Monit failing to connect to Dovecot over SSL IMAP
I run Monit to keep check on processes on a Debian server. It's working as normal for all other services (Apache SSL, Postfix, SSH etc.) but Monit's checks on Dovecot are failing repeatedly. I think this may have started after installing some package updates, but I'm not sure when.
Dovecot is working correctly for client connections as email is still working. I've tried testing with openssl s_client and all seems fine for SSLv3, TLS1.1 and TLS1.2 from there too.
Dovecot section from /etc/monit/monitrc:
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/usr/sbin/service dovecot start"
stop program = "/usr/sbin/service dovecot stop"
if failed port 993 type tcpssl sslauto protocol imap then unmonitor
When I enable monitoring of Dovecot I get this message in /var/log/monit:
'dovecot' failed protocol test [IMAP] at INET[localhost:993] via TCPSSL -- IMAP: error receiving data -- Success
I thought it might be something like this: https://secure.kitserve.org.uk/content/ssl-tls-version-conflict-zarafa-monit. I've tried replacing 'sslauto' with each of these options in turn, with no luck: SSLV2|SSLV3|TLSV1|TLSV11|TLSV12
The Monit documentation I've been referring to is here: http://mmonit.com/monit/documentation/#connection_testing
Thanks in advance
The problem is caused by http://osdir.com/ml/ubuntu-security-announce/2014-05/msg00023.html as TomDogg mentioned.
This forum has more detail: http://comments.gmane.org/gmane.comp.monitoring.monit.general/7378
FYI, the problem is the same even if you try it with POP instead of IMAP.
Here are the possible solutions:
1. Apply these 2 patches or wait for them to be part of the mainstream release:
   http://hg.dovecot.org/dovecot-2.2/rev/09d3c9c6f0ad
   http://hg.dovecot.org/dovecot-2.2/rev/7129fe8bc260
2. Monitor either pop or imap without SSL as Sebastian S mentioned in his answer:
   if failed host localhost port 143 type tcp protocol imap then restart
3. Monitor the port only without imap or pop as kexik suggested:
   if failed port 993 for 5 cycles then restart
Option 1 is the only real solution, as the other two force you to test something different from what you were hoping to test, but they do at least easily provide a similar test while you wait for the update.
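Added example (not part of the answer above): a small POSIX shell script that does by hand what Monit's "protocol imap" test over TCPSSL does, namely open a TLS session to port 993 and expect an untagged "* OK" IMAP greeting, so the "error receiving data" failure can be reproduced and examined outside Monit. The script path and the Monit "check program" stanza in the comments are assumptions for illustration, not from the original page.

```shell
#!/bin/sh
# Manual equivalent of Monit's IMAP-over-TLS protocol test.
# Assumed (hypothetical) wiring into Monit via a program check:
#   check program dovecot-imaps with path "/usr/local/bin/check-imaps.sh run"
#       if status != 0 then alert

# imap_greeting_ok LINE -> exit 0 if LINE is an untagged IMAP "* OK" greeting,
# which is what Monit waits for right after the TLS handshake.
imap_greeting_ok() {
    case "$1" in
        "* OK"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_imaps HOST PORT -> exit 0 if a TLS session to HOST:PORT yields an IMAP
# greeting, 1 if the handshake fails or nothing arrives within 10 seconds
# (the "error receiving data" situation from the question).
check_imaps() {
    host=${1:-localhost}; port=${2:-993}
    # -quiet drops the certificate dump and keeps the session open after stdin
    # EOF; sending LOGOUT makes the server close the connection cleanly.
    greeting=$(printf 'a1 LOGOUT\r\n' \
        | timeout 10 openssl s_client -quiet -connect "$host:$port" 2>/dev/null \
        | head -n 1)
    if imap_greeting_ok "$greeting"; then
        echo "OK: $greeting"
        return 0
    fi
    echo "FAIL: no IMAP greeting from $host:$port (got: '${greeting:-nothing}')"
    return 1
}

# The live check only runs when invoked with "run", so the functions above
# can also be sourced and tested without network access.
if [ "${1:-}" = "run" ]; then
    check_imaps "${2:-localhost}" "${3:-993}"
    exit $?
fi
```

To compare against the plaintext workaround, run the same script with port 143 after swapping openssl s_client for a plain TCP client such as nc; the greeting check is identical.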
If you want to monitor dovecot in general, you might consider monitoring port 143 without SSL by using the following configuration:
if failed host localhost port 143 type tcp protocol imap then restart