Bug 218693

Summary: [PATCH] mail/dovecot2: dovecot/auth hangs when child ntlm_auth crashes while processing an authentication request
Product: Ports & Packages
Reporter: andriys
Component: Individual Port(s)
Assignee: Adam Weinberger <adamw>
Status: Closed FIXED
Severity: Affects Some People
CC: adamw, pi
Priority: ---
Keywords: patch
Version: Latest
Hardware: Any
OS: Any
Attachments: Patch (flags: none)

Description andriys 2017-04-16 22:44:59 UTC
Created attachment 181830: Patch

I use the following lines in my Dovecot configuration to authenticate Active Directory users:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/local/bin/ntlm_auth

The problem is that ntlm_auth has started to crash recently, and when that happens the dovecot/auth process hangs, making further authentication attempts impossible (using either authentication method). I'm going to investigate and report the ntlm_auth crashes to the Samba team separately. A hanging dovecot/auth process, however, is not something that should be happening anyway.

I'm attaching a patch that solves the problem with the hanging dovecot/auth process for me.

I have already submitted a similar pull request upstream. I'm reporting it here in the hope that the fix will also find its way into the quarterly branch (the quarter has just begun).
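The failure mode described in this report, as an added example that is not Dovecot's or Samba's code: a front-end hands one request to a helper child over pipes and, if the child dies before answering, treats the EOF on the reply pipe as a failed request and reaps the child, rather than waiting forever for a reply. The helper is a constructed stand-in for ntlm_auth, and the two-letter AF/BH reply lines are modelled on the squid-style line protocol that ntlm_auth speaks; they are illustrative, not a reproduction of either project's code.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum helper_result { HELPER_OK = 0, HELPER_REJECTED = 1, HELPER_DIED = 2 };

/* Constructed stand-in for ntlm_auth: reads one request line, then either
 * answers with a squid-style "AF"/"BH" line or dies without answering. */
static void simulated_helper(int crash_on_request)
{
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL) _exit(1);
    if (crash_on_request) raise(SIGKILL);   /* "crash" mid-request: no reply ever */
    fputs(strncmp(line, "KK ", 3) == 0 ? "AF user\n" : "BH bad request\n", stdout);
    fflush(stdout);
    _exit(0);
}

/* Front-end side. Holding no copy of the helper's stdout write end means the
 * helper's death shows up as EOF on read(), which fails this request instead
 * of hanging; the child is reaped so the helper can be respawned next time. */
int query_helper(int crash_on_request, const char *request)
{
    int to_child[2], from_child[2], status;
    char reply[256]; ssize_t n; pid_t pid;
    if (pipe(to_child) < 0 || pipe(from_child) < 0 || (pid = fork()) < 0)
        return HELPER_DIED;
    if (pid == 0) {                         /* child: wire pipes to stdio */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        simulated_helper(crash_on_request);
    }
    close(to_child[0]); close(from_child[1]);
    signal(SIGPIPE, SIG_IGN);           /* a dead helper must not kill us */
    if (write(to_child[1], request, strlen(request)) < 0)
        n = 0;                          /* helper already gone: treat as EOF */
    else
        n = read(from_child[0], reply, sizeof reply - 1);
    close(to_child[1]); close(from_child[0]);
    waitpid(pid, &status, 0);           /* reap, leave no zombie */
    if (n <= 0 || WIFSIGNALED(status))
        return HELPER_DIED;             /* EOF before a reply: helper died */
    reply[n] = '\0';
    return strncmp(reply, "AF ", 3) == 0 ? HELPER_OK : HELPER_REJECTED;
}
```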
Comment 1 Adam Weinberger 2017-04-30 22:34:14 UTC
I'm not sure why this didn't get auto-assigned. Sorry, I would have got on this sooner!
Comment 2 commit-hook 2017-04-30 22:40:56 UTC
A commit references this bug:

Author: adamw
Date: Sun Apr 30 22:40:01 UTC 2017
New revision: 439854
URL: https://svnweb.freebsd.org/changeset/ports/439854

Log:
  Add an already-upstreamed patch to fix dovecot-auth wedging with
  NTLM authentication.

  PR:		218693
  Submitted by:	Andriy Syrovenko
  Obtained from:	https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056
  MFH:		2017Q2

Changes:
  head/mail/dovecot2/Makefile
  head/mail/dovecot2/files/patch-fix-ntlm_auth
Comment 3 Adam Weinberger 2017-04-30 22:44:27 UTC
Okay so this has been committed to HEAD, and I'll MFH once ports-secteam looks it over. I never merged 2.2.29 to 2017Q2, which I definitely should have, so this is a good opportunity to kill two birds with one stone.
Comment 4 commit-hook 2017-05-01 00:59:45 UTC
A commit references this bug:

Author: adamw
Date: Mon May  1 00:59:30 UTC 2017
New revision: 439856
URL: https://svnweb.freebsd.org/changeset/ports/439856

Log:
  MFH: r438222 r438323 r438365 r439618 r439854

  This contains updates to both dovecot2 and dovecot2-pigeonhole that
  fix bugs and, in dovecot2, a CVE.

  Update dovecot to 2.2.29, and bump PORTREVISION for the plugins. Add a
  warning to the pkg-message that security.bsd.see_other_uids/gids should
  not be enabled if dovecot is storing mail for multiple users concurrently
  (PR 218392, submitted by topical).

   * passdb/userdb dict: Don't double-expand %variables in keys. If dict
     was used as the authentication passdb, using specially crafted
     %variables in the username could be used to cause DoS (CVE-2017-2669)
   * When Dovecot encounters an internal error, it logs the real error and
     usually logs another line saying what function failed. Previously the
     second log line's error message was a rather uninformative "Internal
     error occurred. Refer to server log for more information." Now the
     real error message is duplicated in this second log line.
   * lmtp: If a delivery has multiple recipients, run autoexpunging only
     for the last recipient. This avoids a problem where a long
     autoexpunge run causes LMTP client to timeout between the DATA
     replies, resulting in duplicate mail deliveries.
   * config: Don't stop the process due to idling. Otherwise the
     configuration is reloaded when the process restarts.
   * mail_log plugin: Differentiate autoexpunges from regular expunges
   * imapc: Use LOGOUT to cleanly disconnect from server.
   * lib-http: Internal status codes (>9000) are no longer visible in logs
   * director: Log vhost count changes and HOST-UP/DOWN

   + quota: Add plugin { quota_max_mail_size } setting to limit the
     maximum individual mail size that can be saved.
   + imapc: Add imapc_features=delay-login. If set, connecting to the
     remote IMAP server isn't done until it's necessary.
   + imapc: Add imapc_connection_retry_count and
     imapc_connection_retry_interval settings.
   + imap, pop3, indexer-worker: Add (deinit) to process title before
     autoexpunging runs.
   + Added %{encrypt} and %{decrypt} variables
   + imap/pop3 proxy: Log proxy state in errors as human-readable string.
   + imap/pop3-login: All forward_* extra fields returned by passdb are
     sent to the next hop when proxying using ID/XCLIENT commands. On the
     receiving side these fields are imported and sent to auth process
     where they're accessible via %{passdb:forward_*}. This is done only
     if the sending IP address matches login_trusted_networks.
   + imap-login: If imap_id_retain=yes, send the IMAP ID string to
     auth process. %{client_id} expands to it in auth process. The ID
     string is also sent to the next hop when proxying.
   + passdb imap: Use ssl_client_ca_* settings for CA validation.
   - fts-tika: Fixed crash when parsing attachment without
     Content-Disposition header. Broken by 2.2.28. (fixed in FreeBSD ports)
   - trash plugin was broken in 2.2.28 (fixed in FreeBSD ports)
   - auth: When passdb/userdb lookups were done via auth-workers, too much
     data was added to auth cache. This could have resulted in wrong
     replies when using multiple passdbs/userdbs.
   - auth: passdb { skip & mechanisms } were ignored for the first passdb
   - oauth2: Various fixes, including fixes to crashes
   - dsync: Large Sieve scripts (or other large metadata) weren't always
     synced.
   - Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
   - imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
   - doveadm: Exit codes weren't preserved when proxying commands via
     doveadm-server. Almost all errors used exit code 75 (tempfail).
   - ACLs weren't applied to not-yet-existing autocreated mailboxes.
   - Fixed a potential crash when parsing a broken message header.
   - cassandra: Fallback consistency settings weren't working correctly.
   - doveadm director status <user>: "Initial config" was always empty
   - imapc: Various reconnection fixes.

  Upgrade mail/dovecot2-pigeonhole to 0.4.18.

  Changelog v0.4.18:

  + imapsieve plugin: Implemented the copy_source_after rule action. When
    this is enabled for a mailbox rule, the specified Sieve script is
    executed for the message in the source mailbox during a "COPY" event.
    This happens only after the Sieve script that is executed for the
    corresponding message in the destination mailbox finishes running
    successfully.
  + imapsieve plugin: Added non-standard Sieve environment items for the
    source and destination mailbox.
  - multiscript: The execution of the discard script had an implicit
    "keep", rather than an implicit "discard".

  Approved by:	adamw (mentor)
  Differential Revision:	https://reviews.freebsd.org/D10366

  Update to 2.2.29.1.

    - imapc reconnection fix was forgotten from 2.2.29 release, which also
      made "make check" fail in a unit test
    - dict-sql: Merging multiple UPDATEs to a single statement wasn't
      actually working.
    - Fixed building with vpopmail

  Upon continuing the deferred implicit keep, the implicit side-effects
  (such as imap flags) were not applied.

  Obtained from:	https://github.com/dovecot/pigeonhole/commit/3e1a17a286ab0e084577fc267a442cb12aed1cbc
  Approved by: adamw (mentor, implicit)

  Add an already-upstreamed patch to fix dovecot-auth wedging with
  NTLM authentication.

  PR:		218693
  Submitted by:	Andriy Syrovenko
  Obtained from:	https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q2/
  branches/2017Q2/mail/dovecot2/Makefile
  branches/2017Q2/mail/dovecot2/distinfo
  branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth
  branches/2017Q2/mail/dovecot2/files/patch-src_plugins_fts_fts-parser-tika.c
  branches/2017Q2/mail/dovecot2/files/patch-trash_plugin
  branches/2017Q2/mail/dovecot2/files/pkg-message.in
  branches/2017Q2/mail/dovecot2/pkg-plist
  branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile
  branches/2017Q2/mail/dovecot2-pigeonhole/Makefile
  branches/2017Q2/mail/dovecot2-pigeonhole/distinfo
  branches/2017Q2/mail/dovecot2-pigeonhole/files/
Comment 5 Adam Weinberger 2017-05-01 01:10:42 UTC
MFH is done. Thanks for this, Andriy.