monit-general

Re: Problems with latest dovecot


From: Martin Pala
Subject: Re: Problems with latest dovecot
Date: Mon, 16 Jun 2014 11:03:18 +0200

Hi,

the root cause of the error is that dovecot 2.2.13, if SSL is used, closes 
the connection in response to the LOGOUT command instead of sending the usual 
response. When no SSL is enabled, dovecot responds to the LOGOUT command normally.

The mentioned dovecot 2.2.13 DoS-attack changelog entry doesn't match, as in 
Monit's case the SSL connection is established correctly; Monit gets and checks 
the IMAP greeting and tries to LOGOUT:
--8<--
        * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS
          handshake was started but wasn't finished, the login process
          attempted to eventually forcibly disconnect the client, but failed
          to do it correctly. This could have left the connections hanging
          around for a long time. (Affected Dovecot v1.1+)
--8<--

According to RFC 3501 (http://tools.ietf.org/html/rfc3501), LOGOUT is an any-state 
command, where the server MUST send a response before closing the connection:
http://tools.ietf.org/html/rfc3501#section-3.4

=> the problem is caused by a dovecot 2.2.13 bug ... its behaviour is 
inconsistent (LOGOUT in non-authenticated state works per the RFC requirement if no 
SSL is used and doesn't conform to the RFC if SSL is used). It is possible that the 
problem is related to their DoS-attack modification, which most probably has 
an unexpected side effect.

Regards,
Martin

P.S. The Monit error messages are improved in the development version to make 
the error clearer.



On 15 Jun 2014, at 17:03, Hanno Böck <address@hidden> wrote:

> Hi,
> 
> I recently had some monit alerts on a server when I updated to the
> latest dovecot version 2.2.13 (no such problem with 2.2.9).
> 
> 
> The monit config lines are these:
> check host milch-mailserver with address milch.schokokeks.org
>   if failed host milch.schokokeks.org port 993 type tcpssl sslauto protocol imap for 5 cycles then alert
> 
> I get 
> [CEST Jun 15 16:59:20] debug    : 'milch-mailserver' succeeded connecting to INET[milch.schokokeks.org:993] via TCPSSL
> [CEST Jun 15 16:59:20] error    : 'milch-mailserver' failed protocol test [IMAP] at INET[milch.schokokeks.org:993] via TCPSSL -- IMAP: error receiving data -- Success
> 
> It seems dovecot itself is up and running, this seems to be a monit
> problem to me. The configuration line above is the example from the
> monit wiki, so it should work.
> 
> This only happens for the ssl-ports. If anyone needs to do tests on our
> server milch.schokokeks.org feel free to do so (but I may decide to go
> back to the older dovecot version when I can't resolve this issue soon).
> 
> Dovecot 2.2.13 introduces some new protection against DoS-attacks on
> SSL [1], I assume it may have something to do with that.
> 
> Any help appreciated.
> 
> 
> [1]
> http://news.softpedia.com/news/IMAP-Server-Dovecot-2-2-13-Brings-a-Fix-for-a-Potential-DoS-Attack-Issue-441771.shtml
> 
> cu,
> -- 
> Hanno Böck
> http://hboeck.de/
> 
> mail/jabber: address@hidden
> GPG: BBB51E42
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
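
The conformance point made in the reply above, as an added example that is not part of the original thread and is not Monit's code: a Python check that classifies what a server sends after LOGOUT against RFC 3501 section 6.1.3 (untagged BYE, then tagged OK, then close). The function names, the tag `a1` and the sample transcripts are constructed for illustration.

```python
import socket
import ssl

# Constructed transcripts for illustration (not captured from a real server).
SAMPLE_CONFORMANT = b"* BYE Logging out\r\na1 OK Logout completed.\r\n"
SAMPLE_CLOSED = b""  # peer closed the connection without sending anything


def classify_logout(reply: bytes, tag: str = "a1") -> str:
    """Classify the bytes received after '<tag> LOGOUT' was sent."""
    if not reply:
        return "closed-without-response"
    lines = reply.decode("ascii", "replace").split("\r\n")
    bye_at = next((i for i, l in enumerate(lines)
                   if l.upper().startswith("* BYE")), None)
    tag_at = next((i for i, l in enumerate(lines)
                   if l.startswith(tag + " ")), None)
    if tag_at is None:
        return "bye-only" if bye_at is not None else "no-tagged-response"
    if lines[tag_at].split(" ", 2)[1].upper() != "OK":
        return "logout-rejected"
    if bye_at is None or bye_at > tag_at:
        return "ok-without-preceding-bye"
    return "conformant"


def probe(host: str, port: int = 993, use_tls: bool = True,
          timeout: float = 10.0, tag: str = "a1") -> str:
    """Connect, check the greeting, send LOGOUT and classify the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(
            sock, server_hostname=host)
    with sock:
        if not sock.recv(4096).startswith((b"* OK", b"* PREAUTH")):
            return "bad-greeting"
        sock.sendall(f"{tag} LOGOUT\r\n".encode("ascii"))
        reply = b""
        try:
            while chunk := sock.recv(4096):
                reply += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived before it
        return classify_logout(reply, tag)


if __name__ == "__main__":
    print(classify_logout(SAMPLE_CONFORMANT), classify_logout(SAMPLE_CLOSED))
```

Calling `probe(host, 993)` and `probe(host, 143, use_tls=False)` against a server you operate compares the SSL and non-SSL cases the reply distinguishes.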



