Bug 553011

Summary: Missing user_deny.db causes IMAP client disconnect
Product: [Fedora] Fedora
Reporter: Carl Roth <roth>
Component: cyrus-imapd
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 11
CC: mhlavink, philipp
Hardware: i686
OS: Linux
Fixed In Version: 2.3.16-2.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-02 01:06:23 UTC
Attachments:
Posted fix from Cyrus mailing list. (flags: none)

Description Carl Roth 2010-01-06 19:57:58 UTC
Description of problem:

The newly-released 2.3.16 version of cyrus-imapd adds a user_deny.db file that is accessed to see if users should be rejected (duh).  This file is not created by cyrus-imapd by default, and if it is missing, I notice that all IMAP clients get rejected by default.

There is some discussion of this new feature:

http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38696.html
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38705.html

The workaround I used was to create an empty user_deny.db file, and to make sure that the imapd.conf file specifies 'userdeny_db: flat'.  As per the mailing-list discussion, there are still lots of spurious user_deny.db lookup messages in the mail logs, but the clients are now able to connect.

For the short term, it would be good to have the cyrus-imapd RPM provide this empty user_deny.db so that RPM upgrades do not go awry.


Comment 1 Philip Prindeville 2010-01-08 20:22:14 UTC
Created attachment 382539
Posted fix from Cyrus mailing list.

Here's the fix posted in:

http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38697.html

Also requires:

--- ../SOURCES/cyrus-imapd.imap-2.3.x-conf.orig	2006-02-28 12:04:01.000000000 -0800
+++ ../SOURCES/cyrus-imapd.imap-2.3.x-conf	2010-01-08 11:13:03.000000000 -0800
@@ -9,3 +9,4 @@
 tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
+userdeny_db: dummy
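
Review bot: the added `userdeny_db: dummy` line at the end of the shipped config has no accompanying comment, and the value differs from the `userdeny_db: flat` workaround in the description. Since this conf change is posted as a companion to the attached fix ("Also requires"), suggest a `#` comment above it stating that it depends on that patch and what `dummy` means for deny-list enforcement, so the setting is not carried forward on its own.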

Comment 2 Michal Hlavinka 2010-01-11 13:12:05 UTC
Hi guys, thanks for reporting this.

I don't want to use solution A) or solution B), because it's not clear (yet) what upstream's preferences are. So I've prepared solution C (temporary).

How it (should) work:

When it initializes the access_ok check, it tests whether user_deny.db exists. If it does not exist, it returns true (user allowed) and, remembering this, it does not do any tests next time (until service restart). Please test if it works for you.

Packages can be found here:

x86_64:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1913749

i586:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1913751

If it does not work, please attach the log (one line:

DENYDB_ERROR: databaze '<path to user_denny.db>' does not exist, ignoring...

in the log is expected).

Comment 3 Philip Prindeville 2010-01-11 17:53:51 UTC
FYI:  I tried running the patch in Comment #2 locally, and I get as much logging anyway:

...
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'

so in terms of exploding my /var/log/maillog, it's a tie... about the same either way.

Comment 4 Michal Hlavinka 2010-01-14 13:11:36 UTC
Ooops, I can't see my last comment; I've probably put it under the wrong bug number :D

Anyway, I've had more time, so I've tested it myself. The patch I've created has a wrong if condition. This should be fixed now with a workaround: user_deny.db is not used (without complaints) if it does not exist. This is only temporary until upstream comes up with something official.
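
The behaviour described in Comments 2 and 4 (probe for the database once, allow logins when it is absent, remember the result until restart), as an added example that is not the Fedora patch or Cyrus source. All function names, the relative path and the flat record format are assumptions; it goes one step further than the comments by refusing logins when the file exists but cannot be used, so only a missing file skips the check.

```c
/* Added illustration; every name here is hypothetical, not Cyrus source. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
enum deny_state { DENY_UNINIT, DENY_ABSENT, DENY_PRESENT, DENY_BROKEN };
static enum deny_state g_state = DENY_UNINIT;
static char g_path[1024];

/* Probe the deny database once. The answer is remembered until
 * deny_reset(), which stands in for a service restart. */
enum deny_state deny_init(const char *path)
{
    struct stat sb;
    snprintf(g_path, sizeof g_path, "%s", path);
    if (stat(g_path, &sb) == 0)
        g_state = S_ISREG(sb.st_mode) ? DENY_PRESENT : DENY_BROKEN;
    else if (errno == ENOENT)
        g_state = DENY_ABSENT;  /* never created: nothing to enforce */
    else
        g_state = DENY_BROKEN;  /* EACCES, EIO, ...: keep failing closed */
    return g_state;
}

void deny_reset(void) { g_state = DENY_UNINIT; }

/* Returns 1 when the user may log in, 0 when the login is refused. */
int access_ok(const char *user)
{
    char line[512];
    size_t n = strlen(user);
    int ok = 1;
    FILE *f;
    if (g_state == DENY_ABSENT) return 1;   /* cached: no lookup at all */
    if (g_state != DENY_PRESENT) return 0;  /* uninitialised or unusable */
    if ((f = fopen(g_path, "r")) == NULL) return 0;
    /* Constructed flat format: short "<user>\t<reason>" records, one per line. */
    while (ok && fgets(line, sizeof line, f))
        if (strncmp(line, user, n) == 0 && (line[n] == '\t' || line[n] == '\n'))
            ok = 0;
    fclose(f);
    return ok;
}
int main(void)
{
    deny_init("user_deny.db");  /* relative path is an assumption */
    printf("philipp allowed: %d\n", access_ok("philipp"));
    return 0;
}
```

Because the absent state is cached, a deny file created while the service is running has no effect until the next restart.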

Comment 5 Fedora Update System 2010-01-14 13:22:13 UTC
cyrus-imapd-2.3.16-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.16-2.fc11

Comment 6 Fedora Update System 2010-01-14 13:22:18 UTC
cyrus-imapd-2.3.16-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.16-2.fc12

Comment 7 Fedora Update System 2010-01-15 22:05:16 UTC
cyrus-imapd-2.3.16-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update cyrus-imapd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0574

Comment 8 Fedora Update System 2010-01-15 22:10:05 UTC
cyrus-imapd-2.3.16-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update cyrus-imapd'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0611

Comment 9 Fedora Update System 2010-02-02 01:06:17 UTC
cyrus-imapd-2.3.16-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-02-02 01:15:18 UTC
cyrus-imapd-2.3.16-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.