Bug 1570017

Summary: Premature LOGOUT disconnect on SSL connections - BYE not flushed / correctly sent
Product: Red Hat Enterprise Linux 7
Component: dovecot
Version: 7.7
Reporter: Graham Leggett <minfrin>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Keywords: Patch
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-02-07 18:27:12 UTC
Type: Bug

Description Graham Leggett 2018-04-20 12:51:50 UTC
Description of problem:

When an IMAP client connecting to dovecot sends the LOGOUT command, dovecot immediately terminates the connection, and the BYE response is not sent to the client.

This in turn triggers further bugs in Limilabs IMAP client / Docuware, which in turn renders it impossible for Docuware v6.12 to log in successfully to a Red Hat SSL IMAP server.

Version-Release number of selected component (if applicable):

dovecot-2.2.10-8.el7.x86_64



How reproducible:


Steps to Reproduce:
1. Using Docuware (or the embedded Limilabs IMAP client), attempt to connect and login to a RHEL7 dovecot server.
2.
3.

Actual results:

Docuware complains "Not able to establish connection. Please verify your input!".

The underlying Limilabs library logs the following: "Limilabs.Client.ServerException: Tried to read a line. No data received."


Expected results:

The IMAP login works successfully.

Additional info:

By enabling a trace of the conversation using dovecot rawlog, and by monitoring the behaviour of the SSL at the same time using ssldump, we find the following:

- SSL handshake completes successfully.

- Dovecot says hello:

1 12   0.6355   (0.2349)    S>C      application_data
1 13   0.6355   (0.0000)    S>C      application_data

1524225651.163802 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

- Limilabs says ID:

1524225651.397017 ea6c9b67cbcf4776 ID ("name" "Mail.dll" "version" "3.0.14050.1215" "vendor" "www.limilabs.com" "contact" "support")

1 14   0.8178   (0.1822)    C>S      application_data
1 15   0.8178   (0.0000)    C>S      application_data

- Dovecot says ID completed:

1524225651.397148 * ID ("name" "Dovecot")
1524225651.397161 ea6c9b67cbcf4776 OK ID completed.

1 16   0.8182   (0.0004)    S>C      application_data
1 17   0.8182   (0.0000)    S>C      application_data

- Limilabs says LOGOUT:

1524225651.580768 bcc40b4680cc43ed LOGOUT

1 18   0.9993   (0.1810)    C>S      application_data
1 19   0.9993   (0.0000)    C>S      application_data

- Dovecot *thinks* it says BYE, but this is never flushed or sent over the network; the connection is terminated prematurely.

1524225651.580815 * BYE Logging out
1524225651.580826 bcc40b4680cc43ed OK Logout completed.

1 20   0.9997   (0.0003)    S>C      Alert
  1      0.9998   (0.0000)    S>C    TCP FIN
  1      1.1814   (0.1816)    C>S    TCP FIN

- Limilabs complains that "Tried to read a line. No data received."

As a workaround, if stunnel is used to do SSL in front of dovecot instead of dovecot native SSL, the connection termination works properly, and Limilabs/Docuware works.
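
A check for the symptom shown in the trace above, as an added example that is not part of the original report: it scans ssldump summary lines and flags a connection where the server sends an Alert or TCP FIN while the client's last application_data record is still unanswered. The function names and the FIXED trace are constructed for illustration; BUGGY repeats the tail of the ssldump output from the report.

```python
import re

# ssldump summary line: "<conn> <rec#> <time> (<delta>) <dir> <type>".
# TCP events carry no record number: "<conn> <time> (<delta>) <dir> TCP FIN".
LINE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?:\d+\s+)?(?P<time>\d+\.\d+)\s+"
    r"\(\d+\.\d+\)\s+(?P<dir>C>S|S>C)\s+(?P<kind>.+?)\s*$"
)

def parse(trace):
    """Yield (conn, time, direction, kind) for each recognised ssldump line."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m["conn"]), float(m["time"]), m["dir"], m["kind"]

def unanswered_close(trace):
    """Return (conn, time, kind) where the server starts closing while the
    client's last application_data record has had no server reply."""
    awaiting = {}   # conn -> True while client data is unanswered
    flagged = []
    for conn, when, direction, kind in parse(trace):
        if kind == "application_data":
            awaiting[conn] = direction == "C>S"
        elif direction == "S>C" and kind in ("Alert", "TCP FIN"):
            if awaiting.get(conn):
                flagged.append((conn, when, kind))
            awaiting[conn] = False
    return flagged

# Tail of the ssldump trace from the report (client LOGOUT, then server close).
BUGGY = """\
1 16   0.8182   (0.0004)    S>C      application_data
1 17   0.8182   (0.0000)    S>C      application_data
1 18   0.9993   (0.1810)    C>S      application_data
1 19   0.9993   (0.0000)    C>S      application_data
1 20   0.9997   (0.0003)    S>C      Alert
  1      0.9998   (0.0000)    S>C    TCP FIN
"""

# Constructed trace: a flushed BYE before the Alert (record numbers/timings assumed).
FIXED = BUGGY.replace(
    "1 20   0.9997   (0.0003)    S>C      Alert",
    "1 20   0.9996   (0.0003)    S>C      application_data\n"
    "1 21   0.9997   (0.0001)    S>C      Alert",
)

if __name__ == "__main__":
    print("buggy:", unanswered_close(BUGGY))
    print("fixed:", unanswered_close(FIXED))
```

The check works on record direction and type only, so it needs no TLS keys; confirming that the unanswered record was the LOGOUT still requires correlating timestamps with the rawlog, as the report does.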

Comment 2 Graham Leggett 2018-04-20 13:01:43 UTC
A fix for this bug appears to have been applied to dovecot in 2014:

https://dovecot.org/list/dovecot-cvs/2014-June/024504.html

The fix was distributed in Debian here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751682

Red Hat appeared to not distribute the fix for CVE-2015-3420:

https://access.redhat.com/security/cve/cve-2015-3420

The following bug report claimed that the dovecot fix described above caused the CVE, which doesn't seem to make sense:

https://bugzilla.redhat.com/show_bug.cgi?id=1216057

Comment 3 Graham Leggett 2018-04-20 13:52:57 UTC
Downloaded the SRPM for dovecot and applied the following two patches, and the problem was fixed:

https://dovecot.org/list/dovecot-cvs/2014-June/024504.html
https://www.dovecot.org/list/dovecot-cvs/2014-June/024509.html

Comment 4 Michal Hlavinka 2020-02-07 18:27:12 UTC
Upstream fixed this for dovecot 2.2.17; we have updated to dovecot 2.2.36, which contains that fix.