TLS/SSL failures

Tuomas Toropainen tuomas.toropainen at lanwan.fi
Wed Mar 28 02:05:55 EST 2007


Good morning

Our cyrus is occasionally logging the following errors:

---8<---
Mar 26 19:11:06 server cyrus/imapsext[13333]: imaps TLS negotiation failed: [client.ip.address]

Mar 26 19:11:06 server cyrus/imapsext[13333]: Fatal error: tls_start_servertls() failed
---8<---

I have ignored these errors until the day before yesterday, when 
something happened. The SSL-wrapped imap service stopped responding and only 
logged those 2 lines for (every?) connection attempt. Restarting cyrus 
fixed the problem. There is a chance that this was caused by a too-low 
maxchild setting in /etc/cyrus.conf, but I'm not sure. It doesn't seem 
intuitive that cyrus logs TLS errors when maxchild is reached, though.

Here is imapd.conf:

---8<---
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
servername: server.name.domain
duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
imapidresponse: no
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/private/server.key
tls_ca_file: /etc/ssl/certs/server-cacert.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/spool/postfix/extern/cyrus/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
---8<---

And cyrus.conf:

---8<---
START {
         recover         cmd="/usr/sbin/ctl_cyrusdb -r"

         delprune        cmd="/usr/sbin/cyr_expire -E 3"
         tlsprune        cmd="/usr/sbin/tls_prune"
}

SERVICES {
         imapext         cmd="imapd -U 30" listen="ip.address:imap" prefork=0 maxchild=500
         imapsext        cmd="imapd -s -U 30" listen="ip.address:imaps" prefork=0 maxchild=500
         imaplocal       cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=500
         imapslocal      cmd="imapd -s -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imaps" prefork=0 maxchild=100
         lmtpunix        cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=1 maxchild=20
         sieve           cmd="timsieved -C /etc/imapd.conf.localhost" listen="localhost:sieve" prefork=0 maxchild=100
         notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
         delprune        cmd="/usr/sbin/cyr_expire -E 3" at=0401
         tlsprune        cmd="/usr/sbin/tls_prune" at=0401

         squatter_1      cmd="/usr/bin/nice -n 19 /usr/sbin/squatter -s" period=120
         squatter_a      cmd="/usr/sbin/squatter" at=0517
}
---8<---

Cyrus version:

name       : Cyrus IMAPD
version    : v2.2.13-Debian-2.2.13-10 2006/11/13 16:17:53
vendor     : Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os         : Linux
os-version : 2.6.18-3-686-bigmem
environment: Built w/Cyrus SASL 2.1.22
              Running w/Cyrus SASL 2.1.22
              Built w/Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
              Running w/Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
              Built w/OpenSSL 0.9.8c 05 Sep 2006
              Running w/OpenSSL 0.9.8c 05 Sep 2006
              CMU Sieve 2.2
              TCP Wrappers
              NET-SNMP
              mmap = shared
              lock = fcntl
              nonblock = fcntl
              idle = poll


Thank you for your help :)
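Added example, not part of the original post or of Cyrus itself: a small Python detector that parses syslog lines in the format quoted above and separates sporadic `imaps TLS negotiation failed` entries (ordinary noise from individual clients) from a burst spread across many imapd child processes, which is the "every connection attempt fails" state described in the post. The sample log lines, the year and the client addresses are constructed; the window and threshold values are assumptions to tune per site.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the syslog format quoted in the post (syslog_prefix: cyrus).
SAMPLE_LOG = """\
Mar 26 19:11:06 server cyrus/imapsext[13333]: imaps TLS negotiation failed: [192.0.2.10]
Mar 26 19:11:06 server cyrus/imapsext[13333]: Fatal error: tls_start_servertls() failed
Mar 26 19:40:12 server cyrus/imapsext[13400]: login: [192.0.2.11] alice PLAIN+TLS User logged in
Mar 26 21:02:01 server cyrus/imapsext[13510]: imaps TLS negotiation failed: [192.0.2.12]
Mar 26 21:02:01 server cyrus/imapsext[13510]: Fatal error: tls_start_servertls() failed
Mar 26 21:02:03 server cyrus/imapsext[13511]: imaps TLS negotiation failed: [192.0.2.13]
Mar 26 21:02:03 server cyrus/imapsext[13511]: Fatal error: tls_start_servertls() failed
Mar 26 21:02:05 server cyrus/imapsext[13512]: imaps TLS negotiation failed: [192.0.2.14]
Mar 26 21:02:05 server cyrus/imapsext[13512]: Fatal error: tls_start_servertls() failed
"""

# "<month> <day> <time> <host> cyrus/<service>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ cyrus/(?P<svc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"TLS negotiation failed: \[(?P<client>[^\]]+)\]")

def parse(log, year=2007):
    """Yield (timestamp, service, pid, client) for each TLS negotiation failure.
    Syslog lines carry no year, so the caller supplies it (assumed 2007 here)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m["msg"])
        if f:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["svc"], m["pid"], f["client"]

def find_bursts(log, window_s=60, threshold=3):
    """Return bursts: windows in which failures come from >= threshold distinct
    child PIDs of one service. A single failing PID is client-side noise; many
    children failing in a row points at the server-side state from the post."""
    events = sorted(parse(log))
    bursts = []
    for i, (ts, svc, pid, client) in enumerate(events):
        group = [e for e in events[i:]
                 if e[1] == svc and (e[0] - ts).total_seconds() <= window_s]
        pids = {e[2] for e in group}
        if len(pids) >= threshold and (not bursts or ts > bursts[-1]["end"]):
            bursts.append({"service": svc, "start": ts, "end": group[-1][0],
                           "pids": len(pids), "clients": Counter(e[3] for e in group)})
    return bursts
```

On the sample, the lone 19:11 failure is ignored and the three consecutive 21:02 failures from PIDs 13510-13512 are reported as one burst.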