Amavis fails to handle dropped LDAP connections

Quanah Gibson-Mount quanah at
Tue Jan 22 20:50:09 CET 2013

This has been brought up before 
(<>), but this is an issue 
that persists through today -- If the LDAP connection is dropped, and 
amavis doesn't detect it, all mail is endlessly blocked until Amavis is 

Amavis should be able to gracefully handle lost connections without 
requiring a restart.  It is a basic tenet of doing persistent connections 
to an LDAP server.

I've noticed this issue seems to most commonly occur when something like an 
F5 load balancer is between the MTA and the LDAP Server.  It will 
(unfortunately) close the connection in such a way that Amavis still thinks 
the LDAP connection is alive.

Looking at the amavis code, the problem appears to be in the do_search 
function, specifically this block:

  } or do {
    my $err = $@ ne '' ? $@ : "errno=$!";  chomp $err;
    die $err  if $err =~ /^timed out\b/;  # resignal timeout
    if ($err !~ /^LDAP_/) {
      die "do_search: $err";
    } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
                             TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER)\z/x) {
      die "do_search: failed: $error_name\n";
    } else {  # LDAP related error, worth retrying

The error Amavis gets when this scenario occurs is:

Nov  9 12:02:03 mta amavis[5021]: (05021-02) (!)lookup_ldap: do_search: 

Since this does not match any of the above, it never retries.  It should 
also retry when it gets OPERATIONS_ERROR:

    } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|



Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration

More information about the amavis-users mailing list