11.0.9 - maildirsize quota header is corrupted

[Nikolay.]

This problem started after upgrading to the new Plesk version 11!

Well, I don't think Plesk 11 causes it. The difference between Plesk 11 and previous versions is the addition of maildirsize file format verification and an attempt to warn about corrupted files. Of course, it doesn't work quite well yet, since solution proposed in the warning message doesn't work. But previous versions would have silently failed on such files and you would never know that some of your users essentially have unlimited mail quota.

I suppose this is either a third-party software issue or an environment issue. And in order to fix the problem you need to track down its source.

 

[P_heck]

Ok, have now enabled an audit rule to watch, which process is changing the file.

For those who want to do the same - here the way to do so (Debian):

1. Install auditd if not yet done:

apt-get install auditd

2. Start auditd:

/etc/init.d/auditd start

3. Adding the rule:

auditctl -w /var/qmail/mailnames/<domain.tld>/<mailname>/Maildir/maildirsize -k maildirsize -p w

(change path to the right one, directing to the maildirsize file)

In case a corruption happens, you can query all events with:

ausearch -k maildirsize

Ciao
Peter

 

[P_heck]

Dragged it now down - no third party sowftware seems to be involved in this problem.

What did I do:

1. Established a cron job which checks the integrity of the "maildirsize" file and write it to a logfile (to get notice, when this happens) - unfortunately, there is a 1-minute gap as the cron checks only every minute

2. Activated auditing on this file to see, what happens.

Problem happened this morning between 09:24:01 and 09:25:01

20120806092401
996680071

20120806092501
mailmng[21647]: maildirsize quota header is corrupted. Please run mail_restore utility to fix.
996685500

Here the output from the audit file:

time->Mon Aug 6 09:24:02 2012
type=CONFIG_CHANGE msg=audit(1344237842.664:761): auid=4294967295 ses=4294967295 op="updated rules" path="/var/qmail/mailnames/peter-heck.de/peter/Maildir/maildirsize" key="maildirsize" list=4 res=1
----
time->Mon Aug 6 09:24:02 2012
type=PATH msg=audit(1344237842.643:760): item=0 name="./Maildir/maildirsize" inode=12468921 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237842.643:760): cwd="/var/qmail/mailnames/peter-heck.de/peter"
type=SYSCALL msg=audit(1344237842.643:760): arch=c000003e syscall=2 success=yes exit=3 a0=a3f010 a1=c02 a2=0 a3=0 items=1 ppid=21634 pid=21635 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="deliverquota" exe="/usr/bin/deliverquota" key="maildirsize"
----
time->Mon Aug 6 09:24:02 2012
type=PATH msg=audit(1344237842.664:762): item=4 name="./Maildir/maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=3 name="./Maildir/maildirsize" inode=12468921 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=2 name="./Maildir/tmp/1344237842.21635_NeWmAiLdIrSiZe.ph-internet.de" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=1 name="./Maildir/" inode=12326882 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=0 name="./Maildir/tmp/" inode=12453318 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237842.664:762): cwd="/var/qmail/mailnames/peter-heck.de/peter"
type=SYSCALL msg=audit(1344237842.664:762): arch=c000003e syscall=82 success=yes exit=0 a0=a3f050 a1=a3f010 a2=1b a3=0 items=5 ppid=21634 pid=21635 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="deliverquota" exe="/usr/bin/deliverquota" key="maildirsize"
----
time->Mon Aug 6 09:25:01 2012
type=PATH msg=audit(1344237901.879:764): item=0 name="./maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237901.879:764): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344237901.879:764): arch=c000003e syscall=2 success=yes exit=3 a0=1995250 a1=c02 a2=0 a3=0 items=1 ppid=4765 pid=21652 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"
----
time->Mon Aug 6 09:25:01 2012
type=PATH msg=audit(1344237901.807:763): item=0 name="./.Spam/../maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237901.807:763): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344237901.807:763): arch=c000003e syscall=2 success=yes exit=4 a0=19928d0 a1=c02 a2=0 a3=3030303030303030 items=1 ppid=4765 pid=21652 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"
----

Looking at the complete audit logfile, the following pattern is new:

time->Mon Aug 6 09:24:02 2012
type=PATH msg=audit(1344237842.664:762): item=4 name="./Maildir/maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=3 name="./Maildir/maildirsize" inode=12468921 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=2 name="./Maildir/tmp/1344237842.21635_NeWmAiLdIrSiZe.ph-internet.de" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=1 name="./Maildir/" inode=12326882 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=0 name="./Maildir/tmp/" inode=12453318 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237842.664:762): cwd="/var/qmail/mailnames/peter-heck.de/peter"
type=SYSCALL msg=audit(1344237842.664:762): arch=c000003e syscall=82 success=yes exit=0 a0=a3f050 a1=a3f010 a2=1b a3=0 items=5 ppid=21634 pid=21635 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="deliverquota" exe="/usr/bin/deliverquota" key="maildirsize"
----

What we see: It looks, like the file is created newly:

time->Mon Aug 6 09:24:02 2012
type=PATH msg=audit(1344237842.643:760): item=0 name="./Maildir/maildirsize" inode=12468921 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237842.643:760): cwd="/var/qmail/mailnames/peter-heck.de/peter"
type=SYSCALL msg=audit(1344237842.643:760): arch=c000003e syscall=2 success=yes exit=3 a0=a3f010 a1=c02 a2=0 a3=0 items=1 ppid=21634 pid=21635 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="deliverquota" exe="/usr/bin/deliverquota" key="maildirsize"
----
time->Mon Aug 6 09:24:02 2012
type=PATH msg=audit(1344237842.664:762): item=4 name="./Maildir/maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=3 name="./Maildir/maildirsize" inode=12468921 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=2 name="./Maildir/tmp/1344237842.21635_NeWmAiLdIrSiZe.ph-internet.de" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=1 name="./Maildir/" inode=12326882 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344237842.664:762): item=0 name="./Maildir/tmp/" inode=12453318 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237842.664:762): cwd="/var/qmail/mailnames/peter-heck.de/peter"
type=SYSCALL msg=audit(1344237842.664:762): arch=c000003e syscall=82 success=yes exit=0 a0=a3f050 a1=a3f010 a2=1b a3=0 items=5 ppid=21634 pid=21635 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="deliverquota" exe="/usr/bin/deliverquota" key="maildirsize"
----
time->Mon Aug 6 09:25:01 2012
type=PATH msg=audit(1344237901.879:764): item=0 name="./maildirsize" inode=12470476 dev=09:02 mode=0100600 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344237901.879:764): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344237901.879:764): arch=c000003e syscall=2 success=yes exit=3 a0=1995250 a1=c02 a2=0 a3=0 items=1 ppid=4765 pid=21652 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"

So inode was 12468921 until this happens, and now it is 12470476

Will now look, whether this pattern will repeat the next time, the problem happens.

@Nikolay - does this help?

Ciao
Peter

 

[P_heck]

Confirmed!

It happened again this morning:

20120807064601
1012793746

20120807064701
mailmng[10163]: maildirsize quota header is corrupted. Please run mail_restore utility to fix.
1012690965

Audit log file says:

time->Tue Aug 7 06:46:35 2012
type=PATH msg=audit(1344314795.605:990): item=0 name="./maildirsize" inode=12468107 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344314795.605:990): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344314795.605:990): arch=c000003e syscall=2 success=yes exit=3 a0=12e1cf0 a1=c02 a2=0 a3=0 items=1 ppid=10142 pid=10143 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"
----
time->Tue Aug 7 06:46:35 2012
type=CONFIG_CHANGE msg=audit(1344314795.623:991): auid=4294967295 ses=4294967295 op="updated rules" path="/var/qmail/mailnames/peter-heck.de/peter/Maildir/maildirsize" key="maildirsize" list=4 res=1
----
time->Tue Aug 7 06:46:35 2012
type=PATH msg=audit(1344314795.623:992): item=4 name="./maildirsize" inode=12471315 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344314795.623:992): item=3 name="./maildirsize" inode=12468107 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344314795.623:992): item=2 name="./tmp/1344314795.10143_NeWmAiLdIrSiZe.ph-internet.de" inode=12471315 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344314795.623:992): item=1 name="./" inode=12326882 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=PATH msg=audit(1344314795.623:992): item=0 name="./tmp/" inode=12453318 dev=09:02 mode=040700 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344314795.623:992): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344314795.623:992): arch=c000003e syscall=82 success=yes exit=0 a0=fbfa80 a1=12e1cf0 a2=1b a3=0 items=5 ppid=10142 pid=10143 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"
----
time->Tue Aug 7 06:46:35 2012
type=PATH msg=audit(1344314795.623:993): item=0 name="./maildirsize" inode=12471315 dev=09:02 mode=0100644 ouid=110 ogid=31 rdev=00:00
type=CWD msg=audit(1344314795.623:993): cwd="/var/qmail/mailnames/peter-heck.de/peter/Maildir"
type=SYSCALL msg=audit(1344314795.623:993): arch=c000003e syscall=2 success=yes exit=3 a0=12e1cf0 a1=c02 a2=0 a3=0 items=1 ppid=10142 pid=10143 auid=4294967295 uid=110 gid=31 euid=110 suid=110 fsuid=110 egid=31 sgid=31 fsgid=31 tty=(none) ses=4294967295 comm="imapd" exe="/usr/bin/imapd" key="maildirsize"
----

So it is now proven, that the file is changed and this causes the problem.

BUT - this time it's not caused by "/usr/bin/deliverquota" but by "/usr/bin/imapd" - strange.

Checked the mail.info log to see, if there is any pattern here, but it is not. Yesterday, it happens during processing of an incomming mail, today during IMAP session to grab mails from the mailbox.

Ciao
Peter

 

[IgorG]

Someone please fill template http://forum.parallels.com/showthread.php?t=106113 with all details! I will forward it to developers for investigation.

 

[P_heck]

Someone please fill template http://forum.parallels.com/showthread.php?t=106113 with all details! I will forward it to developers for investigation.

Here it is:

---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE

11.0.9 Debian 6.0 110120608.16

Linux ph-internet.de 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64 GNU/Linux

PROBLEM DESCRIPTION

See thread - in my case, on one mail account the file "maildirsize" gets corrupt (single empty line inserted at the top of the file). Future analysis done (see http://forum.parallels.com/showthread.php?p=634953#post634953


STEPS TO REPRODUCE

Couldn't be reproduced by my own, but happens each day (not at the same time, each time at different hour)

ACTUAL RESULT

Corrupt "maildirsize" file

EXPECTED RESULT
Corruption of "maildirsize" file is not longer taking place

ANY ADDITIONAL INFORMATION
Investigation done by me, see my post from Aug 6, 2012, 08:47 AM at the forum http://forum.parallels.com/showthread.php?p=634953#post634953

--------------------------------------------------------------

 

[IgorG]

Thank you. I have submitted corresponding request to developers.

 

[maumar]

/opt/psa/admin/sbin/mchk --with-spam
has fixed it for me

 

[P_heck]

/opt/psa/admin/sbin/mchk --with-spam
has fixed it for me

Work, but only max. 24 hours and then it appears again...

 

[abdi]

Do you have a LOT of spam going through your server?

 

[P_heck]

Do you have a LOT of spam going through your server?

11.778 SPAM Mails from Jan 18 2012 till today. Well, quite a lot, I know...

 

[abdi]

Well that explains why your mailboxes get so corrupted oftenly. This thread might help in investigation of SPAM:

http://forum.parallels.com/showthread.php?t=262069

 

[Nikolay.]

/opt/psa/admin/sbin/mchk --with-spam
has fixed it for me

Work, but only max. 24 hours and then it appears again...

OK, Peter, I need you to check the maildirsize file that is generated for the mailbox with the issue just after issuing this command (mchk). Then post this file here, please.

Some explanations:

So it is now proven, that the file is changed and this causes the problem.

BUT - this time it's not caused by "/usr/bin/deliverquota" but by "/usr/bin/imapd" - strange.

deliverquota and imapd are both part of Courier-IMAP and share the same code for updating Maildir++ quota files. Therefore this is to be expected. Occasionally they create a new file in place of the old one (this is what you actually see here) when it becomes too large or requires recalculation otherwise. Since after this operation header becomes invalid (from the Plesk point of view), it most probably had unusual value beforehand.

Well that explains why your mailboxes get so corrupted oftenly.

Not exactly. If the spam is not rejected, then this would trigger maildirsize recalculation more often.

I think another scenario is more probable though. If mailbox is over quota and maildirsize file is at least 15 minutes old, then recalculation is triggered (upon mail delivery or IMAP session, of course).

P.S. Sorry for long response. Been busy.

 

[P_heck]

Hello Nikolay,

attached a "fresh" maildirsize file, generated after the problem occured.

One remark: None of my configured mail accounts is using quotas - all are configured without limits.

Ciao
Peter

 

[Nikolay.]

Thank you, Peter! Now it's clear what's causing the problem.

One remark: None of my configured mail accounts is using quotas - all are configured without limits.

As I expected, deliverquota/imapd place an empty header into maildirsize file upon recalculation if previous 'S' and 'C' values are zero. This seems to be handled well by mail subsystem, but triggers a warning in Plesk utilities. Unfortunately, I don't believe there is a proper solution currently.

But there are two possible workarounds:
1) Set a reasonably high quota for your mailboxes. (recommended)
2) Remove maildirsize files from problematic mailboxes. (This should help as well. But no guarantees are given. Also mail_restore will bring them back, I suppose.)

I haven't yet reproduced the problem, but I think it's pretty clear now what should be done on Parallels side. Your help is greatly appreciated!

 

[P_heck]

Hello Nikolay,

ok, changed the mailsize limit in Plesk for this one mailbox from unlimited to 9999999 - now I need to wait and see for a few days if this is working. Thanks for your support!

Ciao
Peter

 

[P_heck]

So far (touch wood) - the problem has not appeared anymore - looks like setting a limit works for me.

Ciao
Peter

 

[MeaC]

The error kept reappearing for me, too.
I checked and the relevant domain did also specify an "unlimited" mailbox size.

My workaround was to go to "Tools --> Settings --> Server Settings" and deactivate the inclusion of "Mailboxes" and "Mailing Lists" in the space calculation. Since then, the error did not reappear.
That's not a great solution but seems to work until Plesk has fixed this bug (and without setting mailbox limits temporarily).

 

[MeaC]

My workaround was to go to "Tools --> Settings --> Server Settings" and deactivate the inclusion of "Mailboxes" and "Mailing Lists" in the space calculation. Since then, the error did not reappear.
That's not a great solution but seems to work until Plesk has fixed this bug (and without setting mailbox limits temporarily).

Update: the above workaround did not work.
I now wrote a cronjob, that runs mchk every X minutes...

 

[Kartoffelsack]

Are there any updates on this subject?

On my server there are the same problems. It's one mailbox whose maildirsize file gets corrupted nearly every day. This mailbox has no quota enabled, there is no other software accessing this mailbox than postfix/courier. What makes me wonder is that other mailboxes don't get corrupted even they also have no quota set. Thanks to the tip regarding checking the size of the maildirs I could easily find out which mailbox got corrupted and delete it's maildirsize file instead of starting that longrunning mchk every day. This was really annoying!

Maybe this is another reason for switching from courier to dovecot?