monit-general

Re: Problems with latest dovecot


From: Martin Pala
Subject: Re: Problems with latest dovecot
Date: Mon, 16 Jun 2014 11:23:25 +0200

Yes, one thing ... you can work around the test error by removing the "protocol 
imap" option ... that will do only a generic TCP connection test with no IMAP 
protocol-specific test (greeting verification + logout).

On the Monit side we could in theory skip the logout response check in the IMAP test, 
but as explained (RFC) I think it's a dovecot 2.2.13 bug, so the error report is a real 
issue.

Regards,
Martin


On 16 Jun 2014, at 11:03, Martin Pala <address@hidden> wrote:

> Hi,
> 
> the root cause of the error is that dovecot 2.2.13 closes the connection if 
> SSL is used in response to the LOGOUT command instead of sending the usual response. 
> When SSL is not enabled, dovecot responds to the LOGOUT command normally.
> 
> The mentioned dovecot 2.2.13 DoS-attack changelog entry doesn't match, as in 
> Monit's case the SSL connection is established correctly, Monit gets and 
> checks the IMAP greeting and tries to LOGOUT:
> --8<--
>       * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS
>         handshake was started but wasn't finished, the login process
>         attempted to eventually forcibly disconnect the client, but failed
>         to do it correctly. This could have left the connections hanging
>         around for a long time. (Affected Dovecot v1.1+)
> --8<--
> 
> According to RFC 3501 (http://tools.ietf.org/html/rfc3501), LOGOUT is 
> any-state command, where the server MUST send response before closing the 
> connection:
> http://tools.ietf.org/html/rfc3501#section-3.4
> 
> => the problem is caused by a dovecot 2.2.13 bug ... its behaviour is 
> inconsistent (LOGOUT in the non-authenticated state works per the RFC requirement if 
> no SSL is used and doesn't conform to the RFC if SSL is used). It is possible 
> that the problem is related to their DoS-attack modification, which most 
> probably has an unexpected side-effect.
> 
> Regards,
> Martin
> 
> P.S. the Monit error messages are improved in the development version to make 
> the error more clear 
> 
> 
> 
> On 15 Jun 2014, at 17:03, Hanno Böck <address@hidden> wrote:
> 
>> Hi,
>> 
>> I recently had some monit alerts on a server when I updated to the
>> latest dovecot version 2.2.13 (no such problem with 2.2.9).
>> 
>> 
>> The monit config lines are these:
>> 
>>   check host milch-mailserver with address milch.schokokeks.org
>>     if failed host milch.schokokeks.org port 993 type tcpssl sslauto protocol imap for 5 cycles then alert
>> 
>> I get 
>> 
>>   [CEST Jun 15 16:59:20] debug    : 'milch-mailserver' succeeded connecting to INET[milch.schokokeks.org:993] via TCPSSL
>>   [CEST Jun 15 16:59:20] error    : 'milch-mailserver' failed protocol test [IMAP] at INET[milch.schokokeks.org:993] via TCPSSL -- IMAP: error receiving data -- Success
>> 
>> It seems dovecot itself is up and running, this seems to be a monit
>> problem to me. The configuration line above is the example from the
>> monit wiki, so it should work.
>> 
>> This only happens for the ssl-ports. If anyone needs to do tests on our
>> server milch.schokokeks.org feel free to do so (but I may decide to go
>> back to the older dovecot version when I can't resolve this issue soon).
>> 
>> Dovecot 2.2.13 introduces some new protection against DoS-attacks on
>> SSL [1], I assume it may have something to do with that.
>> 
>> Any help appreciated.
>> 
>> 
>> [1]
>> http://news.softpedia.com/news/IMAP-Server-Dovecot-2-2-13-Brings-a-Fix-for-a-Potential-DoS-Attack-Issue-441771.shtml
>> 
>> cu,
>> -- 
>> Hanno Böck
>> http://hboeck.de/
>> 
>> mail/jabber: address@hidden
>> GPG: BBB51E42
>> --
>> To unsubscribe:
>> https://lists.nongnu.org/mailman/listinfo/monit-general
> 
> 
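The thread turns on one question: after Monit sends LOGOUT, does the server answer (untagged BYE plus a tagged OK, as RFC 3501 section 3.4 requires) or does it just drop the connection? The script below is an added example written for this page; it is not Monit's own IMAP test code and not part of dovecot. It performs the same greeting-plus-LOGOUT exchange Martin describes, but reports an EOF before the tagged reply as an explicit RFC violation instead of a generic receive error. Assumptions not taken from the thread: the tag string `a001`, the requirement that BYE precede the tagged OK (that is the RFC wording, not necessarily what Monit checks), and the `ScriptedConn` transcripts, which are constructed test data, not captured dovecot output.

```python
"""Reproduce an IMAPS greeting + LOGOUT check and classify how the server ends it."""
import socket
import ssl
from typing import List, Tuple

TAG = b"a001"  # tag prefixed to the LOGOUT command; any alphanumeric string works


class ScriptedConn:
    """Constructed, in-memory stand-in for a server socket (test data, not real traffic).

    Serves the scripted lines one per readline() call, records everything the
    client sends, and returns b"" once the script is exhausted, which is exactly
    how a peer that has closed the connection looks to a blocking read.
    """

    def __init__(self, lines: List[bytes]):
        self._lines = list(lines)
        self.sent: List[bytes] = []

    def readline(self) -> bytes:
        return self._lines.pop(0) if self._lines else b""

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)


class TlsConn:
    """Adapter exposing readline()/sendall() over a live ssl.SSLSocket."""

    def __init__(self, tls: ssl.SSLSocket):
        self._tls = tls
        self._reader = tls.makefile("rb")

    def readline(self) -> bytes:
        return self._reader.readline()

    def sendall(self, data: bytes) -> None:
        self._tls.sendall(data)


def imap_check(conn) -> Tuple[bool, str]:
    """Greeting + LOGOUT test in the spirit of Monit's 'protocol imap' option.

    Applies the RFC 3501 section 3.4 rule: after LOGOUT the server MUST send an
    untagged BYE and a tagged OK before closing. An EOF anywhere before that
    tagged OK is reported as the server's fault, not as a generic receive error.
    """
    greeting = conn.readline()
    if greeting == b"":
        return False, "connection closed before any IMAP greeting"
    if not (greeting.startswith(b"* OK") or greeting.startswith(b"* PREAUTH")):
        return False, "unexpected IMAP greeting: %r" % greeting

    conn.sendall(TAG + b" LOGOUT\r\n")
    saw_bye = False
    while True:
        line = conn.readline()
        if line == b"":
            if saw_bye:
                return False, "server sent BYE but closed before the tagged LOGOUT reply (RFC 3501 3.4)"
            return False, "server closed the connection without answering LOGOUT (RFC 3501 3.4)"
        if line.startswith(b"* BYE"):
            saw_bye = True
        elif line.startswith(TAG + b" "):
            status = line[len(TAG) + 1:].strip().split(b" ", 1)[0].upper()
            if status == b"OK" and saw_bye:
                return True, "greeting and LOGOUT completed per RFC 3501"
            if status == b"OK":
                return False, "tagged OK without the mandatory untagged BYE"
            return False, "LOGOUT rejected: %r" % line
        # any other untagged line (e.g. "* CAPABILITY ...") is ignored


def connect_and_check(host: str, port: int = 993, timeout: float = 10.0) -> Tuple[bool, str]:
    """Run imap_check() against a live IMAPS server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return imap_check(TlsConn(tls))


if __name__ == "__main__":
    import sys

    ok, why = connect_and_check(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print("OK" if ok else "FAIL", "-", why)
```

Run it as `python3 imap_logout_check.py mail.example.org` (hostname assumed) against a 2.2.13 server with and without SSL to see the inconsistency Martin describes: the plain-TCP variant would need the TLS wrapping removed from `connect_and_check`. The `-- Success` at the end of Hanno's log line is consistent with a receive call that returned 0 bytes on an orderly close and left errno at 0, which is the same EOF this script names explicitly. Dropping `protocol imap` from the Monit rule, as suggested above, amounts to stopping after the TCP/TLS handshake and never sending LOGOUT at all.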



