View Issue Details

IDProjectCategoryView StatusLast Update
0005175SOGoBackend Mailpublic2020-09-27 01:00
Reporterzhb Assigned To 
PriorityhighSeverityminorReproducibilityalways
Status newResolutionopen 
Summary0005175: tlsVerifyMode=allowInsecureLocalhost for IMAP service may have some serious issue
Description

Dear developers,

The "tlsVerifyMode=allowInsecureLocalhost" setting used in SMTP/IMAP/Sieve server address is great, but while running in production, i found it may have some serious issue with the IMAP service:

SOGoIMAPServer = "imap://127.0.0.1:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";

Running sogo for a while with this setting, SOGo will become unstable and not able to access mailbox, and produced error like below:

Sep 15 14:27:51 sogod [30092]: [ERROR] <0x55f4888aff30[SOGoMailAccount]:0> Could not connect IMAP4
Sep 15 14:27:51 sogod [30092]: 112.202.238.14 "POST /SOGo/so/<email>/Mail/0/folderINBOX/view HTTP/1.0" 500 72/126 0.007 - - -
Sep 15 14:27:51 sogod [30091]: 112.202.238.14 "GET /SOGo/so/<email>/Calendar/alarmslist?browserTime=1600151270 HTTP/1.0" 200 63/0 0.007 - - -
2020-09-15 14:27:52.053 sogod[30091:30091] -[NSProcessInfo(misc) procStatDictionary]: couldn't scan /proc-info ...
Sep 15 14:27:52 sogod [30091]: [ERROR] <0x0x55f488570e00[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=<email>, pwd=yes
  url=imaps://<email>@127.0.0.1/?tls=YES&tlsVerifyMode=allowInsecureLocalhost
  base=(null)
  base-class=(null))
  = <0x0x55f4891a9e60[NGImap4Client]: login=<email>(pwd) address=<0x0x55f48a3036e0[NGInternetSocketAddress]: host=127.0.0.1 not-filled>>
Sep 15 14:27:52 sogod [30091]: <0x55f48a659aa0[SOGoMailAccount]:0> renewing imap4 password
Sep 15 14:27:52 sogod [30091]: [ERROR] <0x0x55f488570e00[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=<emal>, pwd=yes
  url=imaps://<email>@127.0.0.1/?tls=YES&tlsVerifyMode=allowInsecureLocalhost
  base=(null)
  base-class=(null))

Could you please help check the issue?

This issue was reported by 2 of my clients as private issues: #5166, #5171. You may be able to find more log in those tickets.

TagsNo tags attached.

Activities

zhb

zhb

2020-09-24 21:50

reporter   ~0014832

Additional info:

  • Revert SOGoIMAPServer to smtp://127.0.0.1:143 fixes the issue. IMAP server is Dovecot.
  • MySQL/MariaDB server is running well on same server, Postfix/Dovecot are configured to query SQL server too, both working fine when issue occurs in SOGo.
zhb

zhb

2020-09-24 21:50

reporter   ~0014833

hi @the_nic, could you help check this issue too? :)

the_nic

the_nic

2020-09-25 02:43

reporter   ~0014840

Sure, I can have a look, but the logs would be helpful for me, too I suppose. Do you have more Information available?

Other than that I'd suspect a resource leak (like file descriptors) to be causing this.

zhb

zhb

2020-09-25 06:07

reporter   ~0014842

No more info yet.

If you keep SOGo running with SOGoIMAPServer = "imap://127.0.0.1:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";, the more IMAP commands it operates, the sooner it occurs.
I guess SOGoSMTPServer and SOGoSieveServer have same issue with tlsVerifyMode=allowInsecureLocalhost enabled, but no enough smtp + sieve commands to produce the issue sooner than IMAP, so SOGo has issue with IMAP first.

On 3rd client of mine, he runs a server with 64GB RAM, but not a lot traffic, SOGo had same issue + error log after upgraded to SOGo v5 with the tlsVerifyMode=allowInsecureLocalhost enabled for SMTP+IMAP+Sieve, Amavisd-new + Postfix + Dovecot produced "Too many files open" error at the same time. Reverting just SOGoIMAPServer to old setting with tlsVerifyMode=allowInsecureLocalhost fixes the issue. So it looks like SOGo didn't free used file descriptors and caused the issue.

zhb

zhb

2020-09-25 06:09

reporter   ~0014843

Typo in my previous reply, it should be "Reverting just SOGoIMAPServer to old setting withOUT tlsVerifyMode=allowInsecureLocalhost fixes the issue."

the_nic

the_nic

2020-09-25 06:25

reporter   ~0014845

Is this build using OpenSSL or GnuTLS? And what versions? What other OS information is there? Does it happen with imaps aswell?

zhb

zhb

2020-09-25 07:44

reporter   ~0014848

hi @the_nic,

  • Not sure it's openssl or gnutls, we use official nightly builds: http://packages.inverse.ca/SOGo/nightly/5/
  • The latest nightly build.
  • Didn't try imaps yet, all 3 servers used smtp://127.0.0.1:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost.
the_nic

the_nic

2020-09-26 14:09

reporter   ~0014851

@zhb This fix might help. Can you try this out: https://github.com/inverse-inc/sope/pull/60

zhb

zhb

2020-09-27 01:00

reporter   ~0014852

Dear @the_nic,

Thank you very much for helping.
I have to wait for next nightly build and test it later. Will keep you informed. :)

Issue History

Date Modified Username Field Change
2020-09-24 21:48 zhb New Issue
2020-09-24 21:50 zhb Note Added: 0014832
2020-09-24 21:50 zhb Note Added: 0014833
2020-09-25 02:43 the_nic Note Added: 0014840
2020-09-25 06:07 zhb Note Added: 0014842
2020-09-25 06:09 zhb Note Added: 0014843
2020-09-25 06:25 the_nic Note Added: 0014845
2020-09-25 07:44 zhb Note Added: 0014848
2020-09-26 14:09 the_nic Note Added: 0014851
2020-09-27 01:00 zhb Note Added: 0014852