Description of problem:
When an IMAP client connecting to dovecot sends the LOGOUT command, dovecot immediately terminates the connection, and the BYE response is not sent to the client.
This in turn triggers further bugs in the Limilabs IMAP client / Docuware, which in turn renders it impossible for Docuware v6.12 to log in successfully to a Red Hat SSL IMAP server.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Using Docuware (or the embedded Limilabs IMAP client), attempt to connect and log in to a RHEL7 dovecot server.
Docuware complains "Not able to establish connection. Please verify your input!".
The underlying Limilabs library logs the following: "Limilabs.Client.ServerException: Tried to read a line. No data received."
The IMAP login works successfully.
By enabling a trace of the conversation using dovecot rawlog, and by monitoring the behaviour of the SSL at the same time using ssldump, we find the following:
- SSL handshake completes successfully.
- Dovecot says hello:
1 12 0.6355 (0.2349) S>C application_data
1 13 0.6355 (0.0000) S>C application_data
1524225651.163802 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
- Limilabs says ID:
1524225651.397017 ea6c9b67cbcf4776 ID ("name" "Mail.dll" "version" "3.0.14050.1215" "vendor" "www.limilabs.com" "contact" "firstname.lastname@example.org")
1 14 0.8178 (0.1822) C>S application_data
1 15 0.8178 (0.0000) C>S application_data
- Dovecot says ID completed:
1524225651.397148 * ID ("name" "Dovecot")
1524225651.397161 ea6c9b67cbcf4776 OK ID completed.
1 16 0.8182 (0.0004) S>C application_data
1 17 0.8182 (0.0000) S>C application_data
- Limilabs says LOGOUT:
1524225651.580768 bcc40b4680cc43ed LOGOUT
1 18 0.9993 (0.1810) C>S application_data
1 19 0.9993 (0.0000) C>S application_data
- Dovecot *thinks* it says BYE, but this is never flushed or sent over the network; the connection is terminated prematurely.
1524225651.580815 * BYE Logging out
1524225651.580826 bcc40b4680cc43ed OK Logout completed.
1 20 0.9997 (0.0003) S>C Alert
1 0.9998 (0.0000) S>C TCP FIN
1 1.1814 (0.1816) C>S TCP FIN
- Limilabs complains that "Tried to read a line. No data received."
As a workaround, if stunnel is used to do SSL in front of dovecot instead of dovecot native SSL, the connection termination works properly, and Limilabs/Docuware works.
A fix for this bug appears to have been applied to dovecot in 2014:
The fix was distributed in Debian here:
Red Hat appeared not to distribute the fix for CVE-2015-3420:
The following bug report claimed that the dovecot fix described above caused the CVE, which doesn't seem to make sense:
Downloaded the SRPM for dovecot and applied the following two patches, and the problem was fixed:
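Added check (not part of this report, of the patches referred to above, of dovecot, or of the Limilabs client) that reproduces the observation from the rawlog/ssldump traces at the IMAP level: it sends LOGOUT and records whether `* BYE` and the tagged `OK` were flushed before the server closed. The tag `a001`, the host/port arguments of `connect_and_check` and the in-process fake server in `simulate` are constructed for illustration; only `connect_and_check` talks to a real IMAPS server.

```python
import socket
import ssl
import threading

def read_line(sock):
    """One CRLF line, or None if the peer closed first (close_notify or reset)."""
    try:
        line = sock.makefile("rb", buffering=0).readline()   # unbuffered: no read-ahead
    except OSError:                  # ssl.SSLEOFError / ConnectionResetError
        line = b""
    return line.decode("utf-8", "replace").rstrip("\r\n") if line else None

def check_logout(sock, tag):
    """Send <tag> LOGOUT; report what the server flushed before closing."""
    sock.sendall(f"{tag} LOGOUT\r\n".encode())
    result = {"bye": False, "tagged_ok": False, "eof_first": False}
    while True:
        line = read_line(sock)
        if line is None:             # connection gone before the tagged reply: the bug
            result["eof_first"] = True
            return result
        result["bye"] |= line.startswith("* BYE")
        if line.startswith(f"{tag} OK"):
            result["tagged_ok"] = True
            return result

def connect_and_check(host, port=993, tag="a001"):
    """Same check against a live IMAPS server (host/port are placeholders)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not (read_line(tls) or "").startswith("* OK"):
                raise RuntimeError("unexpected greeting")
            return check_logout(tls, tag)

def simulate(server_flushes_bye):
    """Constructed in-process stand-in for dovecot (socketpair, no TLS)."""
    client, server = socket.socketpair()
    def serve():
        server.sendall(b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n")
        read_line(server)            # consume the LOGOUT command
        if server_flushes_bye:       # fixed (2.2.17+) behaviour: BYE + OK go out first
            server.sendall(b"* BYE Logging out\r\na001 OK Logout completed.\r\n")
        server.close()               # buggy behaviour: close with nothing flushed
    threading.Thread(target=serve).start()
    read_line(client)                # greeting
    return check_logout(client, "a001")
```

Run `simulate(False)` to see the failure pattern from the traces (EOF with no BYE), and `connect_and_check("imap.example.org")` to test a real server after upgrading.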
Upstream fixed this in dovecot 2.2.17; we have updated to dovecot 2.2.36, which contains that fix.