Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works
Chris Pepper
pepper at cbio.mskcc.org
Mon Nov 1 11:06:40 EDT 2010
On 11/1/10 10:46 AM, Simon Matter wrote:
>> Bron,
>>
>> My Cyrus is from RPM, and I am just nursing it along until my users
>> finish migrating off and FastMail manages to complete my own migration,
>> so I don't want to build from source. Why would IMAP/S block on empty
>> /dev/random, while IMAP+STARTTLS works? FWIW, SASL2 seems to use urandom.
>
> If this is really stock CentOS 5 then I think everything Cyrus related
> should use /dev/urandom and not /dev/random. But, could it be that other
> software you installed uses /dev/random and makes it "empty"?
Most things are CentOS RPMs (thanks for those! ;), with a few from RPMforge.
> [root@inspector ~]# rpm -q cyrus-imapd amavisd-new clamav spamassassin postfix httpd mod_ssl
> cyrus-imapd-2.3.7-7.el5_4.3
> amavisd-new-2.6.4-3.el5.rf
> clamav-0.96.4-1.el5.rf
> spamassassin-3.3.1-3.el5.rf
> postfix-2.3.3-2.1.el5_2
> httpd-2.2.3-43.el5.centos.3
> mod_ssl-2.2.3-43.el5.centos.3
Which still leaves me thinking my port 993 problem isn't entropy, because STARTTLS works fine.
Chris
>>> [root@inspector random]# strings /usr/lib/libsasl* |grep random
>>> /dev/urandom
>>> /dev/urandom
>>
>>
>> But my /dev/random does seem quite low. Still surfing and looking for a
>> good way to fill it on a mostly headless server -- I haven't found a
>> good solution yet.
>>
>> Chris
>>
>>> [root@inspector ~]# ls -l /dev/*random
>>> crw-rw-rw- 1 root root 1, 8 Oct 31 02:05 /dev/random
>>> cr--r--r-- 1 root root 1, 9 Oct 31 02:05 /dev/urandom
>>> [root@inspector ~]# cd /proc/sys/kernel/random
>>> [root@inspector random]# more *|cat
>>> ::::::::::::::
>>> boot_id
>>> ::::::::::::::
>>> d3724e19-7462-4224-960b-49d5d3a18d7a
>>> ::::::::::::::
>>> entropy_avail
>>> ::::::::::::::
>>> 17
>>> ::::::::::::::
>>> poolsize
>>> ::::::::::::::
>>> 4096
>>> ::::::::::::::
>>> read_wakeup_threshold
>>> ::::::::::::::
>>> 64
>>> ::::::::::::::
>>> uuid
>>> ::::::::::::::
>>> a3ed2323-e04d-4034-a72a-76b5d4b697f7
>>> ::::::::::::::
>>> write_wakeup_threshold
>>> ::::::::::::::
>>> 128
>>
>>
>> On 10/31/10 9:26 PM, Bron Gondwana wrote:
>>> Sounds like your /dev/random is empty. You can compile with /dev/urandom
>>> or add a source of entropy...
>>>
>>> "Chris Pepper"<pepper at cbio.mskcc.org> wrote:
>>>
>>>> mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
>>>> along with SquirrelMail, postfix, etc. Last night, I noticed that when I
>>>> sent mail from Thunderbird, it was not able to file copies in the Sent
>>>> mailbox, although they did reach the recipients, so postfix was
>>>> accepting mail on 587/tcp.
>>>>
>>>> I restarted Cyrus IMAPd but don't see any error messages in
>>>> /var/log/maillog, and the cert & key look fine. SquirrelMail is fine
>>>> using plain IMAP. I opened 143/tcp in the firewall, and am able to fetch
>>>> mail via IMAP with STARTTLS, so it looks like the cert and key are fine.
>>>>
>>>> But "telnet mail.reppep.com 993" and openssl fail to get any response.
>>>> Port 993 is open to the Internet, FWIW.
>>>>
>>>> Does anyone have any suggestions for what went wrong and/or how to fix?
>>>> I'll try tcpdump next to see if it's responding at all.
>>>>
>>>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>>> 143? I was blocking external access to it to make sure users always use
>>>> encryption to connect, but port 143 with STARTTLS required would be an
>>>> acceptable alternative.
>>>>
>>>> Thanks,
>>>>
>>>> Chris Pepper
>>>>
>>>>> pepper@imp:~$ !openssl
>>>>> openssl s_client -connect www.reppep.com:993
>>>>> CONNECTED(00000003)
>>>>> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
>>>>
>>>>
>>>>> [root@inspector ~]# cat /etc/imapd.conf
>>>>> admins: cyrus
>>>>> altnamespace: yes
>>>>> configdirectory: /var/lib/imap
>>>>> duplicatesuppression: yes
>>>>> hashimapspool: no
>>>>> partition-default: /var/spool/imap
>>>>> servername: mail.reppep.com
>>>>> singleinstancestore: yes
>>>>> #syslog_prefix: cyrus
>>>>> unixhierarchysep: yes
>>>>>
>>>>> lmtp_downcase_rcpt: yes
>>>>> maxmessagesize: 20971520
>>>>> sendmail: /usr/sbin/sendmail
>>>>> #quotawarn: 80
>>>>>
>>>>> #allowplaintext: yes
>>>>> #allowplainwithouttls: yes
>>>>> sasl_pwcheck_method: saslauthd
>>>>> #imap_auth_login: yes
>>>>> #imap_auth_cram_md5: yes
>>>>> #imap_auth_plain: yes
>>>>>
>>>>> autocreateinboxfolders: Junk
>>>>> autocreatequota: -1
>>>>> #autocreate_sieve_script: /etc/junk.sieve
>>>>> autocreate_sieve_compiledscript: /etc/sieve.bc
>>>>> autosievefolders: Junk
>>>>> autosubscribeinboxfolders: Junk
>>>>> createonpost: yes
>>>>> #sievedir: /var/lib/imap/sieve
>>>>> sieveusehomedir: true
>>>>>
>>>>> tls_ca_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> tls_key_file: /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>>>> [root@inspector ~]# ls -l /etc/pki/tls/certs/mail.reppep.com.20100115.crt /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> -rw-r--r-- 1 root root 6466 Oct 1 17:13 /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> -rw-r----- 1 root mail 497 Feb 19 2008 /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> [root@inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
>>>>> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
>>>>> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
>>>>> tcp 0 0 10.0.104.200:53 0.0.0.0:* LISTEN
>>>>> tcp 0 0 :::110 :::* LISTEN
>>>>> tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
>>>>> tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
>>>>> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
>>>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
>>>>> tcp 0 0 :::143 :::* LISTEN
>>>>> tcp 0 0 ::1:953 :::* LISTEN
>>>>> tcp 0 0 :::2000 :::* LISTEN
>>>>> tcp 0 0 :::22 :::* LISTEN
>>>>> tcp 0 0 :::4242 :::* LISTEN
>>>>> tcp 0 0 :::443 :::* LISTEN
>>>>> tcp 0 0 :::5222 :::* LISTEN
>>>>> tcp 0 0 :::5223 :::* LISTEN
>>>>> tcp 0 0 :::5229 :::* LISTEN
>>>>> tcp 0 0 :::5269 :::* LISTEN
>>>>> tcp 0 0 66.92.104.200:53 0.0.0.0:* LISTEN
>>>>> tcp 0 0 :::8080 :::* LISTEN
>>>>> tcp 0 0 :::80 :::* LISTEN
>>>>> tcp 0 0 :::8483 :::* LISTEN
>>>>> tcp 0 0 :::9090 :::* LISTEN
>>>>> tcp 0 0 :::9091 :::* LISTEN
>>>>> tcp 0 0 :::993 :::* LISTEN
>>>>> tcp 0 0 :::995 :::* LISTEN
>>>>> tcp 0 0 ::ffff:127.0.0.1:4243 :::* LISTEN
>>>>
>>>> ----
>>>> Cyrus Home Page: http://www.cyrusimap.org/
>>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
--
Chris Pepper: <http://cbio.mskcc.org/>
<http://www.extrapepperoni.com/>
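
The checks made by hand in this thread (pool level against the wake-up threshold, whether a read from /dev/random actually blocks, and implicit TLS on 993 against STARTTLS on 143) can be scripted as below. This is an added example, not part of the original message or of Cyrus; the function names, the 5 and 10 second timeouts and the fallback threshold of 64 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage for a TLS listener that hangs.
# Function names and defaults are assumptions made for this illustration.

# pool_state DIR: print "starved" when entropy_avail is below
# read_wakeup_threshold, i.e. sleeping /dev/random readers are not woken.
pool_state() {
    avail=$(cat "$1/entropy_avail") || return 2
    thr=64    # assumed fallback: the threshold value shown in the thread
    [ -r "$1/read_wakeup_threshold" ] && thr=$(cat "$1/read_wakeup_threshold")
    if [ "$avail" -lt "$thr" ]; then echo starved; else echo ok; fi
}

# read_blocks PATH SECS: succeed (0) when 16 bytes cannot be read from PATH
# within SECS seconds, which is what a drained /dev/random looks like.
read_blocks() {
    rc=0
    timeout "$2" head -c 16 "$1" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 124 ]    # 124 is timeout's "command timed out" status
}

# handshake_ok HOST PORT [starttls]: succeed when openssl s_client completes
# a handshake within 10 s, as implicit TLS (993) or IMAP STARTTLS (143).
handshake_ok() {
    if [ "${3:-}" = starttls ]; then
        timeout 10 openssl s_client -connect "$1:$2" -starttls imap \
            </dev/null >/dev/null 2>&1
    else
        timeout 10 openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
    fi
}

# report HOST: pool checks on the local machine, handshakes against HOST.
report() {
    dir=/proc/sys/kernel/random
    echo "entropy pool: $(pool_state "$dir") ($(cat "$dir/entropy_avail") bits)"
    if read_blocks /dev/random 5; then echo "/dev/random: read blocks"
    else echo "/dev/random: read returns"; fi
    for probe in "993" "143 starttls"; do
        # $probe is left unquoted on purpose: PORT plus optional mode
        if handshake_ok "$1" $probe; then echo "port $probe: handshake ok"
        else echo "port $probe: no handshake"; fi
    done
}

if [ $# -ge 1 ]; then report "$1"; fi
```

The pool checks only mean something when run on the mail server itself; the handshake probes can run from any client.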