‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot
<dovecot@dovecot.org> wrote:
> On 11/04/2019 00:51, Laura Smith via dovecot wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi
> > > > aki.tu...@open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 23:56 Laura Smith via dovecot <
> > > > > > dovecot@dovecot.org> wrote:
> > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <
> > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi
> > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > ==========================================================================
> > > > > > > > > > > > dsync( foo...@example.com): Error:
> > > > > > > > > > > > imapc(foobar.example.com:993):
> > > > > > > > > > > > dns_lookup(foobar.example.com) failed:
> > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed:
> > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > This is dovecot's internal dns-client, and something
> > > > > > > > > > > > goes wrong when talking to the service.
> > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to initialize
> > > > > > > > > > > > user: imapc: Login to foobar.example.com failed:
> > > > > > > > > > > > Disconnected from server
> > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > ===============================================================================================================================================================================================================================================================================================================================================================================================================================================================================
> > > > > > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > > > > > But then surely the second message would not appear if
> > > > > > > > > > > > the DNS lookup was not successful ?
> > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > How should I be troubleshooting this ? And if it is
> > > > > > > > > > > > still likely to be AppArmor, what is calling it ?
> > > > > > > > > > > > "doveadm" itself or something else ? What does
> > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't
> > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > > > > Because the "standard OS call" is blocking and we would
> > > > > > > > > > > > prefer it to not block everything else.
> > > > > > > > > > > > So many questions !
> > > > > > > > > > > > Aki
> > > > > > > > > > > > Thanks for your reply, but both those message are
> > > > > > > > > > > > generated from a simple :
> > > > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u
> > > > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > > > So I don't know what you mean about dsync service
> > > > > > > > > > > > failing ? Surely the DNS lookup succeeded if the 'dsync
> > > > > > > > > > > > service' failed due to remote disconnect ?
> > > > > > > > > > > > I'm still none the wiser as to where to start looking
> > > > > > > > > > > > for troubleshoting ?
> > > > > > > > > > > > Did you check dovecot logs? Maybe there is something
> > > > > > > > > > > > useful?
> > > > > > > > > > > > Aki
> > > > > > > > > > > > Only the same old cryptic message about dns-client ?
> > > > > > > > > > > > master: Fatal: execv(/usr/lib/dovecot/dns-client)
> > > > > > > > > > > > failed: Permission denied
> > > > > > > > > > > > Something prevents executing the dns-client binary.
> > > > > > > > > > > > master: Error: service(dns_client): command startup
> > > > > > > > > > > > failed, throttling for 16 secs
> > > > > > > > > > > > dns_client: Fatal: master: service(dns_client): child
> > > > > > > > > > > > 14293 returned error 84 (exec() failed)
> > > > > > > > > > > > Aki
> > > > > > > > > > > > Yes but is it being called by doveadm directly or by
> > > > > > > > > > > > some other dovecot program ? If I'm going to have to go
> > > > > > > > > > > > down the AppArmor route, then I would prefer if you
> > > > > > > > > > > > told me what was calling it instead of me having to
> > > > > > > > > > > > un-necessarily spend time doing straces !
> > > > > > > > > > > > Also, should I be able to call dns-client directly
> > > > > > > > > > > > myself ? (or is there a way to do so to enable testing ?
> > > > > > > > > > > > It is started by dovecot's master process when you
> > > > > > > > > > > > connect to dns-client unix socket. You can try
> > > > > > > > > > > > socat stdio unix-connect:/var/run/dovecot/dns-client
> > > > > > > > > > > > I thought apparmor tells when something is blocked into
> > > > > > > > > > > > kernel log? have you checked dmesg?
> > > > >
> > > > > Apologies for your frustration.
> > > >
> > > > Yeah nothing in dmesg. I'm still hunting around to find some log
> > > > somewhere but so far silence.
> > > > "socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns
> > > > nothing. Is that expected ?
> > > > When you say "dovecot's master process", so doveadm sync talks to the
> > > > master process ? So in terms of apparmor I would therefore be looking
> > > > at /usr/sbin/dovecot ? If that's the case, the relevant apparmor
> > > > permisssions are already provided :
> > > > /{,var/}run/dovecot/ rw,
> > > > /{,var/}run/dovecot/** rw,
> > > > Laura
> > >
> > > Do the above apparmor settings give permission to dovecot to execute
> > > /usr/lib/dovecot/dns-client, assuming that the user under which dovecot
> > > is running already has file system permissions to do that?
> > > John
> >
> > John,
> > Here's the definitive answer to your question (and anyone else thinking of
> > pointing the finger at apparmor):
> > foo:/home/foo # sudo systemctl stop apparmor
> > foo:/home/foo # doveadm -v -o mail_fsync=never backup -R -u
> > foo...@example.com imapc:
> > dsync(foo...@example.com): Error: imapc(foobar.example.com:993):
> > dns_lookup(foobar.example.com) failed: DNS lookup timed out
> > dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login
> > to foobar.example.com failed: Disconnected from server
> > So. Can we move on from the "blame apparmor" ? ;-)
>
> Laura
>
> I'd suggest doing the test with a restart of dovecot in between stopping
> apparmor and running the doveadm command. Check your logs to see if
> there is no longer any message generated about not being able to execv
> /usr/lib/dovecot/dns-client.
>
> foo:/home/foo # sudo systemctl stop apparmor
> foo:/home/foo # sudo systemctl restart dovecot
> foo:/home/foo # doveadm -v -o mail_fsync=never backup -R -u
> foo...@example.com imapc:
>
> John
Same again....
failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed:
Connection reset by peer
