Package: mailutils-imap4d
Version: 1:0.6.1-4sarge2
Severity: critical
Justification: causes serious data loss

Background

I've been using gnu-imap4d for over a year. Several months back, one of my users had their mailbox corrupted twice when using balsa over IMAP. Both times it appeared that she might have had Pine open on the mailbox (via a shell window) at the same time. I didn't know which thing was at fault, pine or imap4d, so I restored from backup and set up some log watchers.

Today the log appeared to show that another user's mailbox had been chewed during IMAP access. He was accessing either from Outlook Express or from his mobile phone, either way all access over IMAP, none local. Looks like the client was misbehaving somewhat in opening several IMAP connections in quick succession, but irrespective of that, imap4d showed that it has no awareness of multiple access even amongst itself, let alone from non-IMAP sources.

The log shows four overlapping sessions:

Jan 31 09:05:08 kali gnu-imap4d[26773]: Incoming connection opened
Jan 31 09:05:08 kali gnu-imap4d[26773]: Connect from 149.254.200.215
Jan 31 09:05:11 kali gnu-imap4d[26773]: User `marky' logged in
Jan 31 09:05:14 kali gnu-imap4d[26774]: Incoming connection opened
Jan 31 09:05:14 kali gnu-imap4d[26774]: Connect from 149.254.200.215
Jan 31 09:05:25 kali gnu-imap4d[26774]: User `marky' logged in
Jan 31 09:08:17 kali gnu-imap4d[26775]: Incoming connection opened
Jan 31 09:08:17 kali gnu-imap4d[26775]: Connect from 149.254.200.215
Jan 31 09:08:19 kali gnu-imap4d[26775]: User `marky' logged in
Jan 31 09:08:21 kali gnu-imap4d[26776]: Incoming connection opened
Jan 31 09:08:21 kali gnu-imap4d[26776]: Connect from 149.254.200.215
Jan 31 09:08:23 kali gnu-imap4d[26776]: User `marky' logged in
Jan 31 09:11:58 kali gnu-imap4d[26776]: Session terminating for user: marky
Jan 31 09:13:56 kali gnu-imap4d[26774]: Error reading from input file: Connection reset by peer
Jan 31 09:13:56 kali gnu-imap4d[26774]: No socket to send to
Jan 31 09:14:23 kali gnu-imap4d[26773]: Error reading from input file: Connection reset by peer
Jan 31 09:14:23 kali gnu-imap4d[26773]: * BAD : Mailbox corrupted, shrank size
Jan 31 09:14:24 kali gnu-imap4d[26773]: No socket to send to
Jan 31 09:38:40 kali gnu-imap4d[26775]: Got signal Alarm clock
Jan 31 09:38:40 kali gnu-imap4d[26775]: Session timed out for user: marky

Fortunately, after initial investigation, it would appear that there is no genuine corruption this time. My guess is the user may have deleted some of his mail in the innermost session (26776), which 26773 was unaware of when it detected the shrunk mailbox.

The manpage for imap4d suggests it can use some sort of external locking mutex, but this isn't configured for Debian by default. I have no idea what the correct settings should be to make imap4d aware of itself and other MUAs accessing the mailbox, but it seems likely that this lack of awareness/locking is what led to the original mailbox corruption some months ago.

In the meantime I am going to replace mailutils-imap4d with uw-imapd and see if that fares any better!

Regards,
Ben

-- System Information:
Debian Release: 3.1
Architecture: i386 (i586)
Kernel: Linux 2.4.27-2-k6
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailutils-imap4d depends on:
ii  libc6             2.3.2.ds1-22       GNU C Library: Shared libraries an
ii  libcomerr2        1.37-2sarge1       common error description library
ii  libgcrypt11       1.2.0-11.1         LGPL Crypto library - runtime libr
ii  libgdbm3          1.8.3-2            GNU dbm database routines (runtime
ii  libgnutls11       1.0.16-13.1        GNU TLS library - runtime library
ii  libgpg-error0     1.0-1              library for common error values an
ii  libgsasl7         0.2.5-1            GNU SASL library
ii  libidn11          0.5.13-1.0         GNU libidn library, implementation
ii  libkrb53          1.3.6-2sarge2      MIT Kerberos runtime libraries
ii  libmailutils0     1:0.6.1-4sarge2    GNU Mail abstraction library
ii  libmysqlclient12  4.0.24-10sarge1    mysql database client library
ii  libpam0g          0.76-22            Pluggable Authentication Modules l
ii  libtasn1-2        0.2.10-3           Manage ASN.1 structures (runtime)
ii  netbase           4.21               Basic TCP/IP networking system
ii  zlib1g            1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information
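
A log watcher for the pattern in the report above, as an added example that is not part of the original message or of mailutils: it tracks imap4d sessions by PID and, when a session logs "Mailbox corrupted", lists every other session of the same user that overlapped with it. The function name `analyse` is hypothetical, and treating the three messages in `END` as the end of a session is an assumption based only on the log shown.

```python
import re

# Abridged from the log in the report above (connect/error lines dropped).
SAMPLE = """\
Jan 31 09:05:11 kali gnu-imap4d[26773]: User `marky' logged in
Jan 31 09:05:25 kali gnu-imap4d[26774]: User `marky' logged in
Jan 31 09:08:19 kali gnu-imap4d[26775]: User `marky' logged in
Jan 31 09:08:23 kali gnu-imap4d[26776]: User `marky' logged in
Jan 31 09:11:58 kali gnu-imap4d[26776]: Session terminating for user: marky
Jan 31 09:13:56 kali gnu-imap4d[26774]: No socket to send to
Jan 31 09:14:23 kali gnu-imap4d[26773]: * BAD : Mailbox corrupted, shrank size
Jan 31 09:14:24 kali gnu-imap4d[26773]: No socket to send to
Jan 31 09:38:40 kali gnu-imap4d[26775]: Session timed out for user: marky
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ gnu-imap4d\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^User `([^']+)' logged in$")
# Assumption: these three messages mark the end of a session's mailbox access.
END = ("Session terminating for user", "Session timed out for user", "No socket to send to")

def analyse(lines):
    """Return (peak concurrent sessions per user, corruption alerts)."""
    owner, active, overlap = {}, set(), {}  # pid->user, live pids, pid->pids seen alongside
    peak, alerts = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        login = LOGIN.match(msg)
        if login:
            user = login.group(1)
            peers = {p for p in active if owner[p] == user and p != pid}
            owner[pid], overlap[pid] = user, set(peers)  # reset on PID reuse
            for p in peers:
                overlap[p].add(pid)
            active.add(pid)
            peak[user] = max(peak.get(user, 0), len(peers) + 1)
        elif msg.startswith(END):
            active.discard(pid)
        elif "Mailbox corrupted" in msg and pid in owner:
            # Report every session that shared the mailbox with this one.
            alerts.append((ts, pid, owner[pid], sorted(overlap[pid])))
    return peak, alerts

if __name__ == "__main__":
    for ts, pid, user, others in analyse(SAMPLE)[1]:
        print(f"{ts} pid {pid} ({user}): corruption; overlapped with pids {others}")
```

Because the alert lists sessions that had already ended, it includes 26776, the session the report suspects of deleting mail.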