TLS/SSL failures
    Tuomas Toropainen 
    tuomas.toropainen at lanwan.fi
       
    Wed Mar 28 02:05:55 EST 2007
    
    
  
Good morning
Our cyrus is occasionally logging the following errors:
---8<---
Mar 26 19:11:06 server cyrus/imapsext[13333]: imaps TLS negotiation failed: [client.ip.address]
Mar 26 19:11:06 server cyrus/imapsext[13333]: Fatal error: tls_start_servertls() failed
---8<---
I have ignored these errors until the day before yesterday, when 
something happened. The SSL-wrapped imap service stopped responding and only 
logged those 2 lines for (every?) connection attempt. Restarting cyrus 
fixed the problem. There is a chance that this was caused by a too-low 
maxchild setting in /etc/cyrus.conf, but I'm not sure. It doesn't seem 
intuitive that cyrus logs TLS errors when maxchild is reached, though.
Here is imapd.conf:
---8<---
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
servername: server.name.domain
duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
imapidresponse: no
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/private/server.key
tls_ca_file: /etc/ssl/certs/server-cacert.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/spool/postfix/extern/cyrus/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
---8<---
And cyrus.conf
---8<---
START {
         recover         cmd="/usr/sbin/ctl_cyrusdb -r"
         delprune        cmd="/usr/sbin/cyr_expire -E 3"
         tlsprune        cmd="/usr/sbin/tls_prune"
}
SERVICES {
         imapext         cmd="imapd -U 30" listen="ip.address:imap" prefork=0 maxchild=500
         imapsext        cmd="imapd -s -U 30" listen="ip.address:imaps" prefork=0 maxchild=500
         imaplocal       cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=500
         imapslocal      cmd="imapd -s -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imaps" prefork=0 maxchild=100
         lmtpunix        cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=1 maxchild=20
         sieve           cmd="timsieved -C /etc/imapd.conf.localhost" listen="localhost:sieve" prefork=0 maxchild=100
         notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
         delprune        cmd="/usr/sbin/cyr_expire -E 3" at=0401
         tlsprune        cmd="/usr/sbin/tls_prune" at=0401
         squatter_1      cmd="/usr/bin/nice -n 19 /usr/sbin/squatter -s" period=120
         squatter_a      cmd="/usr/sbin/squatter" at=0517
}
---8<---
Cyrus version:
name       : Cyrus IMAPD
version    : v2.2.13-Debian-2.2.13-10 2006/11/13 16:17:53
vendor     : Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os         : Linux
os-version : 2.6.18-3-686-bigmem
environment: Built w/Cyrus SASL 2.1.22
              Running w/Cyrus SASL 2.1.22
              Built w/Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
              Running w/Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
              Built w/OpenSSL 0.9.8c 05 Sep 2006
              Running w/OpenSSL 0.9.8c 05 Sep 2006
              CMU Sieve 2.2
              TCP Wrappers
              NET-SNMP
              mmap = shared
              lock = fcntl
              nonblock = fcntl
              idle = poll
Thank you for help :)
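The post distinguishes two situations that produce the same two log lines: the occasional, harmless "TLS negotiation failed" from a single client, and the outage where every connection attempt to the SSL-wrapped service fails until cyrus is restarted. The script below is an added example, not code from the post or from the Cyrus project: it parses syslog lines in the format shown above (syslog_prefix "cyrus" as in the poster's imapd.conf), counts TLS failures per minute and per client for the imaps* services from the poster's cyrus.conf, and flags minutes in which several negotiations failed and nothing else succeeded. The sample log lines, the client addresses, the "login:" and "master" lines, and the threshold of three failures are constructed for the example.

```python
"""Added example: spot a burst of Cyrus "TLS negotiation failed" errors on the
SSL-wrapped imaps services and separate it from the occasional single failure.
All sample log lines below are constructed; only the two failure messages
follow the format quoted in the post."""
import re
from collections import Counter, defaultdict

# syslog prefix, cyrus service name (syslog_prefix "cyrus"), pid, message
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) cyrus/(?P<service>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TLS_FAIL_RE = re.compile(r"TLS negotiation failed: \[(?P<client>[^\]]+)\]")
FATAL_MSG = "Fatal error: tls_start_servertls() failed"

# Constructed sample: one isolated failure at 19:11 next to a successful
# login, then three failures in a row at 19:30 with no success in between.
SAMPLE_LOG = """\
Mar 26 19:11:06 server cyrus/imapsext[13333]: imaps TLS negotiation failed: [192.0.2.10]
Mar 26 19:11:06 server cyrus/imapsext[13333]: Fatal error: tls_start_servertls() failed
Mar 26 19:11:09 server cyrus/imapsext[13334]: login: [192.0.2.11] alice PLAIN+TLS User logged in
Mar 26 19:11:40 server cyrus/imapext[13335]: login: [127.0.0.1] bob PLAIN User logged in
Mar 26 19:30:02 server cyrus/imapsext[14001]: imaps TLS negotiation failed: [192.0.2.20]
Mar 26 19:30:02 server cyrus/imapsext[14001]: Fatal error: tls_start_servertls() failed
Mar 26 19:30:15 server cyrus/imapsext[14002]: imaps TLS negotiation failed: [192.0.2.21]
Mar 26 19:30:15 server cyrus/imapsext[14002]: Fatal error: tls_start_servertls() failed
Mar 26 19:30:41 server cyrus/imapsext[14003]: imaps TLS negotiation failed: [192.0.2.20]
Mar 26 19:30:41 server cyrus/imapsext[14003]: Fatal error: tls_start_servertls() failed
Mar 26 19:31:05 server cyrus/master[1234]: process 14003 exited, status 75
"""


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not a cyrus line.
    Adds a per-minute key (no year in syslog, so it stays a string) and a
    'kind' of tls_fail, tls_fatal or other."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = f"{rec['mon']} {rec['day']} {rec['time'][:5]}"
    fail = TLS_FAIL_RE.search(rec["msg"])
    rec["client"] = fail.group("client") if fail else None
    if fail:
        rec["kind"] = "tls_fail"
    elif rec["msg"] == FATAL_MSG:
        rec["kind"] = "tls_fatal"
    else:
        rec["kind"] = "other"
    return rec


def summarize(lines):
    """Count event kinds per minute and TLS failures per client, restricted
    to the SSL-wrapped services (imapsext, imapslocal) from cyrus.conf."""
    per_minute = defaultdict(Counter)
    per_client = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["service"].startswith("imaps"):
            continue
        per_minute[rec["minute"]][rec["kind"]] += 1
        if rec["kind"] == "tls_fail":
            per_client[rec["client"]] += 1
    return per_minute, per_client


def outage_minutes(lines, min_failures=3):
    """Minutes where at least min_failures negotiations failed on imaps*
    and no other imaps* event (e.g. a successful login) was logged: the
    pattern of the outage the post describes, as opposed to one bad client."""
    per_minute, _ = summarize(lines)
    return sorted(
        minute for minute, counts in per_minute.items()
        if counts["tls_fail"] >= min_failures and counts["other"] == 0
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_minute, per_client = summarize(lines)
    for minute in sorted(per_minute):
        print(minute, dict(per_minute[minute]))
    print("failures per client:", dict(per_client))
    print("suspected outage minutes:", outage_minutes(lines))
```

On a real system the script would read /var/log/mail.log (or wherever syslog places the cyrus facility) instead of SAMPLE_LOG; the per-client counter separates one misconfigured client that fails every time from the case where every client fails, and the minute filter fires only on the second.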