
Forwarded to devs Dovecot issue - incorrect config and potential FAILURE of MU61

trialotto

Golden Pleskian
Plesk Guru
TITLE:
Dovecot issue - incorrect config and potential FAILURE of MU61
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.8.11 : micro-update #60 and #61 (after Dovecot fix)
OS: Ubuntu 16.04.x LTS + Ubuntu 18.04.x LTS
VPS and Dedicated server
PROBLEM DESCRIPTION:
Mail.log and syslog show entries like:

process '/usr/lib/dovecot/dovecot-lda -d "$DELIVERED_TO"' stderr : doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf#012doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:5: ssl_dh_parameters_length is no longer needed

When simply adjusting the offending line to

#ssl_dh_parameters_length=2048 (and reloading dovecot)

the old error notification in mail.log and/or syslog, being

process '/usr/lib/dovecot/dovecot-lda -d "$DELIVERED_TO"' stderr : lda([email protected],)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

returns, even though it seems to be the case that MU61 intended to fix this particular (and odd) issue.

In addition, another (second) problem exists.

A Dovecot stop and start sequence results in the syslog entries :

Jul 22 18:01:55 main dovecot: master: Error: systemd listens on port 143, but it's not configured in Dovecot. Closing.
Jul 22 18:01:55 main dovecot: master: Error: systemd listens on port 993, but it's not configured in Dovecot. Closing.


In short, Dovecot config is not correct at all.
STEPS TO REPRODUCE:
Just send a mail and check logs......before and after uncommenting the offending ssl_dh_parameters_length

STR to get the errors at dovecot stop/start sequences : just run the appropriate stop and start commands.
ACTUAL RESULT:
Mails get stored to the inbox.

However, the error notification

process '/usr/lib/dovecot/dovecot-lda -d "$DELIVERED_TO"' stderr : lda([email protected],)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

still exists!
EXPECTED RESULT:
MU61 contains some updated dovecot and other mail related packages.

MU61 seems to be the intended fix of some mail related issues with dovecot.

MU61 did not work...... probably.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Additional INFO:

This is related to ownership structure AND misconfiguration of dovecot.

The ownership structure can be easily tested by following these STR:

1 - make sure that dovecot is reloaded after uncommenting the offending line in /etc/dovecot/conf.d/11-plesk-security-ssl.conf

#ssl_dh_parameters_length=2048


and this will result in the log entry

process '/usr/lib/dovecot/dovecot-lda -d "$DELIVERED_TO"' stderr : lda([email protected],)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied


which entry is related only to bad config of dovecot.

2 - cd into /var/run/dovecot and run the command : chown popuser:popuser stats-writer

3 - send a test mail to the mail server that you changed the dovecot conf on : the LDA related error message is gone.

NOTE that it is recommended to run the commands

- postfix reload
- dovecot reload

afterwards, since the chown in step 2 can be dangerous and the reload of postfix and dovecot will return to original chown settings.

Regards........
 
Thanks for the report.
Actually, it's just a warning.
We have already submitted the issue PPPM-10408
 
@Igor,

I am sure that the

Warning: Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:

is nothing to worry about.

Actually, the same applies to the LDA related issue : it is essentially a permission denied log entry without real consequences, as far as I know of.

However, the postfix-local compilation should not result in the LDA related log entry, when removing one obsolete line in the dovecot config - some recoding is required.

In addition, I am not sure why Plesk Team does not want to allow for dovecot (custom or default configurated) related services, like stats, anvil (additional protection).

Maybe I am missing something here?

Regards......
 
In addition, I am not sure why Plesk Team does not want to allow for dovecot (custom or default configurated) related services, like stats, anvil (additional protection).
Because now it works that way. Not that we don't want something. Rather, it was not particularly necessary for anyone.
 
@IgorG,

There is a careful consideration that can or has to be made with respect to Dovecot services like stats and especially anvil.

As far as I know, it is to a high degree true that it is not necessary for anyone, given that postfix anvil (and similar postfix services) are configured AND that most hack attempts or attacks are aimed at postfix directly.

However, given that postfix-local (i.e. dovecot-lda) is the "internal engine", it might be a good idea to do something with Dovecot config of services.

After all, not all hack attempts or attacks are aimed directly at the postfix level - sometimes, the Dovecot level is attacked directly.

Note that I already tried some test configuration for Dovecot, but I ran into some potential security issues : this is probably related to default postfix-local config.

I will keep you posted, but will move some of this conversation to a direct message - if necessary and progress with test config has been made.

Kind regards.........
 
Of course this is not correct and must be fixed by Plesk, but here is a quick workaround:

chmod 0666 /var/run/dovecot/stats-writer

* needs to be re-applied every time dovecot is restarted

regards
Jan
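The two posts above (the chown/reload test sequence and the chmod 0666 workaround) both come down to the same two checks: recognise the symptom lines in mail.log/syslog, and inspect the mode and ownership of /var/run/dovecot/stats-writer before and after a Dovecot reload. The script below is an added example, not code from the thread or from Plesk; the log lines in SAMPLE_LOG are constructed to match the messages quoted above, the helper names are my own, and it assumes GNU stat(1) as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the Plesk thread): triage helpers for the Dovecot
# symptoms discussed above. SAMPLE_LOG is constructed, not a real capture.

# Classify one mail.log/syslog line into one of the symptoms named in the thread.
classify_dovecot_line() {
    line=$1
    case $line in
        *"net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied"*)
            echo stats-writer-permission ;;
        *"Obsolete setting"*"ssl_dh_parameters_length"*)
            echo obsolete-ssl-dh-setting ;;
        *"systemd listens on port"*"not configured in Dovecot"*)
            echo systemd-socket-mismatch ;;
        *)  echo other ;;
    esac
}

# Count the lines on stdin that classify as the given symptom tag.
count_symptom() {
    wanted=$1
    n=0
    while IFS= read -r l; do
        [ "$(classify_dovecot_line "$l")" = "$wanted" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print owner:group and octal mode of a path (GNU stat), so the state of the
# stats-writer socket can be compared before and after "dovecot reload".
describe_perms() {
    stat -c '%U:%G %a' "$1"
}

# Return 0 if the "other" write bit is set, i.e. the chmod 0666 workaround
# state from the thread, in which every local account can write to the socket.
is_world_writable() {
    mode=$(stat -c '%a' "$1")
    other=$(( mode % 10 ))
    [ $(( other & 2 )) -ne 0 ]
}

# Constructed sample lines, modelled on the messages quoted in the thread.
SAMPLE_LOG='Jul 22 18:01:55 main dovecot: master: Error: systemd listens on port 143, but it'"'"'s not configured in Dovecot. Closing.
Jul 22 18:01:55 main dovecot: master: Error: systemd listens on port 993, but it'"'"'s not configured in Dovecot. Closing.
Jul 22 18:02:10 main postfix-local[2211]: lda(user@example.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
Jul 22 18:02:10 main postfix-local[2211]: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:5: ssl_dh_parameters_length is no longer needed
Jul 22 18:02:11 main postfix/qmgr[900]: 1A2B3C: removed'

# Summary of the constructed sample, one line per symptom tag.
for tag in stats-writer-permission obsolete-ssl-dh-setting systemd-socket-mismatch; do
    printf '%-26s %s\n' "$tag" "$(printf '%s\n' "$SAMPLE_LOG" | count_symptom "$tag")"
done

# On a real Plesk host, show the socket state; skipped where the socket is absent.
SOCK=/var/run/dovecot/stats-writer
if [ -S "$SOCK" ]; then
    printf '%s %s world-writable=%s\n' "$SOCK" "$(describe_perms "$SOCK")" \
        "$(is_world_writable "$SOCK" && echo yes || echo no)"
fi
```

Run it before and after `dovecot reload` to see whether a hand-applied chown/chmod survives; the thread notes that it does not, which is the reason a chmod 0666 has to be re-applied on every restart. The world-writable check is there so that a forgotten workaround is visible rather than silently left behind.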
 
@Linulex / Jan,

The suggestion for the "quick work-around" is known to me, but that is probably not the entire work-around, which at least -for many obvious reasons- should consist of :

1 - proper declaration of stats (and/or anvil) service

2 - an user:group structure according to the service declaration and in line with postfix-local configuration

Please note that the part

"in line with postfix-local configuration"

is the most challenging part : any work-around can (and often will lead) to a less secure Dovecot setup and configuration.

Also note that your remark

* needs to be re-applied every time dovecot is restarted

is probably related to the missing service declaration - as far as I know of, a proper service declaration will make sure that everything is set right at Dovecot restart.

Kind regards........
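Point 1 above, a proper declaration of the stats service so that Dovecot itself recreates the socket with the intended user, group and mode on every restart, can be illustrated with the following fragment. It is an added example, not Plesk's shipped configuration and not something posted in the thread; it assumes Dovecot 2.3 conf.d syntax, that dovecot-lda (postfix-local) runs as popuser:popuser as stated earlier in the thread, and the filename is an assumption.

```conf
# Added illustration, not Plesk's own config. Assumes Dovecot 2.3 syntax and
# popuser:popuser as the user/group of dovecot-lda (postfix-local).
# Assumed filename: /etc/dovecot/conf.d/99-stats-writer.conf

# Workaround state from the thread, shown for contrast rather than as config:
#   chmod 0666 /var/run/dovecot/stats-writer
# leaves the socket writable by every local account and is undone at each
# Dovecot restart, because nothing in the configuration declares it.

# Declared alternative: the writer socket belongs to the LDA's own user and
# group and is group-writable only. Dovecot applies this whenever it
# (re)creates the socket, so no chown/chmod after restart is needed.
service stats {
  unix_listener stats-writer {
    user  = popuser
    group = popuser
    mode  = 0660
  }
}
```

After adding it, check the merged result with `doveconf -n` and restart Dovecot. One caveat: if other Dovecot processes that write stats (imap, pop3) run under a different user on the host, `group` must be one they share, otherwise the same "Permission denied" moves from the LDA to those processes.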
 
@trialotto

That is why it is called a "work-around": a quick fix that fixes the problem for now, it is not a "permanent solution".

A permanent solution would be, as you described, changing the group structure and/or config.
In a 666 rights structure, every user or group on the server can access it, true ... but ... if you have a local user that has access to /var/run/dovecot/ then you have a far bigger security issue than some local user being able to access e-mail stats.

regards
Jan
 
@Linulex, Jan

Nice to brainstorm about a potential (complete) solution.

I am not sure (since I did not test all config options fully) ..... but ..... there is a danger in modifying stats-writer ownership structure - after all, postfix-local (i.e. dovecot-lda) is running on popuser : popuser and, as far as I know, the config structure of dovecot-lda (and hence postfix-local) is only allowing for same user/group in order to have the full dovecot-lda, including services like stats or anvil, working properly.

I am not certain about this, though.

I suppose your solution suppresses the log entries containing the "permission denied" warning - but does the stats service actually do something?

Would be glad to hear some feedback from you.

Kind regards........
 
@trialotto

If you run "doveadm who" you see that the stats service does "something" and stats are collected. If Plesk uses these stats, I don't know.

As far as I can see, there is no anvil configuration in /etc/postfix/main.cf, so the defaults apply of 100 connections every 60 secs.

regards
Jan
 
@Linulex

Stats service is - amongst others - used by anvil : without anvil config, the stats service is not of much value.

With respect to your other remark

As far as i can see, there are no anvil configuration on /etc/postfix/main.cf, so that defaults apply of 100 connections every 60 secs.

I must emphasize the following :

- anvil service for dovecot-lda (i.e. postfix-local) is configured by config files in /etc/dovecot (and not /etc/postfix),
- it is not sure whether the standard defaults are compiled into the custom package that Plesk Team creates.

In a couple of weeks, I will have more time and I will spend some time to dovecot config changes.

After all, it might be valuable to change things to secure dovecot and/or to introduce config for specific services like anvil and stats.

I am hoping that Plesk Team will have a look into this matter.

Kind regards.........
 
@trialotto

Dovecot anvil is configured by Plesk and some settings are even configurable from within Plesk: connections per IP, max IMAP connections, max POP3 connections etc...

It would be hard not to compile in defaults. Even if Plesk removes the standard defaults (that would mean changing a lot of code) then the default would become unlimited, which is also a default in itself.

As for the Postfix anvil: it would be nice to be able to configure the most important ones like SMTP connections per second etc...

regards
Jan
 
@Linulex

With all due respect, but one of us is mistaken - could be you or me.

There are some basics here, Plesk consists of

1 - Dovecot : IMAP / POP3 server
2 - Postfix : mail / smtp server
3 - Postfix-local : local mail server, which is a custom version of dovecot-lda (not the same as Dovecot!)

You probably know that, but it seems to be the case that we are having discussion where you talk about dovecot + postfix and I talk about postfix-local / dovecot-lda

Am I seeing it right and are there some misunderstandings here?

Regards........
 