Summary: | [PATCH] mail/dovecot2: dovecot/auth hangs when child ntlm_auth crashes while processing an authentication request | ||||||
---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | andriys | ||||
Component: | Individual Port(s) | Assignee: | Adam Weinberger <adamw> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | adamw, pi | ||||
Priority: | --- | Keywords: | patch | ||||
Version: | Latest | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
I'm not sure why this didn't get auto-assigned. Sorry, I would have got on this sooner! A commit references this bug: Author: adamw Date: Sun Apr 30 22:40:01 UTC 2017 New revision: 439854 URL: https://svnweb.freebsd.org/changeset/ports/439854 Log: Add an alread-upstreamed patch to fix dovecot-auth wedging with NTLM authentication. PR: 218693 Submitted by: Andriy Syrovenko Obtained from: https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056 MFH: 2017Q2 Changes: head/mail/dovecot2/Makefile head/mail/dovecot2/files/patch-fix-ntlm_auth Okay so this has been committed to HEAD, and I'll MFH once ports-secteam looks it over. I never merged 2.2.29 to 2017Q2, which I definitely should have, so this is a good opportunity to kill two birds with one stone. A commit references this bug: Author: adamw Date: Mon May 1 00:59:30 UTC 2017 New revision: 439856 URL: https://svnweb.freebsd.org/changeset/ports/439856 Log: MFH: r438222 r438323 r438365 r439618 r439854 This contains updates to both dovecot2 and dovecot2-pigeonhole that fix bugs and, in dovecot2, a CVE. Update dovecot to 2.2.29, and bump PORTREVISION for the plugins. Add a warning to the pkg-message that security.bsd.see_other_uids/gids should not be enabled if dovecot is storing mail for multiple users concurrently (PR 218392, submitted by topical). * passdb/userdb dict: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS (CVE-2017-2669) * When Dovecot encounters an internal error, it logs the real error and usually logs another line saying what function failed. Previously the second log line's error message was a rather uninformative "Internal error occurred. Refer to server log for more information." Now the real error message is duplicated in this second log line. * lmtp: If a delivery has multiple recipients, run autoexpunging only for the last recipient. This avoids a problem where a long autoexpunge run causes LMTP client to timeout between the DATA replies, resulting in duplicate mail deliveries. * config: Don't stop the process due to idling. Otherwise the configuration is reloaded when the process restarts. * mail_log plugin: Differentiate autoexpunges from regular expunges * imapc: Use LOGOUT to cleanly disconnect from server. * lib-http: Internal status codes (>9000) are no longer visible in logs * director: Log vhost count changes and HOST-UP/DOWN + quota: Add plugin { quota_max_mail_size } setting to limit the maximum individual mail size that can be saved. + imapc: Add imapc_features=delay-login. If set, connecting to the remote IMAP server isn't done until it's necessary. + imapc: Add imapc_connection_retry_count and imapc_connection_retry_interval settings. + imap, pop3, indexer-worker: Add (deinit) to process title before autoexpunging runs. + Added %{encrypt} and %{decrypt} variables + imap/pop3 proxy: Log proxy state in errors as human-readable string. + imap/pop3-login: All forward_* extra fields returned by passdb are sent to the next hop when proxying using ID/XCLIENT commands. On the receiving side these fields are imported and sent to auth process where they're accessible via %{passdb:forward_*}. This is done only if the sending IP address matches login_trusted_networks. + imap-login: If imap_id_retain=yes, send the IMAP ID string to auth process. %{client_id} expands to it in auth process. The ID string is also sent to the next hop when proxying. + passdb imap: Use ssl_client_ca_* settings for CA validation. - fts-tika: Fixed crash when parsing attachment without Content-Disposition header. Broken by 2.2.28. (fixed in FreeBSD ports) - trash plugin was broken in 2.2.28 (fixed in FreeBSD ports) - auth: When passdb/userdb lookups were done via auth-workers, too much data was added to auth cache. This could have resulted in wrong replies when using multiple passdbs/userdbs. - auth: passdb { skip & mechanisms } were ignored for the first passdb - oauth2: Various fixes, including fixes to crashes - dsync: Large Sieve scripts (or other large metadata) weren't always synced. - Index rebuild (e.g. doveadm force-resync) set all mails as \Recent - imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix - doveadm: Exit codes weren't preserved when proxying commands via doveadm-server. Almost all errors used exit code 75 (tempfail). - ACLs weren't applied to not-yet-existing autocreated mailboxes. - Fixed a potential crash when parsing a broken message header. - cassandra: Fallback consistency settings weren't working correctly. - doveadm director status <user>: "Initial config" was always empty - imapc: Various reconnection fixes. Upgrade mail/dovecot2-pigeonhole to 0.4.18. Changelog v0.4.18: + imapsieve plugin: Implemented the copy_source_after rule action. When this is enabled for a mailbox rule, the specified Sieve script is executed for the message in the source mailbox during a "COPY" event. This happens only after the Sieve script that is executed for the corresponding message in the destination mailbox finishes running successfully. + imapsieve plugin: Added non-standard Sieve environment items for the source and destination mailbox. - multiscript: The execution of the discard script had an implicit "keep", rather than an implicit "discard". Approved by: adamw (mentor) Differential Revision: https://reviews.freebsd.org/D10366 Update to 2.2.29.1. - imapc reconnection fix was forgotten from 2.2.29 release, which also made "make check" fail in a unit test - dict-sql: Merging multiple UPDATEs to a single statement wasn't actually working. - Fixed building with vpopmail Upon continuing the deferred implicit keep, the implicit side-effects (such as imap flags) were not applied. Obtained from: https://github.com/dovecot/pigeonhole/commit/3e1a17a286ab0e084577fc267a442cb12aed1cbc Approved by: adamw (mentor, implicit) Add an alread-upstreamed patch to fix dovecot-auth wedging with NTLM authentication. PR: 218693 Submitted by: Andriy Syrovenko Obtained from: https://github.com/dovecot/core/commit/a319c3201bff1ea7bae3e7ab1fae42e9c4759056 Approved by: ports-secteam (feld) Changes: _U branches/2017Q2/ branches/2017Q2/mail/dovecot2/Makefile branches/2017Q2/mail/dovecot2/distinfo branches/2017Q2/mail/dovecot2/files/patch-fix-ntlm_auth branches/2017Q2/mail/dovecot2/files/patch-src_plugins_fts_fts-parser-tika.c branches/2017Q2/mail/dovecot2/files/patch-trash_plugin branches/2017Q2/mail/dovecot2/files/pkg-message.in branches/2017Q2/mail/dovecot2/pkg-plist branches/2017Q2/mail/dovecot2-antispam-plugin/Makefile branches/2017Q2/mail/dovecot2-pigeonhole/Makefile branches/2017Q2/mail/dovecot2-pigeonhole/distinfo branches/2017Q2/mail/dovecot2-pigeonhole/files/ MFH is done. Thanks for this, Andriy. |
Created attachment 181830 [details] Patch I use the following lines in my Dovecot configuration to authenticate Active Directory users: auth_use_winbind = yes auth_winbind_helper_path = /usr/local/bin/ntlm_auth The problem is ntlm_auth has started to crash recently, and when it happens the dovecot/auth process hangs, making further authentication attempts impossible (using either authentication method). I'm going to investigate and report the ntlm_auth crashes to Samba team separately. Hanging dovecot/auth process, however, is not something that should be happening anyways. I'm attaching a patch that solves the problem with hanging dovecot/auth process for me. I have already submitted a similar pull-request upstream. I'm reporting it here in a hope that the fix will also find its way into the quarterly branch (the quarter has just begun).