Bug 553011 - Missing user_deny.db causes IMAP client disconnect
Summary: Missing user_deny.db causes IMAP client disconnect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cyrus-imapd
Version: 11
Hardware: i686
OS: Linux
low
high
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-06 19:57 UTC by Carl Roth
Modified: 2010-02-02 01:15 UTC (History)
2 users (show)

Fixed In Version: 2.3.16-2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-02 01:06:23 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Posted fix from Cyrus mailing list. (7.98 KB, patch)
2010-01-08 20:22 UTC, Philip Prindeville 		no flags Details | Diff
View All

Description Carl Roth 2010-01-06 19:57:58 UTC 
Description of problem:

The newly-released 2.3.16 version of cyrus-imapd adds a user_deny.db file that is accessed to see if users should be rejected (duh).  This file is not created by cyrus-imapd by default, and if it is missing, I notice that all IMAP clients get rejected by default.

There is some discussion of this new feature:

http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38696.html
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38705.html

The workaround I used was to create an empty user_deny.db file, and to make sure that the imapd.conf file specifies 'userdeny_db: flat'.  As per the mailing-list discussion, there are still lots of spurious user_deny.db lookup messages in the mail logs, but the clients are now able to connect.

For the short-term, it would be good to have the cyrus-imapd RPM provide this empty user_deny.db so that RPM upgrades to not go awry.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Philip Prindeville 2010-01-08 20:22:14 UTC 
Created attachment 382539 [details]
Posted fix from Cyrus mailing list.

Here's the fix posted in:

http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg38697.html

Also requires:

--- ../SOURCES/cyrus-imapd.imap-2.3.x-conf.orig	2006-02-28 12:04:01.000000000 -0800
+++ ../SOURCES/cyrus-imapd.imap-2.3.x-conf	2010-01-08 11:13:03.000000000 -0800
@@ -9,3 +9,4 @@
 tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
 tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
+userdeny_db: dummy
Comment 2 Michal Hlavinka 2010-01-11 13:12:05 UTC 
hi guys, thanks for reporting this

I don't want to use solution A) nor solution B), because it's not clear (yet) what upstream preferences are. So I've prepared solution C (temporary) 

How it (should) work:

when it initialize access_ok check, it tests if user_denny.db exists. If it does not exists, it returns true (user allowed) and remembering this it's not doing any tests next time (until service restart). Please test if it works for you.

Packages can be found here:

x86_64:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1913749

i586:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1913751

If it does not work, please attach log (one line :

DENYDB_ERROR: databaze '<path to user_denny.db>' does not exist, ignoring...

in log is expected).
Comment 3 Philip Prindeville 2010-01-11 17:53:51 UTC 
FYI:  I tried running the patch in Comment #2 locally, and I get as much logging anyway:

...
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'
Jan 11 10:51:08 mail imaps[24018]: fetching user_deny.db entry for 'philipp'

so in terms of exploding my /var/log/maillog, it's a tie... about the same either way.
Comment 4 Michal Hlavinka 2010-01-14 13:11:36 UTC 
ooops, I can't see my last comment, I've probably put it under wrong bug number :D

anyway, I've had more time, so I've tested it myself. Patch I've created has wrong if condition. This should be fixed now with some workaround - user_denny.db is not used (without complains) if it does not exist. This is only temporary till upstream comes up with something official
Comment 5 Fedora Update System 2010-01-14 13:22:13 UTC 
cyrus-imapd-2.3.16-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.16-2.fc11
Comment 6 Fedora Update System 2010-01-14 13:22:18 UTC 
cyrus-imapd-2.3.16-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cyrus-imapd-2.3.16-2.fc12
Comment 7 Fedora Update System 2010-01-15 22:05:16 UTC 
cyrus-imapd-2.3.16-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cyrus-imapd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0574
Comment 8 Fedora Update System 2010-01-15 22:10:05 UTC 
cyrus-imapd-2.3.16-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cyrus-imapd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0611
Comment 9 Fedora Update System 2010-02-02 01:06:17 UTC 
cyrus-imapd-2.3.16-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-02-02 01:15:18 UTC 
cyrus-imapd-2.3.16-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.