I run Monit to keep check on processes on a Debian server. It's working as normal for all other services (Apache SSL, Postfix, SSH etc.) but Monit's checks on Dovecot are failing repeatedly. I think this may have started after installing some package updates, but I'm not sure when.
Dovecot is working correctly for client connections as email is still working. I've tried testing with open_ssl s_client and all seems fine for SSLv3, TLS1.1 and TLS1.2 from there too.
Dovecot section from /etc/monit/monitrc:
check process dovecot with pidfile /run/dovecot/master.pid
start program = "/usr/sbin/service dovecot start"
stop program = "/usr/sbin/service dovecot stop"
if failed port 993 type tcpssl sslauto protocol imap then unmonitor
When I enable monitoring of Dovecot I get this message in /var/log/monit:
'dovecot' failed protocol test [IMAP] at INET[localhost:993] via TCPSSL -- IMAP: error receiving data -- Success
I thought it might be something like this https://secure.kitserve.org.uk/content/ssl-tls-version-conflict-zarafa-monit but I've tried replacing 'sslauto' with all of these options in turn, but with no luck: SSLV2|SSLV3|TLSV1|TLSV11|TLSV12
The Monit documentation I've been referring to is here:
http://mmonit.com/monit/documentation/#connection_testing
Thanks in advance
Best Answer
The problem is caused by http://osdir.com/ml/ubuntu-security-announce/2014-05/msg00023.html as TomDogg mentioned.
This forum has more detail: http://comments.gmane.org/gmane.comp.monitoring.monit.general/7378
FYI, the problem is the same even if you try is with POP instead of IMAP.
Here are the possible solutions:
Apply these 2 patches or wait for them to be part of the mainstream release:
Monitor either pop or imap without SSL as Sebastian S mentioned in his answer.
Monitor the port only without imap or pop as kexik suggested
Option 1 is the only real solution as the other two force the you to test something different that you were hoping to test, but they do at least easily provide a similar test while you wait for the update.