‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> > On 10 April 2019 23:13 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tuomi at open-xchange.com wrote:
> >
> > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tuomi at open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > > > > > =========================================================================
> > > > > > dsync(foobar at example.com): Error: imapc(foobar.example.com:993): dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer
> > > > >
> > > > > This is dovecot's internal dns-client, and something goes wrong when talking to the service.
> > > > >
> > > > > > dsync(foobar at example.com): Error: Failed to initialize user: imapc: Login to foobar.example.com failed: Disconnected from server
> > > > >
> > > > > This is btw dsync service, not imap service.
> > > > >
> > > > > > ==
> > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > But then surely the second message would not appear if the DNS lookup was not successful ?
> > > > > > Also "dig foobar.example.com" works fine.
> > > > > > How should I be troubleshooting this ? And if it is still likely to be AppArmor, what is calling it ? "doveadm" itself or something else ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls like everyone else ?
> > > > >
> > > > > Because the "standard OS call" is blocking and we would prefer it to not block everything else.
> > > > >
> > > > > > So many questions !
> > > > >
> > > > > Aki
> > > >
> > > > Thanks for your reply, but both those messages are generated from a simple :
> > > > doveadm -v -o mail_fsync=never backup -R -u foobar at example.com imapc:
> > > > So I don't know what you mean about dsync service failing ? Surely the DNS lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > > > I'm still none the wiser as to where to start looking for troubleshooting ?
> > >
> > > Did you check dovecot logs? Maybe there is something useful?
> > > Aki
> >
> > Only the same old cryptic message about dns-client ?
> > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
>
> Something prevents executing the dns-client binary.
>
> > master: Error: service(dns_client): command startup failed, throttling for 16 secs
> > dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 (exec() failed)
>
> Aki

Yes but is it being called by doveadm directly or by some other dovecot program ? If I'm going to have to go down the AppArmor route, then I would prefer if you told me what was calling it instead of me having to unnecessarily spend time doing straces !

Also, should I be able to call dns-client directly myself ? (or is there a way to do so to enable testing ?)

# /usr/lib/dovecot/dns-client
Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xd879e) [0x7f582c65f79e]
  -> /usr/lib64/dovecot/libdovecot.so.0(+0xd87e1) [0x7f582c65f7e1]
  -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f582c5c9024]
  -> /usr/lib64/dovecot/libdovecot.so.0(+0xf045c) [0x7f582c67745c]
  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x36) [0x7f582c679e96]
  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x4c) [0x7f582c6786ec]
  -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f582c678908]
  -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f582c5ee203]
  -> /usr/lib/dovecot/dns-client(main+0x8d) [0x55866c96050d]
  -> /lib64/libc.so.6(__libc_start_main+0xea) [0x7f582c1edf4a]
  -> /usr/lib/dovecot/dns-client(_start+0x2a) [0x55866c96055a]

> On 10 April 2019 23:56 Laura Smith via dovecot <dovecot@dovecot.org> wrote:
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
>
> > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
> > >
> > > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tuomi@open-xchange.com wrote:
> > > > >
> > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > > > > > =========================================================================
> > > > > > > dsync(foobar@example.com): Error: imapc(foobar.example.com:993): dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer
> > > > > >
> > > > > > This is dovecot's internal dns-client, and something goes wrong when talking to the service.
> > > > > >
> > > > > > > dsync(foobar@example.com): Error: Failed to initialize user: imapc: Login to foobar.example.com failed: Disconnected from server
> > > > > >
> > > > > > This is btw dsync service, not imap service.
> > > > > >
> > > > > > > ==
> > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > But then surely the second message would not appear if the DNS lookup was not successful ?
> > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > How should I be troubleshooting this ? And if it is still likely to be AppArmor, what is calling it ? "doveadm" itself or something else ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls like everyone else ?
> > > > > >
> > > > > > Because the "standard OS call" is blocking and we would prefer it to not block everything else.
> > > > > >
> > > > > > > So many questions !
> > > > > >
> > > > > > Aki
> > > > >
> > > > > Thanks for your reply, but both those messages are generated from a simple :
> > > > > doveadm -v -o mail_fsync=never backup -R -u foobar@example.com imapc:
> > > > > So I don't know what you mean about dsync service failing ? Surely the DNS lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > > > > I'm still none the wiser as to where to start looking for troubleshooting ?
> > > >
> > > > Did you check dovecot logs? Maybe there is something useful?
> > > > Aki
> > >
> > > Only the same old cryptic message about dns-client ?
> > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
> >
> > Something prevents executing the dns-client binary.
> >
> > > master: Error: service(dns_client): command startup failed, throttling for 16 secs
> > > dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 (exec() failed)
> >
> > Aki
>
> Yes but is it being called by doveadm directly or by some other dovecot program ? If I'm going to have to go down the AppArmor route, then I would prefer if you told me what was calling it instead of me having to unnecessarily spend time doing straces !
>
> Also, should I be able to call dns-client directly myself ? (or is there a way to do so to enable testing ?)

It is started by dovecot's master process when you connect to dns-client unix socket. You can try

socat stdio unix-connect:/var/run/dovecot/dns-client

I thought apparmor tells when something is blocked into kernel log? Have you checked dmesg?

Apologies for your frustration.
---
Aki Tuomi

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:

> > On 10 April 2019 23:56 Laura Smith via dovecot <dovecot at dovecot.org> wrote:
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> >
> > > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > > > Sent with ProtonMail Secure Email.
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tuomi at open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tuomi at open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot at dovecot.org wrote:
> > > > > > > > =========================================================================
> > > > > > > > dsync(foobar at example.com): Error: imapc(foobar.example.com:993): dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer
> > > > > > >
> > > > > > > This is dovecot's internal dns-client, and something goes wrong when talking to the service.
> > > > > > >
> > > > > > > > dsync(foobar at example.com): Error: Failed to initialize user: imapc: Login to foobar.example.com failed: Disconnected from server
> > > > > > >
> > > > > > > This is btw dsync service, not imap service.
> > > > > > >
> > > > > > > > ==
> > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > But then surely the second message would not appear if the DNS lookup was not successful ?
> > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > How should I be troubleshooting this ? And if it is still likely to be AppArmor, what is calling it ? "doveadm" itself or something else ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls like everyone else ?
> > > > > > >
> > > > > > > Because the "standard OS call" is blocking and we would prefer it to not block everything else.
> > > > > > >
> > > > > > > > So many questions !
> > > > > > >
> > > > > > > Aki
> > > > > >
> > > > > > Thanks for your reply, but both those messages are generated from a simple :
> > > > > > doveadm -v -o mail_fsync=never backup -R -u foobar at example.com imapc:
> > > > > > So I don't know what you mean about dsync service failing ? Surely the DNS lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > > > > > I'm still none the wiser as to where to start looking for troubleshooting ?
> > > > >
> > > > > Did you check dovecot logs? Maybe there is something useful?
> > > > > Aki
> > > >
> > > > Only the same old cryptic message about dns-client ?
> > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
> > >
> > > Something prevents executing the dns-client binary.
> > >
> > > > master: Error: service(dns_client): command startup failed, throttling for 16 secs
> > > > dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 (exec() failed)
> > >
> > > Aki
> >
> > Yes but is it being called by doveadm directly or by some other dovecot program ? If I'm going to have to go down the AppArmor route, then I would prefer if you told me what was calling it instead of me having to unnecessarily spend time doing straces !
> >
> > Also, should I be able to call dns-client directly myself ? (or is there a way to do so to enable testing ?)
>
> It is started by dovecot's master process when you connect to dns-client unix socket. You can try
>
> socat stdio unix-connect:/var/run/dovecot/dns-client
>
> I thought apparmor tells when something is blocked into kernel log? Have you checked dmesg?
>
> Apologies for your frustration.
> ---

Yeah nothing in dmesg. I'm still hunting around to find some log somewhere but so far silence.

"socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns nothing. Is that expected ?

When you say "dovecot's master process", so doveadm sync talks to the master process ? So in terms of apparmor I would therefore be looking at /usr/sbin/dovecot ?

If that's the case, the relevant apparmor permissions are already provided :

  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
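
An added example, not part of the thread and not Dovecot or AppArmor code: a simplified matcher for AppArmor file rules, applied to the two rules quoted above, to show which paths and access modes they cover. It assumes plain `PATH PERMS,` lines with `*`, `**`, `?` and `{a,b}` globs only (includes, `deny` rules and profile transitions are ignored), and the function names are hypothetical.

```python
import re

def glob_to_regex(glob):
    """Simplified AppArmor path glob -> regex (supports *, **, ?, {a,b})."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            n = 2 if glob.startswith("**", i) else 1
            body = "." if n == 2 else "[^/]"      # only ** may cross '/'
            # A wildcard forming a whole path component must match something,
            # so /dir/** does not match /dir/ itself.
            whole = glob[i - 1:i] == "/" and glob[i + n:i + n + 1] in ("", "/")
            out.append(("[^/]" + body + "*") if whole else body + "*")
            i += n
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def parse_rules(text):
    """Collect (regex, perms) from lines of the form 'PATH PERMS,'."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            rules.append((glob_to_regex(parts[0]), parts[1]))
    return rules

def granted(rules, path):
    """Union of permission letters over every rule that matches path."""
    return set().union(*(p.lower() for rx, p in rules if rx.fullmatch(path)))

def covers(rules, path, need):
    """'x' in need is met by any exec mode (ix, px, ux): all contain x."""
    return set(need) <= granted(rules, path)

# Input copied from the message above: the two rules it quotes.
RULES = parse_rules("/{,var/}run/dovecot/ rw,\n/{,var/}run/dovecot/** rw,")

if __name__ == "__main__":
    for path, need in [("/var/run/dovecot/dns-client", "rw"),
                       ("/usr/lib/dovecot/dns-client", "x")]:
        print(path, need, covers(RULES, path, need))
```

The two quoted rules cover read/write on the socket path under `/run/dovecot/` and `/var/run/dovecot/`, but neither matches `/usr/lib/dovecot/dns-client`, the path named in the `execv(...)` error. Whether the profile in use has an exec rule for that binary elsewhere is not shown in the thread.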