Frank Bonnet
2009-Jan-14 15:28 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
Hello

I noticed a problem after upgrading to 1.1.8

Users that access their mailboxes using webmail squirrelmail and HTTPS
using HTTP seems to work correctly but it is not safe enough ...

There is an error message saying the imap server sent a BYE command ...

I downgraded our Dovecot server to 1.1.7 then it works again ...

Does somebody have the same problem ?

--
Regards
Frank Bonnet
ESIEE Paris
Tom Hendrikx
2009-Jan-14 15:42 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
Frank Bonnet wrote:
> Hello
>
> I noticed a problem after upgrading to 1.1.8
>
> Users that access their mailboxes using webmail squirrelmail and HTTPS
> using HTTP seems to work correctly but it is not safe enough ...
>
> There is an error message saying the imap server sent a BYE command ...
>
> I downgraded our Dovecot server to 1.1.7 then it works again ...
>
> Does somebody have the same problem ?

Communication between Dovecot and Squirrelmail has nothing to do with communication between Squirrelmail/Apache and the end user. Did you also upgrade Squirrelmail or its config files in the process?
Timo Sirainen
2009-Jan-14 16:03 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
On Wed, 2009-01-14 at 16:28 +0100, Frank Bonnet wrote:
> Hello
>
> I noticed a problem after upgrading to 1.1.8
>
> Users that access their mailboxes using webmail squirrelmail and HTTPS
> using HTTP seems to work correctly but it is not safe enough ...
>
> There is an error message saying the imap server sent a BYE command ...
>
> I downgraded our Dovecot server to 1.1.7 then it works again ...

Like Tom said, the http vs https difference shouldn't be visible to Dovecot. Anyway do you see any errors in Dovecot's log files? http://wiki.dovecot.org/Logging
Frank Bonnet
2009-Jan-14 16:49 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
Timo Sirainen wrote:
> On Wed, 2009-01-14 at 16:28 +0100, Frank Bonnet wrote:
>> Hello
>>
>> I noticed a problem after upgrading to 1.1.8
>>
>> Users that access their mailboxes using webmail squirrelmail and HTTPS
>> using HTTP seems to work correctly but it is not safe enough ...
>>
>> There is an error message saying the imap server sent a BYE command ...
>>
>> I downgraded our Dovecot server to 1.1.7 then it works again ...
>
> Like Tom said, the http vs https difference shouldn't be visible to
> Dovecot. Anyway do you see any errors in Dovecot's log files?
> http://wiki.dovecot.org/Logging
>

I KNOW all of this ... but that happens.

I'll carefully read the logfiles tomorrow then tell what I find.
Frank Bonnet
2009-Jan-15 15:25 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
Timo Sirainen wrote:
> On Wed, 2009-01-14 at 16:28 +0100, Frank Bonnet wrote:
>> Hello
>>
>> I noticed a problem after upgrading to 1.1.8
>>
>> Users that access their mailboxes using webmail squirrelmail and HTTPS
>> using HTTP seems to work correctly but it is not safe enough ...
>>
>> There is an error message saying the imap server sent a BYE command ...
>>
>> I downgraded our Dovecot server to 1.1.7 then it works again ...
>
> Like Tom said, the http vs https difference shouldn't be visible to
> Dovecot. Anyway do you see any errors in Dovecot's log files?
> http://wiki.dovecot.org/Logging
>

Well ... I apologize !

I finally found the problem but it sounds a bit strange.

I had to increase the max_mail_processes to 8192
to have a functional IMAP server with normal clients AND
squirrelmail clients.

8192 sounds enormous to me , any info welcome !

The machine runs Debian etch 64 bits , dovecot has been re-compiled
on the machine. It is an IBM X3650 with 7Gb of RAM.
Frank Bonnet
2009-Jan-26 15:45 UTC
[Dovecot] troubles with 1.1.8 and squirrelmail over HTTPS
Hello Jack

Setting up imapproxy on a third machine greatly improved performance
on my mailhub, which doesn't refuse connections anymore.

Thanks a lot for your help !

Frank

Jack Stewart wrote:
>
> Frank Bonnet wrote:
>> Timo Sirainen wrote:
>>> On Thu, 2009-01-15 at 16:25 +0100, Frank Bonnet wrote:
>>>> I had to increase the max_mail_processes to 8192
>>>> to have a functional IMAP server with normal clients AND
>>>> squirrelmail clients
>>>>
>>>> 8192 sounds enormous to me , any info welcome !
>>>
>>> How many imap processes have you running typically?
>>>
>>
>
> Hi,
>
> I don't know if this will help or not - I'm taking my comments offline
> because it isn't clear if they are related to your core problem. Also,
> they seem to be specific to high usage servers/people.
>
> We're not 1.1.8 yet but I've spent a reasonable amount of time tweaking
> the Linux side.
>
> We run at about ~1300 processes per server.
>
> Squirrelmail does a login/logout on every single page that is clicked.
> So I've found that running an imap proxy (such as the one at
> imapproxy.org) really helps. It creates some additional connections but
> they get re-used pretty frequently.
>
> If 1.1.8 isn't logging out quickly, or not cleanly shutting down the
> connection, or something similar, that could explain additional
> connections. What does netstat -an show? On some O/S's the process will
> disappear from ps but not be fully released until the socket/connection
> disappears (in this case tcp). If you have a bunch of WAIT/FIN_WAIT's
> something like this seems pretty likely.
>
> I've found that going through localhost allows you to bypass TLS while
> still enforcing TLS for non-localhost connections. It's pretty nice for
> overhead/connect speed. Also, an imap proxy may need a non-encrypted
> connection.
>
> Besides the dovecot max_ ... settings, in our system you need to tweak
> limits.conf and bump up the limits via the ulimit command in the dovecot
> init script. Open file descriptors and process limits seem to be the
> main settings.
>
> After this, you get into kernel tuning such as inotify settings.
>
> Let me know if you have any questions. If some of this helps, we might
> want to feed it back into the list.
>
> ---Jack
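
The `netstat -an` check suggested in the quoted reply above, as an added example that is not part of the original thread: it counts TCP states on the IMAP port, so a pile-up of TIME_WAIT/FIN_WAIT sockets left by Squirrelmail's login/logout on every page stands out. The function names, the default port 143 and the sample netstat output are assumptions made for this illustration; the sample is constructed.

```shell
#!/bin/sh
# Summarise TCP connection states for one local port from `netstat -an`
# output read on stdin. Prints "STATE count" lines, highest count first.
imap_state_summary() {
    port="${1:-143}"    # assumed default: plain IMAP port
    awk -v port="$port" '
        # TCP rows: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && NF >= 6 {
            # The port is the last ":" or "." separated field of the local
            # address (covers 192.0.2.10:143, :::143 and BSD 192.0.2.10.143).
            n = split($4, a, /[:.]/)
            if (a[n] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort -k2,2nr -k1,1
}

# Number of sockets on the port in any *WAIT* state (TIME_WAIT, FIN_WAIT1/2,
# CLOSE_WAIT): connections that are gone from ps but not yet released.
lingering_count() {
    imap_state_summary "${1:-143}" |
        awk '$1 ~ /WAIT/ { n += $2 } END { print n + 0 }'
}

# Constructed sample in Linux `netstat -an` layout (documentation addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:143          192.0.2.20:51012        ESTABLISHED
tcp        0      0 192.0.2.10:143          192.0.2.20:51013        TIME_WAIT
tcp        0      0 192.0.2.10:143          192.0.2.20:51014        TIME_WAIT
tcp        0      0 192.0.2.10:143          192.0.2.20:51015        FIN_WAIT2
tcp        0      0 192.0.2.10:993          192.0.2.30:40100        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a live server: netstat -an | imap_state_summary
sample_netstat | imap_state_summary 143
```

Comparing the count of established sockets with the number of running imap processes shows whether the process limit is being consumed by live sessions or by short-lived webmail logins.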