Teodor Milkov
2011-Feb-07 21:15 UTC
[Dovecot] vpopmail passdb deadlock if tcprules binary is missing
Hello,

I've just found that if vpopmail is compiled with --enable-roaming-users=y, but the tcprules binary is missing, there is a kind of denial-of-service situation, which is not very obvious to debug.

I know this is the result of misconfiguration and I suppose this is more of a vpopmail() bug, but it is somewhat hard to debug and causes greater harm to dovecot's long-running auth process than to vpopmail's short-lived vchkpw process.

Symptoms
--------

Login to dovecot imap takes a very long time. There are auth processes in D state:

    USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
    root      9873  0.0  0.0  2884 1396 ?   D    14:04 0:00 dovecot/auth -w
    root     11292  0.0  0.0  2884 1396 ?   S    14:25 0:00  \_ dovecot/auth -w

Cause
-----

When a new user has to be authenticated from vpopmail, the sequence of events goes something like this:

* The libexec/dovecot/auth -w process is doing the authentication (passdb-vpopmail.c).
* passdb-vpopmail.c: at some point the user is authenticated and open_smtp_relay() is called.
* vpopmail.c: open_smtp_relay() gets a write lock on ~vpopmail/etc/open-smtp.lock, adds the new IP to ~vpopmail/etc/open-smtp and calls update_rules() etc. to rebuild the tcp.cdb file.
* vpopmail.c: tcprules_open() is called and it fork()s and tries to execv() tcprules.
* If tcprules is not found, execv() fails silently, and we are left with a forked libexec/dovecot/auth instance, which runs all over again up to the open_smtp_relay() point, where it tries to obtain a write lock on ~vpopmail/etc/open-smtp.lock again (it is already locked by the parent).

Hope this helps someone.
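
The failure mode described in the post above, as an added C example that is not vpopmail or Dovecot code: a fork/exec wrapper whose child calls _exit() when execv() fails, so it cannot carry on as a second copy of the caller and block on a lock the parent already holds. The function name run_helper and the path /nonexistent/bin/tcprules are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the helper at `path` (hypothetical wrapper, not vpopmail's API).
 * Returns the helper's exit status, 127 if it could not be executed,
 * or -1 if fork/wait failed or the helper was killed by a signal. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        /* Only reached when execv() failed (e.g. binary missing).
         * Leave at once with _exit(): returning here would let this
         * copy of the caller keep running the caller's code and try
         * to take the lock that its parent still holds. */
        _exit(127);
    }
    /* Parent: reap the child so the failure is visible to the caller. */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed path standing in for a missing tcprules binary. */
    char *const argv[] = { "tcprules", NULL };
    int rc = run_helper("/nonexistent/bin/tcprules", argv);

    if (rc == 127)
        fprintf(stderr, "helper missing or not executable; rules not rebuilt\n");
    return rc == 127 ? 0 : 1;
}
```

With this shape the caller gets 127 back and can log the missing binary and release its lock, instead of leaving an auth process stuck in D state.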