror(proxy->fd_ssl) == ENOTCONN) { I was wrong here: the FIRST time, net_geterror returns EBADF = "The argument socket is not a valid file descriptor" (and then 0 on subsequent calls). On November 29, 2012 at 12:43:42 PM PST, Timo Sirainen wrote: >>> I wonder if something like would work: >>> >>> if (!proxy->client && read(proxy->fd_ssl, &err, 0) < 0 && errno == >>> ENOTCONN) { On November 29, 2012 at 2:12:18 PM PST, Ben Morrow wrote: >> How about calling getpeername on fd_ssl? That should reliably tell you >> if the socket is connected or not. http://cr.yp.to/docs/connect.html >> suggests that read is not always a reliable test for that. Thanks, Ben. On November 29, 2012 at 2:39:51 PM PST, Timo Sirainen wrote: > Yes, that sounds like it would work better: > > if (!proxy->client && net_getpeername(proxy->fd_ssl, NULL, NULL) < 0 && > errno == ENOTCONN) { Using getpeername or net_getpeername, errno is set to EINVAL = "socket has been shut down", so we could instead use if (!proxy->client && net_getpeername(proxy->fd_ssl, NULL, NULL) < 0 && errno == EINVAL) { So it seems that we have the following options: 1. net_geterror(proxy->fd_ssl) == EBADF 2. read(proxy->fd_ssl, &err, 0) < 0 && errno == ENOTCONN 3. net_getpeername(proxy->fd_ssl, NULL, NULL) < 0 && errno == EINVAL Which is preferable? Should the "#ifdef __APPLE__" remain? or would any of these tests be appropriate for other platforms as well? On Nov 28, 2012, at 10:18PM PST, Timo Sirainen wrote: > This is either OSX bug or OpenSSL bug.. Apparently what happens is: > > 1. Client sends SYN packet to Dovecot > 2. Dovecot accept()s the connection (sends SYN-ACK) and goes into OpenSSL > code > 3. Client doesn't send ACK to Dovecot. Does it send RST or nothing or > something else? I don't know. > 4. OSX notices anyway that something is wrong with the socket, and kqueue > says that the socket is ready for reading > 5. OpenSSL read()s, which fails with ENOTCONN. But OpenSSL thinks this is > a non-fatal error and simply asks to be notified again when something can > be read > 6. goto 4 > > So, whose bug is it? OpenSSL's ENOTCONN handling probably makes sense for > client connections where connect() hasn't finished yet. But then again, > this is accept()ed connection where it typically should fail like that. > Except I guess it might be correct behavior if read() is done after > SYN-ACK but before receiving ACK. > > While OSX is receiving ACK from the client, it shouldn't say that the fd > is readable. It probably doesn't. But after it receives it > realizes that the socket is disconnected. So read() probably shouldn't be > returning ENOTCONN anymore at this point, but instead ECONNRESET or > ETIMEDOUT. > > See if the attached patch helps. > > > On 29.11.2012, at 7.45, Erik A Johnson wrote: >> Here's the log: >> >> Nov 28 21:28:11 macbookpro-e17d.home dovecot[54139]: master: Dovecot >> v2.1.10 starting up (core dumps disabled) >> Nov 28 21:30:19 macbookpro-e17d.home dovecot[54141]: imap-login: Debug: >> ssl_step() >> Nov 28 21:30:19 macbookpro-e17d.home dovecot[54141]: imap-login: Debug: >> ssl_handshake: SSL_accept()=-1 >> Nov 28 21:30:19 macbookpro-e17d.home dovecot[54141]: imap-login: Debug: >> SSL_get_error() = 2 >> Nov 28 21:30:19 macbookpro-e17d.home dovecot[54141]: imap-login: Debug: >> - want_read >> Nov 28 21:30:19 macbookpro-e17d.home dovecot[54141]: imap-login: Debug: >> ssl_set_io(0) >> [last 5 lines are repeated until process is killed] >> >> On Nov 26, 2012, as 11:38PM PST, Timo Sirainen wrote: >>> >>> Could you try with the attached patch, and with only the problematic >>> client running? What does it log (the beginning of the session until it >>> starts repeating the same lines)? >>> >>> On 10.11.2012, at 12.44, Erik A Johnson wrote: imap-login processes are hanging (using 100% of CPU) when connected from a client that is partially blocked by a firewall. It appears that imap-login is stuck in a loop trying to complete an ssl handshake. imap-login is working fine for other clients not blocked by the firewall (including localhost). This is dovecot 2.1.10 under Mac OS X 10.8.2 (compiled from sources); the firewall is Little Snitch 3.0.1 blocking port 993, which appears to let the connection initiate but then squashes and disconnects the socket during ssl handshaking. gdb backtrace and Activity Monitor's "Sample Process" show that imap-login
[Dovecot] Undeserved permissions error with g+s folder permissions
I have a (mbox/IMAP) directory under my mail directory with these permissions: drwxrws--- 4 tlhackque mail 4096 Dec 1 10:34 Vendors/ It contains a subdirectory: -rw-rw 1 thlackque mail 84805345 Dec 1 10:34 Vendors/AVendor If I try to rename the AVendor folder (client is Thunderbird 17.0), I get this error: Unable to rename across conflicting directory permisssions If I chmod g-s Vendors, the RENAME command succeeds. I shouldn't have to do this... Version and configuration information: dovecot --version 2.1.10 # OS: Linux 2.6.22.14-72.fc6 i686 Fedora Core release 6 (Zod) first_valid_gid = 4000 first_valid_uid = 4000 hostname = example.net login_greeting = Dovecot ready. Unauthorized access is prohibited. mail_access_groups = mail mail_location = mbox:~/mail:INBOX=/var/mail/%n mail_privileged_group = mail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / } passdb { driver = pam } plugin { autocreate = Trash autocreate2 = Train As Spam autocreate3 = Train As Ham autocreate4 = Train As Forgotten autosubscribe = Trash autosubscribe2 = Train As Spam autosubscribe3 = Train As Ham autosubscribe4 = Train As Forgotten } service imap-login { inet_listener imap { address = imap.v4.example.net imap.v6.example.net port = 143 } inet_listener imaps { address = imap.v4.example.net imap.v6.example.net port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { address = pop.v4.example.net pop.v6.example.net port = 110 } inet_listener pop3s { address = pop.v4.example.net pop.v6.example.net port = 995 ssl = yes } } ssl_ca =
Re: [Dovecot] 回复: 2.1.12 - Pigeonhole 0.3.3 build failed: /usr/bin/ld: cannot find -lssl -lcrypto
On Saturday 01 December 2012 08:34:09 Sam DWH wrote: > Did you installed openssh? Well, no, I have installed libssl-dev (Ubuntu Precise). What I have really done is to add the libssl-dev to the dependencies of my dovecot-dev package. This dovecot-dev package is a dependency of my pigeonhole package. Regards, Tobias