Ludovic Pouzenc
2018-Dec-20 17:09 UTC
Authentication/Penalty disabled (socket mode=0) introduces constant 5 sec delays (2.27 on debian 9)
Hi, I hit a bizare problem with dovecot 2.2.7 on debian 9 with LMTP enabled and auth/penalty disabled as documented here : https://wiki.dovecot.org/Authentication/Penalty Use case : I run a swaks command to send an email to an exim4 that tries to make a callout to dovecot-lmtp. At RCPT TO: swaks hangs 5.0<something-small> seconds then process normally (exim is waiting for callout completion). with strace, I see 5 second delay with many tries to socket connection. (PID 9652 was an auth process freshly forked) [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) [pid 9652] close(14) = 0 [pid 9652] nanosleep({tv_sec=0, tv_nsec=20000000}, NULL) = 0 [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) [pid 9652] close(14) = 0 [pid 9652] nanosleep({tv_sec=0, tv_nsec=50000000}, NULL) = 0 [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) [pid 9652] close(14) = 0 [pid 9652] nanosleep({tv_sec=0, tv_nsec=90000000}, NULL) = 0 with ddd I get to: src/lib-master/anvil-client.c: int anvil_client_connect(struct anvil_client *client, bool retry) { //[...] fd = retry ? net_connect_unix_with_retries(client->path, 5000) : net_connect_unix(client->path); //[...] and retry is forced to TRUE by the caller and net_connect_unix_with_retries retries in case of ECONNREFUSED. How I get into it : ssh -X root at telegraphe-test apt install dovecot-dbg cd /dev/shm apt source dovecot cd dovecot-2.2.27 pidof dovecot ddd /usr/sbin/dovecot set follow-fork-mode child attach 11833 cont # Send an e-mail from swaks to exim that use transport=smtp in LMTP mode to dovecot-lmtp, press interrupt while exim is blocking after RCPT TO: (gdb) bt #0 0x00007f81528af270 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:84 #1 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at ../sysdeps/posix/usleep.c:32 #2 0x00007f815329368e in net_connect_unix_with_retries (path=0x562dc200ce10 <error: Cannot access memory at address 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 #3 0x00007f815320ce0d in anvil_client_connect (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 #4 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 <error: Cannot access memory at address 0x562dc1451846>) at auth-penalty.c:37 #5 0x0000562dc1424166 in main_preinit () at main.c:202 #6 main (argc=<optimized out>, argv=<optimized out>) at main.c:396 (gdb) bt full #1 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at ../sysdeps/posix/usleep.c:32 ts = {tv_sec = 0, tv_nsec = 80000000} #2 0x00007f815329368e in net_connect_unix_with_retries (path=0x562dc200ce10 <error: Cannot access memory at address 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 start = {tv_sec = 1545319486, tv_usec = 241864} now = {tv_sec = 1545319490, tv_usec = 198061} fd = -1 #3 0x00007f815320ce0d in anvil_client_connect (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 fd = <optimized out> __FUNCTION__ = <error reading variable __FUNCTION__ (Cannot access memory at address 0x7f81532a8260)> #4 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 <error: Cannot access memory at address 0x562dc1451846>) at auth-penalty.c:37 No locals. #5 0x0000562dc1424166 in main_preinit () at main.c:202 mod_set = <error reading variable mod_set (Cannot access memory at address 0x7ffda885db80)> #6 main (argc=<optimized out>, argv=<optimized out>) at main.c:396 c = <optimized out> Backtrace stopped: Cannot access memory at address 0x7ffda885dbf8 (gdb) Code I've read : src/auth/main.c: static void main_preinit(void) if (!worker) auth_penalty = auth_penalty_init(AUTH_PENALTY_ANVIL_PATH); auth_request_stats_init(); src/auth/auth-penalty.c: struct auth_penalty *auth_penalty_init(const char *path) if (anvil_client_connect(penalty->client, TRUE) < 0) penalty->disabled = TRUE; else { src/lib-master/anvil-client.c: int anvil_client_connect(struct anvil_client *client, bool retry) fd = retry ? net_connect_unix_with_retries(client->path, 5000) : net_connect_unix(client->path); src/lib/net.c : int net_connect_unix_with_retries(const char *path, unsigned int msecs) { struct timeval start, now; int fd; if (gettimeofday(&start, NULL) < 0) i_panic("gettimeofday() failed: %m"); do { fd = net_connect_unix(path); if (fd != -1 || (errno != EAGAIN && errno != ECONNREFUSED)) // <------------------ HERE, I go into ECONNREFUSED case during 5 seconds break; /* busy. wait for a while. */ usleep(((rand() % 10) + 1) * 10000); if (gettimeofday(&now, NULL) < 0) i_panic("gettimeofday() failed: %m"); } while (timeval_diff_msecs(&now, &start) < (int)msecs); return fd; } Additionnal environment infos (mailboxes are NFS-backed) : lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 9.2 (stretch) Release: 9.2 Codename: stretch mount | grep ^/ /dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered) mount | grep nfs nfs1:/mail/maildir on /var/maildir type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) nfs1:/mail on /var/mail type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) cifs1:/homepermanents/info/lpouzenc on /home/lpouzenc type nfs (rw,nosuid,nodev,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.29,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.29) telegraphe-test:~# apt-cache policy dovecot-core dovecot-core: Install??: 1:2.2.27-3+deb9u2 Candidat?: 1:2.2.27-3+deb9u2 Table de version?: *** 1:2.2.27-3+deb9u2 500 500 http://miroir/debian stretch/main amd64 Packages 500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages 100 /var/lib/dpkg/status telegraphe-test:~# dovecot -n # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) doveconf: Warning: service auth { client_limit=10000 } is lower than required under max. load (10240) # OS: Linux 4.9.0-4-amd64 x86_64 Debian 9.2 nfs auth_verbose = yes default_client_limit = 10000 default_process_limit = 2048 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes mail_debug = yes mail_fsync = always mail_location = maildir:/var/mail/maildir/%u managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext mmap_disable = yes namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix separator = / } passdb { driver = pam } plugin { sieve = file:/var/mail/mailconf/%1u/%u/sieve;active=/var/mail/mailconf/%1u/%u/.dovecot.sieve sieve_before = /var/mail/mailconf/global/sieve/before.d sieve_global = /var/mail/mailconf/global/sieve sieve_vacation_dont_check_recipient = yes } protocols = " imap lmtp sieve sieve" service anvil { unix_listener anvil-auth-penalty { mode = 00 } } service lmtp { inet_listener lmtp { port = 24 } } service managesieve { process_limit = 16 } ssl_cert = </etc/ssl/certs/telegraphe7_cert.pem ssl_key = # hidden, use -P to show it syslog_facility = local0 userdb { driver = passwd } verbose_proctitle = yes protocol lmtp { auth_username_format = %n mail_plugins = " sieve" } protocol imap { mail_max_userip_connections = 20 } Could you see a config tuning that keeps auth-penalty out of the way (it seems to behaves badly here, because we have perdition IMAP proxy in front, and it keeps track only of his IP and adds 2/4/8/15s delays to "random" legit clients. Could it be saved with a dedicated config entry to disable auth-penalty ? Is there solution to have auth-penalty working while having perdition IMAP proxy ? Regards, Ludovic Pouzenc -- Ludovic POUZENC - Ing?nieur Syst?me IMT Mines Albi (http://www.imt-mines-albi.fr) 81013 ALBI CT Cedex 09 - Tel : 05 63 49 33 56 -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20181220/b2942a3b/attachment.html>
Stephan Bosch
2019-Jan-06 19:04 UTC
Authentication/Penalty disabled (socket mode=0) introduces constant 5 sec delays (2.27 on debian 9)
Op 20/12/2018 om 18:09 schreef Ludovic Pouzenc:> Hi, > > I hit a bizare problem with dovecot 2.2.7 on debian 9 with LMTP enabled and auth/penalty disabled as documented here : > https://wiki.dovecot.org/Authentication/Penalty > > Use case : I run a swaks command to send an email to an exim4 that tries to make a callout to dovecot-lmtp. > At RCPT TO: swaks hangs 5.0<something-small> seconds then process normally (exim is waiting for callout completion). > > with strace, I see 5 second delay with many tries to socket connection.The sources confirm this behavior, but only for the first connection attempt (i.e. the first 5 seconds of reconnections), which happens at auth startup (which then takes 5 seconds longer). After that, it will mark auth-penalty as disabled and it will not try connecting to it again. Is that what you're referring to? Regards, Stephan.> > (PID 9652 was an auth process freshly forked) > > [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 > [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) > [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) > [pid 9652] close(14) = 0 > [pid 9652] nanosleep({tv_sec=0, tv_nsec=20000000}, NULL) = 0 > [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 > [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) > [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) > [pid 9652] close(14) = 0 > [pid 9652] nanosleep({tv_sec=0, tv_nsec=50000000}, NULL) = 0 > [pid 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 > [pid 9652] fcntl(14, F_GETFL) = 0x2 (flags O_RDWR) > [pid 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > [pid 9652] connect(14, {sa_family=AF_UNIX, sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection refused) > [pid 9652] close(14) = 0 > [pid 9652] nanosleep({tv_sec=0, tv_nsec=90000000}, NULL) = 0 > > > with ddd I get to: > src/lib-master/anvil-client.c: int anvil_client_connect(struct anvil_client *client, bool retry) { > //[...] > fd = retry ? net_connect_unix_with_retries(client->path, 5000) : net_connect_unix(client->path); > //[...] > > and retry is forced to TRUE by the caller and net_connect_unix_with_retries retries in case of ECONNREFUSED. > > > How I get into it : > > ssh -X root at telegraphe-test > > apt install dovecot-dbg > cd /dev/shm > apt source dovecot > cd dovecot-2.2.27 > pidof dovecot > ddd /usr/sbin/dovecot > set follow-fork-mode child > attach 11833 > cont > > # Send an e-mail from swaks to exim that use transport=smtp in LMTP mode to dovecot-lmtp, press interrupt while exim is blocking after RCPT TO: > > > (gdb) bt > #0 0x00007f81528af270 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:84 > #1 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at ../sysdeps/posix/usleep.c:32 > #2 0x00007f815329368e in net_connect_unix_with_retries (path=0x562dc200ce10 <error: Cannot access memory at address 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 > #3 0x00007f815320ce0d in anvil_client_connect (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 > #4 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 <error: Cannot access memory at address 0x562dc1451846>) at auth-penalty.c:37 > #5 0x0000562dc1424166 in main_preinit () at main.c:202 > #6 main (argc=<optimized out>, argv=<optimized out>) at main.c:396 > > (gdb) bt full > #1 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at ../sysdeps/posix/usleep.c:32 > ts = {tv_sec = 0, tv_nsec = 80000000} > #2 0x00007f815329368e in net_connect_unix_with_retries (path=0x562dc200ce10 <error: Cannot access memory at address 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 > start = {tv_sec = 1545319486, tv_usec = 241864} > now = {tv_sec = 1545319490, tv_usec = 198061} > fd = -1 > #3 0x00007f815320ce0d in anvil_client_connect (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 > fd = <optimized out> > __FUNCTION__ = <error reading variable __FUNCTION__ (Cannot access memory at address 0x7f81532a8260)> > #4 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 <error: Cannot access memory at address 0x562dc1451846>) at auth-penalty.c:37 > No locals. > #5 0x0000562dc1424166 in main_preinit () at main.c:202 > mod_set = <error reading variable mod_set (Cannot access memory at address 0x7ffda885db80)> > #6 main (argc=<optimized out>, argv=<optimized out>) at main.c:396 > c = <optimized out> > Backtrace stopped: Cannot access memory at address 0x7ffda885dbf8 > (gdb) > > Code I've read : > > src/auth/main.c: static void main_preinit(void) > > if (!worker) > auth_penalty = auth_penalty_init(AUTH_PENALTY_ANVIL_PATH); > auth_request_stats_init(); > > src/auth/auth-penalty.c: struct auth_penalty *auth_penalty_init(const char *path) > > if (anvil_client_connect(penalty->client, TRUE) < 0) > penalty->disabled = TRUE; > else { > > src/lib-master/anvil-client.c: int anvil_client_connect(struct anvil_client *client, bool retry) > > fd = retry ? net_connect_unix_with_retries(client->path, 5000) : > net_connect_unix(client->path); > > src/lib/net.c : int net_connect_unix_with_retries(const char *path, unsigned int msecs) { > struct timeval start, now; > int fd; > > if (gettimeofday(&start, NULL) < 0) > i_panic("gettimeofday() failed: %m"); > > do { > fd = net_connect_unix(path); > if (fd != -1 || (errno != EAGAIN && errno != ECONNREFUSED)) // <------------------ HERE, I go into ECONNREFUSED case during 5 seconds > break; > > /* busy. wait for a while. */ > usleep(((rand() % 10) + 1) * 10000); > if (gettimeofday(&now, NULL) < 0) > i_panic("gettimeofday() failed: %m"); > } while (timeval_diff_msecs(&now, &start) < (int)msecs); > return fd; > } > > Additionnal environment infos (mailboxes are NFS-backed) : > > lsb_release -a > No LSB modules are available. > Distributor ID: Debian > Description: Debian GNU/Linux 9.2 (stretch) > Release: 9.2 > Codename: stretch > > > mount | grep ^/ > /dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered) > > mount | grep nfs > nfs1:/mail/maildir on /var/maildir type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) > nfs1:/mail on /var/mail type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) > cifs1:/homepermanents/info/lpouzenc on /home/lpouzenc type nfs (rw,nosuid,nodev,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.29,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.29) > > > > telegraphe-test:~# apt-cache policy dovecot-core > dovecot-core: > Install??: 1:2.2.27-3+deb9u2 > Candidat?: 1:2.2.27-3+deb9u2 > Table de version?: > *** 1:2.2.27-3+deb9u2 500 > 500http://miroir/debian stretch/main amd64 Packages > 500http://security.debian.org/debian-security stretch/updates/main amd64 Packages > 100 /var/lib/dpkg/status > > telegraphe-test:~# dovecot -n > # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.16 (fed8554) > doveconf: Warning: service auth { client_limit=10000 } is lower than required under max. load (10240) > # OS: Linux 4.9.0-4-amd64 x86_64 Debian 9.2 nfs > auth_verbose = yes > default_client_limit = 10000 > default_process_limit = 2048 > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > mail_debug = yes > mail_fsync = always > mail_location = maildir:/var/mail/maildir/%u > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext > mmap_disable = yes > namespace inbox { > inbox = yes > location > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix > separator = / > } > passdb { > driver = pam > } > plugin { > sieve =file:/var/mail/mailconf/%1u/%u/sieve;active=/var/mail/mailconf/%1u/%u/.dovecot.sieve > sieve_before = /var/mail/mailconf/global/sieve/before.d > sieve_global = /var/mail/mailconf/global/sieve > sieve_vacation_dont_check_recipient = yes > } > protocols = " imap lmtp sieve sieve" > service anvil { > unix_listener anvil-auth-penalty { > mode = 00 > } > } > service lmtp { > inet_listener lmtp { > port = 24 > } > } > service managesieve { > process_limit = 16 > } > ssl_cert = </etc/ssl/certs/telegraphe7_cert.pem > ssl_key = # hidden, use -P to show it > syslog_facility = local0 > userdb { > driver = passwd > } > verbose_proctitle = yes > protocol lmtp { > auth_username_format = %n > mail_plugins = " sieve" > } > protocol imap { > mail_max_userip_connections = 20 > } > > > > Could you see a config tuning that keeps auth-penalty out of the way (it seems to behaves badly here, because we have perdition IMAP proxy in front, and it keeps track only of his IP and adds 2/4/8/15s delays to "random" legit clients. > > Could it be saved with a dedicated config entry to disable auth-penalty ? > > Is there solution to have auth-penalty working while having perdition IMAP proxy ? > > Regards, > Ludovic Pouzenc > -- > Ludovic POUZENC - Ing?nieur Syst?me > IMT Mines Albi (http://www.imt-mines-albi.fr) > 81013 ALBI CT Cedex 09 - Tel : 05 63 49 33 56
Ludovic Pouzenc
2019-Jan-08 10:05 UTC
Authentication/Penalty disabled (socket mode=0) introduces constant 5 sec delays (2.27 on debian 9)
Hi, I can confirm that in the bad behavior, the 5 second delay occurs at each AUTH in our case. I think the configuration we have kill auth process at each end of AUTH (and fork a new one for next next AUTH). I think the "disable" flag is local to the process that is killed / respawned. A collegue of mine, Laurent Guerby, has found a workaround for us and it's findings seems very valuable for this ticket. We now know how to not having the troubles in our setup : by manual removing the auth-penalty socket with "rm" (or by rebooting the whole VM because the socket is in a tmpfs). The rm is needed only one time. I think now a clean reproducer of the problem is : (I go through a fairly similar one but not this exact one) * take a vanilla Debian 9 (probably not limited this particular version/distro) * make sure use have non-root local unix user account (adduser testimap for instance) * apt install dovecot-imapd * keep default config (it may need TLS certificate addition, default config make uses of auth-penalty and system auth, don't touch that now) * let it start at least one time (should be already started after install) * try at least 1 auth via IMAP (against a local unix user account * verify that auth-penalty socket exists * check with lsof if some process have opened it o Should see 1 dovecot process * change dovecot config to not use penalty o service anvil { ?? unix_listener anvil-auth-penalty { ???? mode = 00 ?? } } * restart dovecot * check if the auth-penalty socket exists o For me it persists and it seems now to be the root problem * (here you can do anything like dovecot stop / start, dovecot will never remove the auth-penalty socket by itself) * check with lsof if some process have opened it o No process * try at least 2 auth (against a a local unix user account) via IMAP o You should have 5 second penalty twice The socket open retries loop happens if the socket exists but noone "listen" on it. The socket open retries loop don't happen if the socket does not exists at all. (I think there is 1 try, the system returns non existing error, this bails out) Regards, Ludovic On 06/01/2019 20:04, Stephan Bosch wrote:> > Op 20/12/2018 om 18:09 schreef Ludovic Pouzenc: >> Hi, >> >> I hit a bizare problem with dovecot 2.2.7 on debian 9 with LMTP >> enabled and auth/penalty disabled as documented here : >> ? https://wiki.dovecot.org/Authentication/Penalty >> >> Use case : I run a swaks command to send an email to an exim4 that >> tries to make a callout to dovecot-lmtp. >> At RCPT TO: swaks hangs 5.0<something-small> seconds then process >> normally (exim is waiting for callout completion). >> >> with strace, I see 5 second delay with many tries to socket connection. > > The sources confirm this behavior, but only for the first connection > attempt (i.e. the first 5 seconds of reconnections), which happens at > auth startup (which then takes 5 seconds longer). After that, it will > mark auth-penalty as disabled and it will not try connecting to it > again. Is that what you're referring to? > > > Regards, > > Stephan. > > > > >> >> (PID 9652 was an auth process freshly forked) >> >> [pid? 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 >> [pid? 9652] fcntl(14, F_GETFL)????????? = 0x2 (flags O_RDWR) >> [pid? 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 >> [pid? 9652] connect(14, {sa_family=AF_UNIX, >> sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection >> refused) >> [pid? 9652] close(14)?????????????????? = 0 >> [pid? 9652] nanosleep({tv_sec=0, tv_nsec=20000000}, NULL) = 0 >> [pid? 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 >> [pid? 9652] fcntl(14, F_GETFL)????????? = 0x2 (flags O_RDWR) >> [pid? 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 >> [pid? 9652] connect(14, {sa_family=AF_UNIX, >> sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection >> refused) >> [pid? 9652] close(14)?????????????????? = 0 >> [pid? 9652] nanosleep({tv_sec=0, tv_nsec=50000000}, NULL) = 0 >> [pid? 9652] socket(AF_UNIX, SOCK_STREAM, 0) = 14 >> [pid? 9652] fcntl(14, F_GETFL)????????? = 0x2 (flags O_RDWR) >> [pid? 9652] fcntl(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 >> [pid? 9652] connect(14, {sa_family=AF_UNIX, >> sun_path="anvil-auth-penalty"}, 110) = -1 ECONNREFUSED (Connection >> refused) >> [pid? 9652] close(14)?????????????????? = 0 >> [pid? 9652] nanosleep({tv_sec=0, tv_nsec=90000000}, NULL) = 0 >> >> >> with ddd I get to: >> src/lib-master/anvil-client.c: int anvil_client_connect(struct >> anvil_client *client, bool retry) { >> //[...] >> fd = retry ? net_connect_unix_with_retries(client->path, 5000) : >> net_connect_unix(client->path); >> //[...] >> >> and retry is forced to TRUE by the caller and >> net_connect_unix_with_retries retries in case of ECONNREFUSED. >> >> >> How I get into it : >> >> ssh -X root at telegraphe-test >> >> apt install dovecot-dbg >> cd /dev/shm >> apt source dovecot >> cd dovecot-2.2.27 >> pidof dovecot >> ddd /usr/sbin/dovecot >> set follow-fork-mode child >> attach 11833 >> cont >> >> # Send an e-mail from swaks to exim that use transport=smtp in LMTP >> mode to dovecot-lmtp, press interrupt while exim is blocking after >> RCPT TO: >> >> >> (gdb) bt >> #0? 0x00007f81528af270 in __nanosleep_nocancel () at >> ../sysdeps/unix/syscall-template.S:84 >> #1? 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at >> ../sysdeps/posix/usleep.c:32 >> #2? 0x00007f815329368e in net_connect_unix_with_retries >> (path=0x562dc200ce10 <error: Cannot access memory at address >> 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 >> #3? 0x00007f815320ce0d in anvil_client_connect >> (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 >> #4? 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 >> <error: Cannot access memory at address 0x562dc1451846>) at >> auth-penalty.c:37 >> #5? 0x0000562dc1424166 in main_preinit () at main.c:202 >> #6? main (argc=<optimized out>, argv=<optimized out>) at main.c:396 >> >> (gdb) bt full >> #1? 0x00007f81528d8b84 in usleep (useconds=<optimized out>) at >> ../sysdeps/posix/usleep.c:32 >> ???????? ts = {tv_sec = 0, tv_nsec = 80000000} >> #2? 0x00007f815329368e in net_connect_unix_with_retries >> (path=0x562dc200ce10 <error: Cannot access memory at address >> 0x562dc200ce10>, msecs=msecs at entry=5000) at net.c:347 >> ???????? start = {tv_sec = 1545319486, tv_usec = 241864} >> ???????? now = {tv_sec = 1545319490, tv_usec = 198061} >> ???????? fd = -1 >> #3? 0x00007f815320ce0d in anvil_client_connect >> (client=0x562dc200cda0, retry=retry at entry=true) at anvil-client.c:136 >> ???????? fd = <optimized out> >> ???????? __FUNCTION__ = <error reading variable __FUNCTION__ (Cannot >> access memory at address 0x7f81532a8260)> >> #4? 0x0000562dc1429f5d in auth_penalty_init (path=0x562dc1451846 >> <error: Cannot access memory at address 0x562dc1451846>) at >> auth-penalty.c:37 >> No locals. >> #5? 0x0000562dc1424166 in main_preinit () at main.c:202 >> ???????? mod_set = <error reading variable mod_set (Cannot access >> memory at address 0x7ffda885db80)> >> #6? main (argc=<optimized out>, argv=<optimized out>) at main.c:396 >> ???????? c = <optimized out> >> Backtrace stopped: Cannot access memory at address 0x7ffda885dbf8 >> (gdb) >> >> Code I've read : >> >> src/auth/main.c: static void main_preinit(void) >> >> ???????? if (!worker) >> ???????????????? auth_penalty = >> auth_penalty_init(AUTH_PENALTY_ANVIL_PATH); >> ???????? auth_request_stats_init(); >> >> src/auth/auth-penalty.c: struct auth_penalty *auth_penalty_init(const >> char *path) >> >> ???????? if (anvil_client_connect(penalty->client, TRUE) < 0) >> ???????????????? penalty->disabled = TRUE; >> ???????? else { >> >> src/lib-master/anvil-client.c: int anvil_client_connect(struct >> anvil_client *client, bool retry) >> >> ???????? fd = retry ? net_connect_unix_with_retries(client->path, >> 5000) : >> ???????????????? net_connect_unix(client->path); >> >> src/lib/net.c : int net_connect_unix_with_retries(const char *path, >> unsigned int msecs) { >> ???????? struct timeval start, now; >> ???????? int fd; >> ???? ???????? if (gettimeofday(&start, NULL) < 0) >> ???????????????? i_panic("gettimeofday() failed: %m"); >> ???? ???????? do { >> ???????????????? fd = net_connect_unix(path); >> ???????????????? if (fd != -1 || (errno != EAGAIN && errno != >> ECONNREFUSED))? // <------------------ HERE, I go into ECONNREFUSED >> case during 5 seconds >> ???????????????????????? break; >> ???? ???????????????? /* busy. wait for a while. */ >> ???????????????? usleep(((rand() % 10) + 1) * 10000); >> ???????????????? if (gettimeofday(&now, NULL) < 0) >> ???????????????????????? i_panic("gettimeofday() failed: %m"); >> ???????? } while (timeval_diff_msecs(&now, &start) < (int)msecs); >> ???????? return fd; >> } >> >> Additionnal environment infos (mailboxes are NFS-backed) : >> >> lsb_release -a >> No LSB modules are available. >> Distributor ID:??? Debian >> Description:??? Debian GNU/Linux 9.2 (stretch) >> Release:??? 9.2 >> Codename:??? stretch >> >> >> mount | grep ^/ >> /dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered) >> >> mount | grep nfs >> nfs1:/mail/maildir on /var/maildir type nfs >> (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) >> nfs1:/mail on /var/mail type nfs >> (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.28,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.28) >> cifs1:/homepermanents/info/lpouzenc on /home/lpouzenc type nfs >> (rw,nosuid,nodev,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=172.16.2.29,mountvers=3,mountport=635,mountproto=udp,local_lock=none,addr=172.16.2.29) >> >> >> >> telegraphe-test:~# apt-cache policy dovecot-core >> dovecot-core: >> ?? Install??: 1:2.2.27-3+deb9u2 >> ?? Candidat?: 1:2.2.27-3+deb9u2 >> ? Table de version?: >> ? *** 1:2.2.27-3+deb9u2 500 >> ???????? 500http://miroir/debian? stretch/main amd64 Packages >> ???????? 500http://security.debian.org/debian-security >> stretch/updates/main amd64 Packages >> ???????? 100 /var/lib/dpkg/status >> >> telegraphe-test:~# dovecot -n >> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf >> # Pigeonhole version 0.4.16 (fed8554) >> doveconf: Warning: service auth { client_limit=10000 } is lower than >> required under max. load (10240) >> # OS: Linux 4.9.0-4-amd64 x86_64 Debian 9.2 nfs >> auth_verbose = yes >> default_client_limit = 10000 >> default_process_limit = 2048 >> lda_mailbox_autocreate = yes >> lda_mailbox_autosubscribe = yes >> mail_debug = yes >> mail_fsync = always >> mail_location = maildir:/var/mail/maildir/%u >> managesieve_notify_capability = mailto >> managesieve_sieve_capability = fileinto reject envelope >> encoded-character vacation subaddress comparator-i;ascii-numeric >> relational regex imap4flags copy include variables body enotify >> environment mailbox date index ihave duplicate mime foreverypart >> extracttext >> mmap_disable = yes >> namespace inbox { >> ?? inbox = yes >> ?? location >> ?? mailbox Drafts { >> ???? special_use = \Drafts >> ?? } >> ?? mailbox Junk { >> ???? special_use = \Junk >> ?? } >> ?? mailbox Sent { >> ???? special_use = \Sent >> ?? } >> ?? mailbox "Sent Messages" { >> ???? special_use = \Sent >> ?? } >> ?? mailbox Trash { >> ???? special_use = \Trash >> ?? } >> ?? prefix >> ?? separator = / >> } >> passdb { >> ?? driver = pam >> } >> plugin { >> ?? sieve >> =file:/var/mail/mailconf/%1u/%u/sieve;active=/var/mail/mailconf/%1u/%u/.dovecot.sieve >> ?? sieve_before = /var/mail/mailconf/global/sieve/before.d >> ?? sieve_global = /var/mail/mailconf/global/sieve >> ?? sieve_vacation_dont_check_recipient = yes >> } >> protocols = " imap lmtp sieve sieve" >> service anvil { >> ?? unix_listener anvil-auth-penalty { >> ???? mode = 00 >> ?? } >> } >> service lmtp { >> ?? inet_listener lmtp { >> ???? port = 24 >> ?? } >> } >> service managesieve { >> ?? process_limit = 16 >> } >> ssl_cert = </etc/ssl/certs/telegraphe7_cert.pem >> ssl_key =? # hidden, use -P to show it >> syslog_facility = local0 >> userdb { >> ?? driver = passwd >> } >> verbose_proctitle = yes >> protocol lmtp { >> ?? auth_username_format = %n >> ?? mail_plugins = " sieve" >> } >> protocol imap { >> ?? mail_max_userip_connections = 20 >> } >> >> >> >> Could you see a config tuning that keeps auth-penalty out of the way >> (it seems to behaves badly here, because we have perdition IMAP proxy >> in front, and it keeps track only of his IP and adds 2/4/8/15s delays >> to "random" legit clients. >> >> Could it be saved with a dedicated config entry to disable >> auth-penalty ? >> >> Is there solution to have auth-penalty working while having perdition >> IMAP proxy ? >> >> Regards, >> Ludovic Pouzenc >> -- >> Ludovic POUZENC - Ing?nieur Syst?me >> IMT Mines Albi? (http://www.imt-mines-albi.fr) >> 81013 ALBI CT Cedex 09 - Tel : 05 63 49 33 56-- Ludovic POUZENC - Ing?nieur Syst?me IMT Mines Albi (http://www.imt-mines-albi.fr) 81013 ALBI CT Cedex 09 - Tel : 05 63 49 33 56 -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190108/8500768b/attachment-0001.html>
Possibly Parallel Threads
- Authentication/Penalty disabled (socket mode=0) introduces constant 5 sec delays (2.27 on debian 9)
- Authentication/Penalty disabled (socket mode=0) introduces constant 5 sec delays (2.27 on debian 9)
- "sieve: failed to store into mailbox 'Junk': Read-only mbox" over root_squashed NFS, lmtp : euid/egid set and access() don't mix together for me
- dovecot 2.0 vs. SELinux
- 2.2.34 fails to build on OpenBSD