[SOLVED] Dovecot loads of ' PAM unable to dlopen...' messages
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
@sportsman That is fair. And I also knew it was a workaround. I saw that the default number of requests was 100 so I started lowering the value. I have now set the max_requests to 5 which still works. 6 did also work but with a value of 7 the problem occurred again. Thanks for pointing this out.
I also noticed that dovecot was noticeably faster when using caching. So I enabled both.
The PAM — Dovecot documentation states the following: "Usually in other software PAM is used to do only a single lookup in a process, so PAM plugin writers haven’t done much testing on what happens when multiple lookups are done. Because of this, many PAM plugins leak memory and possibly have some other problems when doing multiple lookups. If you notice that PAM authentication stops working after some time, you can limit the number of lookups done by the auth worker process before it dies".
So I think a more correct solution is to "Limiting the number of PAM lookups" rather than "Caching".
My auth-system.conf.ext configuration looks like this:
Well thank you for this. It seems that this really solves the issue. I've implemented this and let the Iranians have a go at my server (they're still trying) and have things running smoothly for like 10 hours now. I see a lot of failed logins in the log (and some succesful ones from regular users) but no more error messages.
Though I still find it strange that this bug now turns up after several years (server has been around for a while; it started out at openSUSE 15.0). Hopefully it will still be fixed in the future.
OT: I do wonder why you are not using fail2ban to keep the Iranians out @lpwevers. Both at home and at work we have that running with great success. We implemented the incremental ban feature and use ipset to keep the firewall rules uncluttered.
OT: I do wonder why you are not using fail2ban to keep the Iranians out @lpwevers. Both at home and at work we have that running with great success. We implemented the incremental ban feature and use ipset to keep the firewall rules uncluttered.
Regards,
Jurriaan
Oh but I am using fail2ban to keep them out. The issue was that, without the max_requests=1 parameter in place dovecot would still crash, before fail2ban was able to block them all. The attacks came from the whole 46.148.40.0/24 IP range and it took only like 10 of them to crash the server.
I observed the very same issue, and I do confirm that the workarounds described above (limiting the number of requests to 2 and enabling caching) do hide the problem on my system, too.
Good.
Still; debatable for how long.
I traced down the cause to the recent glibc updates: glibc 's latest leap 15.4 / 15.5-releases introduced the problem:
glibc 2.31-150300.58.1 does trigger the errors, glibc 2.31-150300.52.2 does not.
For a week or two, I locked the library on 2.31-150300.52.2 until I could figure it out in more detail.
The workaround discussed here seems much smarter than my resort of locking glibc to an outdated version.
Now, does perhaps anyone know what changed between 2.31-150300.58.1 and 2.31-150300.52.2, so that the bug could be reported and fixed?
Last edited by slestersofmercy; 10-16-2023 at 09:00 AM.
Would any of you know if there is a glibc bug report already filed for this? Or any other bug report already filed?
I'm not a Dovecot user, but I hit this same bug using Postfix + Cyrus SASL (saslauthd)
Fail2ban seemed to make this issue more "known" for us as our Fail2ban setup started banning legitimate internal IPs, but only because they were getting authentication failures caused by this bug.
I have attempted, but do not have a great workaround for Cyrus/saslauthd. Hoping there is a bug report and the source of the issue is fixed soon!
Distributions may include their own modifications to glibc in the binaries and sources you get with the operating system. If the glibc you are using comes from a complete operating system distribution, you should report bugs to that distribution project first. Your distribution's own documentation and web pages should refer you to their bug-reporting system.
Among the 179 open bug reports tagged "glibc" there, I haven't found it yet.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.