On 06/08/2019 06:46, Aki Tuomi via dovecot wrote:> > On 2.8.2019 13.45, James via dovecot wrote: >> My auth process is dumping core. This happens several times per day...> There is an easy fix for this, attached.Patch applied; no core dump in 24 hours. This appears to have fixed the problem. I found that it crashed when the policy server responded too quickly. As the before and after auth command=allow request are the same I cache the first, leading to a fast second response. Removing the cache (nginx proxy_cache ...) must change the timings and circumvented the crash. Why use both check before and after auth? roundcube webmail reports an error with only auth_policy_check_before_auth. I cannot see why. The simple and lazy solution is to use double auth_policy_check_! Thank you Aki for looking at this and finding a solution so quickly.
On 7.8.2019 11.51, James via dovecot wrote:> On 06/08/2019 06:46, Aki Tuomi via dovecot wrote: >> >> On 2.8.2019 13.45, James via dovecot wrote: >>> My auth process is dumping core.? This happens several times per day > ... > >> There is an easy fix for this, attached. > > Patch applied; no core dump in 24 hours. > > This appears to have fixed the problem.? I found that it crashed when > the policy server responded too quickly.? As the before and after auth > command=allow request are the same I cache the first, leading to a > fast second response.? Removing the cache (nginx proxy_cache ...) must > change the timings and circumvented the crash.? Why use both check > before and after auth?? roundcube webmail reports an error with only > auth_policy_check_before_auth.? I cannot see why.? The simple and lazy > solution is to use double auth_policy_check_! > > Thank you Aki for looking at this and finding a solution so quickly.The double-check is for places which want to implement something like COS or want to perform validations in policy server *after* we know the user identity. The first check is done before we even know if the user or the credential(s) are valid. Aki
On 07/08/2019 11:02, Aki Tuomi via dovecot wrote:>> before and after auth? roundcube webmail reports an error with only >> auth_policy_check_before_auth. I cannot see why. The simple and lazy >> solution is to use double auth_policy_check_!...> The double-check is for places which want to implement something like > COS or want to perform validations in policy server *after* we know the > user identity. The first check is done before we even know if the user > or the credential(s) are valid.I can see why both before and after are options. My more simplistic policy does not need both. I perform whitelist, blacklist, geo and greylist and do not cross reference these with the user. I can't see why roundcubemail fails without both. The IMAP exchange with roundcubemail should not be aware of the policy server. I was spending [wasting] too much time on looking for an answer and gave up.