Robert Kudyba
2019-Mar-28 19:31 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
>> On 28 March 2019 16:08 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
>>
>> dovecot-2.3.3-1.fc29.x86_64
>>
>> Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 (http_client_request_unref): assertion failed: (req->refcount > 0)
>> Mar 28 10:04:47 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> /usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> /usr/lib64/dovecot/libdovecot.so.0(+0x51207) [0x7fe76dff1207] -> /usr/lib64/dovecot/libdovecot.so.0(+0x4972b) [0x7fe76dfe972b] -> /usr/lib64/dovecot/libdovecot.so.0(http_client_request_destroy+0x107) [0x7fe76e02cf87] -> /usr/lib64/dovecot/libdovecot.so.0(http_client_deinit+0x4c) [0x7fe76e03b9ec] -> dovecot/auth(auth_policy_deinit+0x1e) [0x55facfdb350e] -> dovecot/auth(main+0x3e1) [0x55facfdae3c1] -> /lib64/libc.so.6(__libc_start_main+0xf3) [0x7fe76dd93413] -> dovecot/auth(_start+0x2e) [0x55facfdae57e]
>> Mar 28 10:04:47 auth: Fatal: master: service(auth): child 31162 killed with signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
>> Mar 28 10:04:48 master: Info: Dovecot v2.3.3 (dcead646b) starting up for imap, pop3
>
> Hi,
>
> this is a known issue as DOV-3019 and we are fixing this. It happens during auth process shutdown if there are pending requests.

Another issue is that the dovecot logs always report the offending URL or IP as what's in /etc/dovecot/conf.d/95-auth.conf, in our case:

auth_policy_server_url = https://ourdomain:8084/

These are HTTP errors in the logs:

Mar 28 09:58:04 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=lmNw8SeFoMl/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=51616 resp=<hidden>
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy request https://ourdomain:8084/?command=allow
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server request JSON: {"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=allow]: Error: 9003 Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=allow]: Submitted (requests left=3)
Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=allow]: Destroy (requests left=3)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=allow]: Free (requests left=2)

So wforce is always recording the "bad" IP as 127.0.0.1 or the FQDN, and not the actual user IP. Is there another place to set this?

Perhaps I have to set this in wforce.conf?
webserver("0.0.0.0:8084", "ourpassword")
Aki Tuomi
2019-Mar-28 19:44 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> On 28 March 2019 21:31 Robert Kudyba <rkudyba@fordham.edu> wrote:
>
> [...]
>
> Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,<lmNw8SeFoMl/AAAB>): Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>
> [...]
>
> So wforce is always recording the "bad" IP as 127.0.0.1 or the FQDN, and not the actual user IP. Is there another place to set this?
>
> Perhaps I have to set this in wforce.conf?
> webserver("0.0.0.0:8084", "ourpassword")

Set

ssl_client_ca_file=/path/to/cacert.pem to validate the certificate

Are you using haproxy or something in front of dovecot?

--- Aki Tuomi
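As an added illustration of the setting named in this reply (not configuration from the thread; the CA path, header value and trusted network are placeholders), here is the policy-server block as it fails in the logs above next to a version that can verify the wforce certificate. ssl_client_ca_file holds the CA that issued the policy server's certificate, which is a different thing from the ssl_cert/ssl_key pair Dovecot presents to its own IMAP clients.

```conf
# /etc/dovecot/conf.d/95-auth.conf (added example, not the poster's file)

# --- As logged in the thread: HTTPS policy URL with no trust anchor ---
# With no ssl_client_ca_file/ssl_client_ca_dir the auth process cannot
# build an SSL context, so every policy request fails with
# "Can't verify remote server certs without trusted CAs" and the login
# is never checked against wforce.
#auth_policy_server_url = https://ourdomain:8084/

# --- Corrected: give the HTTP client a trust anchor for the wforce cert ---
auth_policy_server_url = https://ourdomain:8084/
# CA that *issued* the wforce server certificate (placeholder path).
# Not Dovecot's own ssl_cert/ssl_key, which it serves to IMAP clients.
ssl_client_ca_file = /etc/ssl/wforce-ca.pem
# Keep verification on (the default); an unverified policy server could
# be impersonated and answer "allow" for every login.
ssl_client_require_valid_cert = yes
# wforce's webserver("0.0.0.0:8084", "ourpassword") expects HTTP basic
# auth; the value is base64("<user>:ourpassword") (placeholder).
auth_policy_server_api_header = Authorization: Basic <base64 of user:ourpassword>
# Secret mixed into the pwhash field of the request JSON (placeholder).
auth_policy_hash_nonce = <random-secret>

# Second issue in the thread ("remote":"127.0.0.1"): the webmail host on
# localhost is what connects to IMAP, so that is the IP the policy sees.
# login_trusted_networks lets a listed host forward the real client IP
# via the IMAP ID command; this assumes the webmail actually sends it.
login_trusted_networks = 127.0.0.1
```

After changing the CA file, `doveadm reload` and watch for the "Policy server HTTP error" line to disappear from the auth debug log; the "remote" field in the request JSON shows which IP wforce is being told about.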
Robert Kudyba
2019-Mar-28 19:52 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set
>
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate

Can this be the Let's Encrypt cert that we already have? In other words we have:

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Can those be used?

> Are you using haproxy or something in front of dovecot?

No. Just Squirrelmail webmail with sendmail.