Results 1 to 5 of 5

Thread: Dovecot submission failing after latest patches install

  1. #1
    Join Date
    May 2017
    Location
    New York
    Posts
    20

    Exclamation Dovecot submission failing after latest patches install

    This was working just fine until the latest patches were installed. Now I get the following error:

    Aug 12 20:32:26 phoenix dovecot[69835]: submission-login: Error: Aug 12 20:32:26 service(submission-login): Fatal: execv(/usr/lib/dovecot/submission-login) failed: Permission denied
    Aug 12 20:32:26 phoenix dovecot[69832]: master: Error: service(submission-login): command startup failed, throttling for 2.000 secs
    Aug 12 20:32:26 phoenix dovecot[69835]: submission-login: Fatal: master: service(submission-login): child 69878 returned error 84 (exec() failed)

    Has anybody come across this? Any known way to fix this?

    Thanks.

  2. #2
    Join Date
    May 2017
    Location
    New York
    Posts
    20

    Default Re: Dovecot submission failing after latest patches install

    Fixed, it was the apparmor virus... After removing and rebooting all is back to normal.

  3. #3
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,081

    Default Re: Dovecot submission failing after latest patches install

    Quote Originally Posted by cdieni View Post
    Fixed, it was the apparmor virus... After removing and rebooting all is back to normal.
    You really, REALLY should not remove apparmor on an internet facing server especially if it's acting as an open SMTP/IMAP server.

    Instead you should have looked at the apparmor profiles and fixed the issue instead. Although that should have already been taken of by the developer/packager.
    .: miuku #suse @ irc.freenode.net

  4. #4
    Join Date
    May 2017
    Location
    New York
    Posts
    20

    Cool Re: Dovecot submission failing after latest patches install

    Quote Originally Posted by Miuku View Post
    You really, REALLY should not remove apparmor on an internet facing server especially if it's acting as an open SMTP/IMAP server.

    Instead you should have looked at the apparmor profiles and fixed the issue instead. Although that should have already been taken of by the developer/packager.
    I would really, REALLY never expose a linux server to the Internet, not with apparmor not with an hardened linux firewall, or any other security distribution packages or third parties. Never! All my systems are behind a sophos UTM firewall, with SMTP/POP/IMAP proxies, anti-spam/virus filters, and an IPS. I do not need to go crazy in configuring each single server with these kind of cheap solutions when I can do it one-time on a high end firewall.

    I have given up on Apparmor a long time ago (practically from the beginning). If openSuSE cannot be bothered to ensure updates don't break the configurations, why should I?

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,579
    Blog Entries
    2

    Default Re: Dovecot submission failing after latest patches install

    Quote Originally Posted by cdieni View Post
    I would really, REALLY never expose a linux server to the Internet, not with apparmor not with an hardened linux firewall, or any other security distribution packages or third parties. Never! All my systems are behind a sophos UTM firewall, with SMTP/POP/IMAP proxies, anti-spam/virus filters, and an IPS. I do not need to go crazy in configuring each single server with these kind of cheap solutions when I can do it one-time on a high end firewall.

    I have given up on Apparmor a long time ago (practically from the beginning). If openSuSE cannot be bothered to ensure updates don't break the configurations, why should I?
    Running Linux today without Apparmor or SElinux is inadvisable... They are the standard "security by policy" ways to secure your system's internal security and not running one or the other leaves your system very, very vulnerable to malware. Other security measures like patching and firewalls contribute to "security in depth" and like good security by policy are essential to keeping your system in good shape.

    Security by policy is typically different and protects against different threats than the firewalls you describe, it protects primarily from threats from within instead of from other machines. You never know when malware might install by mistake and not always by attack, it can also happen by software coding mistakes, a corner scenario not seen before, a strange combination of circumstances, etc. Security by policy then would be your last and best defense against many unpredictable scenarios so is essential to a well running machine.

    If you have any specific Apparmor problems, it's not difficult to place your system in complain mode temporarily to identify the problem and then either fix the problem or modify the profile the error violates.

    Looks like openSUSE documentation has greatly expanded its Apparmor info... Which is good but don't let the large amount of information obscure how easy it should be to do what's necessary for your system.

    https://doc.opensuse.org/documentati...-apparmor.html

    Keep in mind that if your dovecot setup isn't handcrafted and is built using openSUSE packages, there's a reasonable chance you're simply missing a profile appropriate for your setup.

    If you prefer SELinux instead (I feel doubtful when securing a Server Application, but whatever may be your choice) you also have the option to disable Apparmor but enable SElinux instead. That should be an acceptable option but probably used more often to satisfy government requirements than a voluntary choice.

    If you run into obstacles either setting up or troubleshooting properly, go ahead and post for others to evaluate.
    And, if you are tasked specifically with the security of your machines, I really wouldn't advise leaving Apparmoer disabled, if a problem happens that would easily be identified in a post mortem.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •