[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
Traditionally this server has only accepted plaintext authentications; however, we want to change that and enable TLS/SSL. The challenge is the server has hundreds of IP addresses it binds to to listen on ports 110/143. Enabling TLS/SSL is not an option because, as this is a virtual hosting environment, if a connection comes in on any hostname other than the specific one tied to the crt, all mail clients will throw a mismatched certificate error if TLS is initiated by the client, and a surprisingly large number of customers have "use TLS if available" selected in their clients.

According to most of the suggestions on the list, I've set up 2 dovecot instances. The first listening on *:110 and *:143, and the second listening on 10.0.0.2:993 and 10.0.0.2:995. This works great for SSL support; however, I would also like to offer TLS to connections coming in on a single IP address. Because the server has hundreds of IPs, with new IPs being added all the time, seemingly the only way would be to configure every one of these IPs (as they occur) into the primary dovecot.conf file, and then only set up the single IP that's handling SSL/TLS in the dovecot-ssl.conf (the conf file the SSL/TLS instance loads). This can be time consuming and has no way to automate.

It would be terrific if one of the following exists, or potentially could exist:

1. Ideal scenario. A config option which tells TLS to only respond on certain IPs. In our case if a connection attempts to initiate TLS on any IP address except 10.0.0.2, it would respond with no TLS support. This would be ideal as we could continue running just a single dovecot instance.

2. Secondary scenario. A way to exclude an IP from being bound to. Something like the following to bind to all except 10.0.0.2:

   listen = *:110, -10.0.0.2

As is, based on my understanding of the config, neither of these is an option. Any support for adding either of these options, or alternate ideas anyone might have?

- N
Re: [Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On Thu, Aug 27, 2009 at 12:03 AM, Michael Orlitzky wrote:
> Nathan M wrote:
>>
>> Traditionally this server has only accepted plaintext authentications;
>> however, we want to change that and enable TLS/SSL. The challenge is
>> the server has hundreds of IP addresses it binds to to listen on ports
>> 110/143.
>
> It may be 3am, but I'm pretty sure that this is the part of your setup that
> doesn't make sense. Why does your POP/IMAP server need to be accessed via so
> many addresses?
>

Because everybody wants to check email at mail.$theirdomain.com. Also, some users "need" to check email with username only, so the local_ip variable is used within the dovecot-sql query to look up some virtual users by username only + match the local_ip to a table with domain+ip lookup.

- N
Re: [Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On Thu, Aug 27, 2009 at 6:54 AM, Timo Sirainen wrote:
> On Wed, 2009-08-26 at 18:27 -0700, Nathan M wrote:
>> 1. Ideal scenario. A config option which tells TLS to only respond on
>> certain IPs. In our case if a connection attempts to initiate TLS on
>> any IP address except 10.0.0.2, it would respond with no TLS support.
>> This would be ideal as we could continue running just a single dovecot
>> instance.
>
> Dovecot v2.0 supports this. I'm hoping to get the first alpha version
> out in a month or two.
>

Timo, that's terrific to hear!! I think we'll just support SSL only for now, and when 2.0 is stable we can offer SSL+TLS. Thanks for the absolutely incredible software.

- N
Re: [Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
On Thu, Aug 27, 2009 at 8:55 AM, Michael Orlitzky wrote:
>> Also, some users "need" to check email with username only, so the
>> local_ip variable is used within the dovecot-sql query to lookup some
>> virtual users by username only + match the local_ip to a table with
>> domain+ip lookup.
>
> Ok, you got me. How many users need that ability? Would anyone notice if you
> killed them?
>
> I started writing a long and involved migration plan to work around this
> requirement, but honestly, "wait for v2.0" is probably a better one.
>

We "assimilate" a lot of existing hosting customers, and in order to successfully transfer a domain from X server to our server, if they were logging in previously with username only, we try to accommodate that and not require all the users to change their settings (it's a customer service thing I guess). Because dovecot supports a very flexible SQL lookup function, it's easy to do by assigning the domain in particular a static IP and pointing mail.$domain at the static IP.

On any given server, it could be between 200 and 2000 email accounts which are logging in with username only. So, really the "need" is ours to not have to have all those accounts change their settings in order to use our servers.

I think I'm OK providing SSL only for now, and offering TLS once 2.0 is stable as a solution. It's still better than plaintext. =)

- N
Re: [Dovecot] Active IMAP sessions per server?
On Mon, Aug 31, 2009 at 11:29 AM, Brent Bloxam wrote:
> Hi,
>
> I'm curious about some of the larger dovecot installs out there and what
> your current active user load looks like per server. Realistically, how many
> active IMAP sessions are some of you maintaining? At what point did you find
> the load became unmanageable? I know there's a lot of different factors
> involved in this, but I'm just looking to get a rough idea of what I can
> expect to be able to handle with dovecot.
>
> Any help is appreciated
>
> Regards,
> Brent

We see anywhere from 70-200 active IMAP sessions open at any given time, it would seem. That's for a server with roughly 5000 mailboxes. All in all, they use little to no system resources because most of them are simply sitting there idle. Although, most customers use POP3, not IMAP, because it's most mail clients' default option. It's the POP3/leave-messages-on-server people that seem to cause us problems.

- N
Re: [Dovecot] dovecot-auth stops responding
On Thu, Sep 10, 2009 at 11:43 AM, Timo Sirainen wrote:
> On Thu, 2009-09-10 at 14:32 -0400, Jonathan Siegle wrote:
>> It only helps when I kill dovecot-auth, not dovecot-auth -w.
>
> Interesting..
>
>> > What if you kill imap-login processes instead?
>> >
>>
>> I don't have imap-login processes associated with inetd spawned
>> dovecot.
>
> Why do you use inetd? I'm currently wondering if I should bother adding
> inetd support to Dovecot v2.0.
>
>> Yes I have truss. So tomorrow when this happens I'll do truss -f -p on
>> the dovecot-auth process?
>
> Yes. Also having auth_debug=yes enabled might show something useful.
> What does it log last before it stops responding?
>

I've run across what seems to be the same issue with 1.2.4. I upgraded from a 1.0 release which was not having any issues; however, I'm very afraid to revert because the server gets killed if it has to rebuild caches/indexes. I don't have this issue on less loaded 1.2.4 installations, only this server which handles roughly 6000 mailboxes and maintains a higher overall load.

The difference is we aren't doing PAM, we have it disabled. We do SQL authentication only. Exact same symptoms: the server and all active connections remain online; however, new connections coming in via POP3/IMAP hang. The connection is made, but the banner is never shown. The log, with auth_debug enabled, doesn't seem to show anything useful; it only shows a ton of connections being dropped for remaining idle for too long when this begins happening, i.e. POP3/IMAP clients are connecting, never getting a banner, and therefore never sending login credentials, then dovecot drops the connection eventually.

System affected is Linux 2.6.18 (CentOS 5.2). Any help diagnosing and fixing this would be greatly appreciated. I'm not sure where to go from here.

- N
Re: [Dovecot] dovecot-auth stops responding
On Thu, Sep 10, 2009 at 12:47 PM, Timo Sirainen wrote:
>
> So killing dovecot-auth fixes the problem? What if you set
> login_process_per_connection=no?
>

Next time it happens I'll just try killing dovecot-auth. Thus far the fix has been fairly crude:

    killall dovecot
    /usr/local/sbin/dovecot

That always gets it answering. I believe by killing dovecot it takes down dovecot-auth as well. I will also set login_process_per_connection=no and see if that clears anything up. The issue is very random, can't predict it at all, but typically 2-3 times per day, so hopefully I'll know quickly if we're making progress.

- N
Re: [Dovecot] dovecot-auth stops responding
On Thu, Sep 10, 2009 at 12:47 PM, Timo Sirainen wrote: > On Thu, 2009-09-10 at 12:22 -0700, Nathan M wrote: >> The difference is we aren't doing PAM, we have it disabled. We do SQL >> authentication only. Exact same symptoms, the server and all active >> connections remain online; however, new connections coming in via >> POP3/IMAP hang. The connection is made, but the banner is never >> shown. > > So killing dovecot-auth fixes the problem? What if you set > login_process_per_connection=no? > > Timo, setting login_process_per_connection=no significantly stablized the system. It was locking up 3-4 times a day, and now it seems to only lockup about once per month. Still something wrong, but much less significant. I also need to update to the latest release when time allows since two point releases have come out since this discussion. - N