Dear all,

A lot of doveadm commands (e.g. backup/sync, deduplicate, mailbox) support a `-S` (a.k.a. `socket-path`) argument that allows running the command remotely. Unfortunately, I think that there is a bug in the handling of the TLS configuration for this feature.

After a bit of debugging, I think it's simply due to doveadm_mail_server_user_get_host (https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server.c#L179) bailing out too quickly. It's used by doveadm_mail_server_user (https://github.com/dovecot/core/blob/master/src/doveadm/doveadm-mail-server.c#L286) to set its `user`, `host`, `hostip`, `port` and `ssl_flags`. When doveadm_port is not set (or set to 0):

- `user` is set to `input->username`: OK
- `host` is set to `ctx->set->doveadm_socket_path` (the content of the `-S` option): OK
- `hostip` is not set: OK (later on, the `host` is used in that case)
- `port` is set to 0: this is OK, as when the `hostip` (or rather the `server->ip` later in the code) is not set, this is only the default; the port is extracted from the `host` (or rather `server->name`)
- `ssl_flags` is not modified: this is not OK as there is nothing else modifying it!

Bailing out just a few lines later (as in https://patch-diff.githubusercontent.com/raw/dovecot/core/pull/145.patch) fixes the issue for me.

To reproduce the issue, with dovecot-2.3.11.3-4, you will need two systems, A & B: A needs to have dovecot configured and port 9091 open in its firewall for B. B just needs dovecot to be installed.

- Testing without TLS:
  - Add the following to A's dovecot configuration (and reload it):
    ```
    service doveadm {
      inet_listener {
        port = 9091
      }
    }
    doveadm_password=VeryRandomString
    ```
  - On B, create a file X containing (only):
    ```
    doveadm_password=VeryRandomString
    ```
  - On B, running `doveadm -c X mailbox list -u ${existing_user} -S ${A}:9091` should return the mailbox list
- Switching to TLS:
  - Replace what was added to A's dovecot configuration (and reload it) with:
    ```
    service doveadm {
      inet_listener {
        port = 9091
        ssl = yes
      }
    }
    doveadm_password=VeryRandomString
    doveadm_ssl = ssl # Not strictly required
    ```
  - On B, create a file Y containing (only):
    ```
    doveadm_password=VeryRandomString
    doveadm_ssl=yes
    ```
  - On B, running `doveadm -c Y mailbox list -u ${existing_user} -S ${A}:9091` will not work.
  - On A, you should see in the logs: `dovecot[16435]: doveadm(${B}): Error: SSL handshake failed: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol`

Applying the patch mentioned above makes the 2nd case work.

What do you think?

Cheers,
Vincent
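An added illustration, not part of the original post and not Dovecot's code: a small Python model of the `doveadm_port == 0` branch described above, with and without the early return, showing that the buggy path never writes `ssl_flags` and so ends up connecting in plaintext to a TLS-only listener even though `doveadm_ssl` is set. The `Ctx`/`ServerUser` names, the `fixed` switch and the string form of `ssl_flags` are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical, simplified model of the doveadm_port == 0 branch described
# in the post. It is NOT Dovecot's code; field and function names are assumed.


@dataclass
class Ctx:
    username: str
    doveadm_socket_path: str   # value of -S, e.g. "A:9091"
    doveadm_port: int          # 0 when the setting is absent
    doveadm_ssl: str           # assumed values: "no", "ssl", "starttls"


@dataclass
class ServerUser:
    user: str = ""
    host: str = ""
    hostip: Optional[str] = None
    port: int = 0
    ssl_flags: Optional[str] = None   # None means "never written"


def get_host(ctx: Ctx, fixed: bool) -> ServerUser:
    """Fill in the connection parameters for the remote doveadm server.

    fixed=False returns as soon as doveadm_port == 0 is seen, so ssl_flags
    is never written (the reported bug). fixed=True sets ssl_flags first.
    """
    su = ServerUser(user=ctx.username)
    if ctx.doveadm_port == 0:
        su.host = ctx.doveadm_socket_path   # "host:port", split later
        su.hostip = None                    # host name is used instead
        su.port = 0                         # only a default, see endpoint()
        if not fixed:
            return su                       # bug: ssl_flags left untouched
        su.ssl_flags = ctx.doveadm_ssl
        return su
    raise NotImplementedError("only the doveadm_port == 0 branch is modelled")


def endpoint(su: ServerUser) -> Tuple[str, int, bool]:
    """Return (host, port, use_tls) as the client would actually connect.

    With hostip unset the port comes from the host:port string, and TLS is
    only used when ssl_flags was actually set to "ssl".
    """
    host, sep, port = su.host.rpartition(":")
    if su.hostip is None and sep and port.isdigit():
        return host, int(port), su.ssl_flags == "ssl"
    return su.hostip or su.host, su.port, su.ssl_flags == "ssl"
```

Running the model with `doveadm_ssl = "ssl"` and `-S A:9091` gives a plaintext connection on the buggy path and a TLS connection on the fixed one, which matches the "unknown protocol" handshake error seen on A.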