Amavis fails to handle dropped LDAP connections
Quanah Gibson-Mount
quanah at zimbra.com
Tue Jan 22 20:50:09 CET 2013

This has been brought up before
(<http://marc.info/?l=amavis-user&m=113334817820237>), but this is an issue
that persists through today -- If the LDAP connection is dropped, and
amavis doesn't detect it, all mail is endlessly blocked until Amavis is
restarted.

Amavis should be able to gracefully handle lost connections without
requiring a restart. It is a basic tenet of doing persistent connections
to an LDAP server.

I've noticed this issue seems to most commonly occur when something like an
F5 load balancer is between the MTA and the LDAP Server. It will
(unfortunately) close the connection in such a way that Amavis still thinks
the LDAP connection is alive.

Looking at the amavis code, the problem appears to be in the do_search
function, specifically this block:

    } or do {
      my $err = $@ ne '' ? $@ : "errno=$!";  chomp $err;
      die $err  if $err =~ /^timed out\b/;  # resignal timeout
      if ($err !~ /^LDAP_/) {
        die "do_search: $err";
      } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
                               TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER)\z/x) {
        die "do_search: failed: $error_name\n";
      } else {  # LDAP related error, worth retrying

The error Amavis gets when this scenario occurs is:

    Nov 9 12:02:03 mta amavis[5021]: (05021-02) (!)lookup_ldap: do_search: failed: LDAP_OPERATIONS_ERROR

Since this does not match any of the above, it never retries. It should
also retry when it gets OPERATIONS_ERROR:

      } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
                               TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER|OPERATIONS_ERROR)\z/x) {

--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
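
Added example, not part of the original post and not amavis code: a self-contained Perl illustration of the behaviour described above, comparing the retry list quoted in the post with the extended list when a persistent handle has gone stale. `MockLDAP` and `search_with_retry` are hypothetical names, and the mock stands in for a real LDAP client so the script runs without a server.

```perl
#!/usr/bin/perl
# Constructed mock; no Net::LDAP or LDAP server required.
use strict;
use warnings;

# Retryable error names: the list quoted in the post, and the same list
# with the OPERATIONS_ERROR addition the post proposes.
my $orig_re = qr/^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
                 TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER)\z/x;
my $patched_re = qr/^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
                 TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER|OPERATIONS_ERROR)\z/x;

# Hypothetical stand-in for a persistent LDAP handle. A handle created
# with stale => 1 models a connection silently closed by a middlebox.
package MockLDAP {
  sub new {
    my ($class, %args) = @_;
    return bless { stale => $args{stale} // 0 }, $class;
  }
  sub search {
    my ($self) = @_;
    return $self->{stale} ? 'LDAP_OPERATIONS_ERROR' : 'LDAP_SUCCESS';
  }
}

# Search with reconnect-and-retry. The attempt count is bounded so that a
# genuine server-side operations error cannot loop forever. Returns the
# number of attempts used; dies on a non-retryable error name.
sub search_with_retry {
  my ($conn_ref, $retry_re, $max_tries) = @_;
  for my $try (1 .. $max_tries) {
    my $error_name = $$conn_ref->search;
    return $try if $error_name eq 'LDAP_SUCCESS';
    die "do_search: failed: $error_name\n" if $error_name !~ $retry_re;
    $$conn_ref = MockLDAP->new;   # discard the dead handle and reconnect
  }
  die "do_search: giving up after $max_tries tries\n";
}

for my $case (['original list', $orig_re], ['with OPERATIONS_ERROR', $patched_re]) {
  my ($label, $re) = @$case;
  my $conn  = MockLDAP->new(stale => 1);
  my $tries = eval { search_with_retry(\$conn, $re, 3) };
  if (defined $tries) { print "$label: ok after $tries tries\n" }
  else { my $err = $@; chomp $err; print "$label: $err\n" }
}
```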