dovecot - Feb 2015 - Dovecot 2.1.7 random login fails

From: Dario Meloni <mellon85 at gmail.com>
Subject: Dovecot 2.1.7 intermittent login issues
Newsgroups: gmane.mail.imap.dovecot
X-Draft-Attribution: 
X-Draft-Attribution-Author: 
X-Draft-Attribution-Date: 
X-Draft-Attribution-Id: 
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hello,

Dovecot version 2.1.7, running in a debian:stable docker container.

I am having a weird issues with dovecot failing randomly sometimes with 
pop3 sometimes with imap but only in case of SSL for example from the 
logs I can see this:

Feb 17 07:48:32 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 
write session ticket A [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 
write change cipher spec A [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 
write finished A [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 
flush data [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL: where=0x20, ret=1: SSL 
negotiation finished successfully [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL: where=0x2002, ret=1: SSL 
negotiation finished successfully [172.17.2.5]
Feb 17 07:48:32 imap-login: Warning: SSL alert: where=0x4008, ret=256: 
warning close notify [172.17.2.5]
Feb 17 07:48:32 pop3-login: Fatal: read(ssl-params) failed: Permission 
denied



and from the debug log:

Feb 17 07:48:32 auth: Debug: auth client connected (pid=21)
Feb 17 07:48:32 auth: Debug: client in: AUTH    1       PLAIN   
service=pop3    session=[REDACTED]        lip=172.17.2.11 rip=172.17.2.5  
lport=110       rport=38967     resp=[REDACTED]
Feb 17 07:48:32 auth-worker(16): Debug: pam(test,172.17.2.5): lookup 
service=dovecot
Feb 17 07:48:32 auth-worker(16): Debug: pam(test,172.17.2.5): #1/1 
style=1 msg=Password:
Feb 17 07:48:32 auth: Debug: client out: OK     1       user=test
Feb 17 07:48:32 auth: Debug: master in: REQUEST 951582721       21      
1       1fb51b26a3656db28fa3d333bd7568a4
Feb 17 07:48:32 auth: Debug: passwd(test,172.17.2.5,[REDACTED]): lookup
Feb 17 07:48:32 auth: Debug: master out: USER   951582721       test    
system_groups_user=test uid=1000        gid=8   home=/home/test
Feb 17 07:48:32 pop3(test): Debug: Effective uid=1000, gid=8, home=/home/
test
Feb 17 07:48:32 pop3(test): Debug: Namespace inbox: type=private, 
prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes 
location=mbox:~/mail:INBOX=/var/mail/test
Feb 17 07:48:32 pop3(test): Debug: fs: root=/home/test/mail, index=, 
control=, inbox=/var/mail/test, altFeb 17 07:48:32 pop3(test): Debug: Namespace
: Using permissions from /
home/test/mail: mode=0700 gid=-1
Feb 17 07:48:32 auth: Debug: auth client connected (pid=23)


I checked in the code and found that the issue is from ssl-params.c 
apparently not being able to read from a file descriptor that it already 
opened...

Any idea?

On Tue, 17 Feb 2015 10:17:21 +0000, Dario Meloni wrote:

> Dovecot version 2.1.7, running in a debian:stable docker container.
[..]

I also tried using the backport packages and I have the same issues on 
version 2.2.13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 17 Feb 2015, Dario Meloni wrote:
> Feb 17 07:48:32 pop3-login: Fatal: read(ssl-params) failed: Permission
> denied
>
> I checked in the code and found that the issue is from ssl-params.c
> apparently not being able to read from a file descriptor that it already
> opened...
did you've verified that the file exists and has a reasonable file size?

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVOQ14Hz1H7kL/d9rAQICRAf/fX8WD3zgwdae+U2IH/PHkbiEuIcFrSjh
nqtjpBQ8zcKLfGpVV13+okJ+Yt0uQDGXLoXmwrDuQD0IGZKwpFxAJXzZn1xzG7GM
kma3jtUE5Jw//eTk2e3dLCsnYPU8XA8/pi5zYzpgITtScAA3LitLApT4uGfgLtMD
GHZlxVxryHrRllYlkO8gECeuBBaDwpPHGz6cgImReTrHk1OEAoc61TOlamPxbIR/
PEWrEoohUNqbXY81qsdqtyrRbzmHWpMcJlFT6JvaCIXIZgFzbmIayE54klYSfSqh
J9etOQz/gKdwT1QXT4w6DeVJUbvCTNGv6ZNT+CYDBVr7+DhpnTBjmg==krXV
-----END PGP SIGNATURE-----

On Wed, 18 Feb 2015 07:49:04 +0100, Steffen Kaiser wrote:
 
> did you've verified that the file exists and has a reasonable file
size?
The file in question is actually a unix socket that I guess is used to 
refresh the SSL data from the main privileged process.
I don't know which process is actually logging the error, but the ssl-
params file is root owned and is readable and writable by everyone.