Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works

Simon Matter simon.matter at invoca.ch
Mon Nov 1 10:46:38 EDT 2010 

> Bron,
>
> 	My Cyrus is from RPM, and I am just nursing it along until my users
> finish migrating off and FastMail manages to complete my own migration,
> so I don't want to build from source. Why would IMAP/S block on empty
> /dev/random, while IMAP+STARTTLS works? FWIW, SASL2 seems to use urandom.

If this is really stock CentOS 5 then I think everything Cyrus related
should use /dev/urandom and not /dev/random. But, could it be that other
software you installed uses /dev/random and makes it "empty"?

Simon

>
>> [root at inspector random]# strings /usr/lib/libsasl* |grep random
>> /dev/urandom
>> /dev/urandom
>
>
> 	But my /dev/random does seem quite low. Still surfing and looking for a
> good way to fill it on a mostly headless server -- I haven't found a
> good solution yet.
>
> Chris
>
>> [root at inspector ~]# ls -l /dev/*random
>> crw-rw-rw- 1 root root 1, 8 Oct 31 02:05 /dev/random
>> cr--r--r-- 1 root root 1, 9 Oct 31 02:05 /dev/urandom
>> [root at inspector ~]# cd /proc/sys/kernel/random
>> [root at inspector random]# more *|cat
>> ::::::::::::::
>> boot_id
>> ::::::::::::::
>> d3724e19-7462-4224-960b-49d5d3a18d7a
>> ::::::::::::::
>> entropy_avail
>> ::::::::::::::
>> 17
>> ::::::::::::::
>> poolsize
>> ::::::::::::::
>> 4096
>> ::::::::::::::
>> read_wakeup_threshold
>> ::::::::::::::
>> 64
>> ::::::::::::::
>> uuid
>> ::::::::::::::
>> a3ed2323-e04d-4034-a72a-76b5d4b697f7
>> ::::::::::::::
>> write_wakeup_threshold
>> ::::::::::::::
>> 128
>
>
> On 10/31/10 9:26 PM, Bron Gondwana wrote:
>> Sounds like your /dev/random is empty. You can compile with /dev/urandom
>> or add a source of entropy...
>>
>> "Chris Pepper"<pepper at cbio.mskcc.org>  wrote:
>>
>>> 	mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
>>> along with SquirrelMail, postfix, etc. Last night, I noticed that when
>>> I
>>> sent mail from Thunderbird, it was not able to file copies in the Sent
>>> mailbox, although they did reach the recipients, so postfix was
>>> accepting mail on 587/tcp.
>>>
>>> 	I restarted Cyrus IMAPd but don't see any error messages in
>>> /var/log/maillog, and the cert&  key look fine. SquirrelMail is fine
>>> using plain IMAP. I opened 143/tcp in the firewall, and am able to
>>> fetch
>>> mail via IMAP with STARTTLS, so it looks like the cert and key are
>>> fine.
>>>
>>> 	But "telnet mail.reppep.com 993" and openssl fail to get any response.
>>> Port 993 is open to the Internet, FWIW.
>>>
>>> 	Does anyone have any suggestions for what went wrong and/or how to
>>> fix?
>>> I'll try tcpdump next to see if it's responding at all.
>>>
>>> 	Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>> 143? I was blocking external access to it to make sure users always use
>>> encryption to connect, but port 143 with STARTTLS required would be an
>>> acceptable alternative.
>>>
>>> Thanks,
>>>
>>> Chris Pepper
>>>
>>>> pepper at imp:~$ !openssl
>>>> openssl s_client -connect www.reppep.com:993
>>>> CONNECTED(00000003)
>>>> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>> failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
>>>
>>>
>>>> [root at inspector ~]# cat /etc/imapd.conf
>>>> admins: cyrus
>>>> altnamespace: yes
>>>> configdirectory: /var/lib/imap
>>>> duplicatesuppression: yes
>>>> hashimapspool: no
>>>> partition-default: /var/spool/imap
>>>> servername: mail.reppep.com
>>>> singleinstancestore: yes
>>>> #syslog_prefix: cyrus
>>>> unixhierarchysep: yes
>>>>
>>>> lmtp_downcase_rcpt: yes
>>>> maxmessagesize: 20971520
>>>> sendmail: /usr/sbin/sendmail
>>>> #quotawarn: 80
>>>>
>>>> #allowplaintext: yes
>>>> #allowplainwithouttls: yes
>>>> sasl_pwcheck_method: saslauthd
>>>> #imap_auth_login: yes
>>>> #imap_auth_cram_md5: yes
>>>> #imap_auth_plain: yes
>>>>
>>>> autocreateinboxfolders:      Junk
>>>> autocreatequota: -1
>>>> #autocreate_sieve_script: /etc/junk.sieve
>>>> autocreate_sieve_compiledscript: /etc/sieve.bc
>>>> autosievefolders: Junk
>>>> autosubscribeinboxfolders:   Junk
>>>> createonpost: yes
>>>> #sievedir: /var/lib/imap/sieve
>>>> sieveusehomedir: true
>>>>
>>>> tls_ca_file:   /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> tls_key_file:  /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>>> [root at inspector ~]# ls -l
>>>> /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> -rw-r--r-- 1 root root 6466 Oct  1 17:13
>>>> /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> -rw-r----- 1 root mail  497 Feb 19  2008
>>>> /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> [root at inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
>>>> tcp        0      0 0.0.0.0:110                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:111                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:139                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:143                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:2000                0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:3306                0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:445                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:587                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:993                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 0.0.0.0:995                 0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 10.0.104.200:53             0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 :::110                      :::*
>>>>      LISTEN
>>>> tcp        0      0 127.0.0.1:10024             0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 127.0.0.1:10025             0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 127.0.0.1:53                0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 127.0.0.1:953               0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 :::143                      :::*
>>>>      LISTEN
>>>> tcp        0      0 ::1:953                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::2000                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::22                       :::*
>>>>      LISTEN
>>>> tcp        0      0 :::4242                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::443                      :::*
>>>>      LISTEN
>>>> tcp        0      0 :::5222                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::5223                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::5229                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::5269                     :::*
>>>>      LISTEN
>>>> tcp        0      0 66.92.104.200:53            0.0.0.0:*
>>>>      LISTEN
>>>> tcp        0      0 :::8080                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::80                       :::*
>>>>      LISTEN
>>>> tcp        0      0 :::8483                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::9090                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::9091                     :::*
>>>>      LISTEN
>>>> tcp        0      0 :::993                      :::*
>>>>      LISTEN
>>>> tcp        0      0 :::995                      :::*
>>>>      LISTEN
>>>> tcp        0      0 ::ffff:127.0.0.1:4243       :::*
>>>>      LISTEN
>>>
>>> ----
>>> Cyrus Home Page: http://www.cyrusimap.org/
>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>>
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>

More information about the Info-cyrus mailing list