<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Andre,</div><div><br></div><div>Thanks for the info!! Two questions since SASL is still new to me:</div><div><br></div><div>1) How many processes should I have running? Is there an option somewhere to adjust this or see it?</div><div><br></div><div>2) I installed haveged, but the process instantly crashes and tells me a subsystem is locked when I try to restart it. Any ideas on that? (On CentOS 6)</div><div><br></div><div><br></div><div>Thanks again!<br><br>- Paul</div><div><br>On Sep 11, 2015, at 2:59 PM, Andre Felipe Machado <<a href="mailto:andremachado@techforce.com.br">andremachado@techforce.com.br</a>> wrote:<br><br></div><blockquote type="cite"><div><p>Hello,</p>
<p>By your numbers it seems that your machine is able to generate random numbers at a good speed. But the problem is WHEN and HOW OFTEN.</p>
<p>AFAIK, the Linux kernel waits too long to trigger the process to generate random numbers, and fast-paced process spawning or SSL connections could deplete the pool before the process is triggered again.</p>
<p>This is the problem that haveged could solve, by triggering random number generation at a higher threshold and at a higher frequency.</p>
<p><a href="http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/">http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/</a></p>
<p>Well, it is only ONE of the possible causes of your problem. Unfortunately, it is an obscure one and difficult to identify because it does not generate errors, crashes or logs. Simply slowness.</p>
<p>Have you checked disk latency? Do your servers have enough SASL processes?</p>
<p>We use Debian and did not find haveged installation issues, so you will have to search a bit more about your running errors.</p>
<p>Regards.</p>
<p>Andre Felipe</p>
<p><a href="http://www.techforce.com.br">http://www.techforce.com.br</a></p>
<p> </p>
<p>Paul Bronson <<a href="mailto:signaldeveloper@gmail.com">signaldeveloper@gmail.com</a>> wrote ..</p>
<blockquote>
<div dir="ltr">Guys,
<div> </div>
<div>I ran cat /dev/urandom | rngtest -c 1000</div>
<div> </div>
<div>and got:</div>
<div> </div>
<div>
<div>rngtest: starting FIPS tests...</div>
<div>rngtest: bits received from input: 20000032</div>
<div>rngtest: FIPS 140-2 successes: 998</div>
<div>rngtest: FIPS 140-2 failures: 2</div>
<div>rngtest: FIPS 140-2(2001-10-10) Monobit: 0</div>
<div>rngtest: FIPS 140-2(2001-10-10) Poker: 0</div>
<div>rngtest: FIPS 140-2(2001-10-10) Runs: 1</div>
<div>rngtest: FIPS 140-2(2001-10-10) Long run: 1</div>
<div>rngtest: FIPS 140-2(2001-10-10) Continuous run: 0</div>
<div>rngtest: input channel speed: (min=22.980; avg=501.129; max=19073.486)Mibits/s</div>
<div>rngtest: FIPS tests speed: (min=98.317; avg=121.603; max=131.541)Mibits/s</div>
<div>rngtest: Program run time: 198018 microseconds</div>
</div>
<div> </div>
<div> </div>
<div>Does this look bad to you considering all of my slow SASL auths? (No haveged is on at this point... available entropy is between 131 - 160... pool size is default 4096.)</div>
<div> </div>
<div>I also tried installing haveged, which worked fine, but as soon as I started the service it said something like process dead, sub sys locked... ? Sorry, entropy is fairly new to me.</div>
<div> </div>
<div> </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 10, 2015 at 5:24 PM, <span dir="ltr"><<a href="reply_mail.cgi?new=1&to=signaldeveloper%40gmail%2Ecom" target="_blank">signaldeveloper@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">Andre,<br> <br> Really? What should it be? I was curious and checked... Entropy on some of my other big-time production servers for email is only about 200 and it's lightning fast?<br> <span class="HOEnZb"><span style="color: #888888;"><br> - Paul<br> </span></span>
<div class="HOEnZb">
<div class="h5"><br> > On Sep 10, 2015, at 5:00 PM, Andre Felipe Machado <<a href="reply_mail.cgi?new=1&to=andremachado%40techforce%2Ecom%2Ebr">andremachado@techforce.com.br</a>> wrote:<br> ><br> > Hello,<br> > Entropy of 158 is way too low for production servers. And this *MAY* cause weird<br> > slowness without logging any errors.<br> > You could install "haveged" and configure for max threshold levels on production<br> > servers.<br> > <a href="https://packages.debian.org/search?keywords=haveged" target="_blank" rel="noreferrer">https://packages.debian.org/search?keywords=haveged</a><br> ><br> > Regards.<br> ><br> > Andre Felipe<br> > <a href="http://www.techforce.com.br" target="_blank" rel="noreferrer">http://www.techforce.com.br</a><br> ><br> ><br> ><br> > <a href="reply_mail.cgi?new=1&to=signaldeveloper%40gmail%2Ecom">signaldeveloper@gmail.com</a> wrote ..<br>
 >> Rudy,<br> >><br> >> Entropy is 158 I just looked. And as far as compiling against urandom, to be honest I'm not sure.<br> >><br> >> - Paul<br> >><br> >><br> >><br> >><br> >>> On Sep 6, 2015, at 9:50 PM, Rudy Gevaert <<a href="mailto:Rudy.Gevaert@UGent.be">Rudy.Gevaert@UGent.be</a>> wrote:<br> >>><br> >>><br> >>> Quoting <a href="reply_mail.cgi?new=1&to=signaldeveloper%40gmail%2Ecom">signaldeveloper@gmail.com</a>, Mon, 07 Sep 2015:<br> >>><br> >>>> Hosts file is fine I checked that, thanks. Kolab uses 389 to<br> >>>> authenticate for everything, so Cyrus is using LDAP as you can see<br> >>>> above. I think the problem lies in the constant TLS logins into<br> >>>> Cyrus for every click:<br> >>>><br>
 >>>> imap[2281]: login: localhost [::1] <a href="reply_mail.cgi?new=1&to=johndoe%40domain%2Ecom">johndoe@domain.com</a> PLAIN+TLS User<br> >>>> logged in<br> >>>> SESSIONID=<<a href="http://es1.domain.com">es1.domain.com</a>-2281-1441500890-1-15740725055571902363><br> >>>> Sep 5 20:54:51 es1 imap[2281]: USAGE <a href="reply_mail.cgi?new=1&to=johndoe%40domain%2Ecom">johndoe@domain.com</a> user:<br> >>>> 0.009998 sys: 0.006999<br> >>>><br> >>>><br> >>>> Again it's only one user, on roundcube... I am afraid to put any more<br> >>>> users on it. There doesn't seem to be much of performance tweaks<br> >>>> with Cyrus around the web either...<br> >>><br> >>> does your system have enough entropy?<br> >>><br> >>> Is saslauthd compiled against /dev/urandom?<br> >>><br> >>> Rudy<br> >>><br> >>> --<br>
 >>> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --<br> >>> Rudy Gevaert e-mail: <a href="mailto:Rudy.Gevaert@UGent.be">Rudy.Gevaert@UGent.be</a><br> >>> Directie ICT, Afdeling Infrastructuur<br> >>> Groep Systemen tel: <a href="tel:%2B32%209%20264%204750">+32 9 264 4750</a><br> >>> Universiteit Gent fax: <a href="tel:%2B32%209%20264%204994">+32 9 264 4994</a><br> >>> Krijgslaan 281, gebouw S9, 9000 Gent, Belgie <a href="http://www.UGent.be" target="_blank" rel="noreferrer">www.UGent.be</a><br> >>> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --<br> >>><br> >>><br>
 >>> ----<br> >>> Cyrus Home Page: <a href="http://www.cyrusimap.org/" target="_blank" rel="noreferrer">http://www.cyrusimap.org/</a><br> >>> List Archives/Info: <a href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/" target="_blank" rel="noreferrer">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a><br> >>> To Unsubscribe:<br> >>> <a href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus" target="_blank" rel="noreferrer">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a></div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<p> </p>
</div></blockquote></body></html>