Odd problem: IMAP/S suddenly not working, but no errors, and IMAP still works
Chris Pepper
pepper at cbio.mskcc.org
Sun Oct 31 22:40:13 EDT 2010
Bron,
My Cyrus is from RPM, and I am just nursing it along until my users
finish migrating off and FastMail manages to complete my own migration,
so I don't want to build from source. Why would IMAP/S block on empty
/dev/random, while IMAP+STARTTLS works? FWIW, SASL2 seems to use urandom.
> [root@inspector random]# strings /usr/lib/libsasl* |grep random
> /dev/urandom
> /dev/urandom
But my /dev/random does seem quite low. Still surfing and looking for a
good way to fill it on a mostly headless server -- I haven't found a
good solution yet.
Chris
> [root@inspector ~]# ls -l /dev/*random
> crw-rw-rw- 1 root root 1, 8 Oct 31 02:05 /dev/random
> cr--r--r-- 1 root root 1, 9 Oct 31 02:05 /dev/urandom
> [root@inspector ~]# cd /proc/sys/kernel/random
> [root@inspector random]# more *|cat
> ::::::::::::::
> boot_id
> ::::::::::::::
> d3724e19-7462-4224-960b-49d5d3a18d7a
> ::::::::::::::
> entropy_avail
> ::::::::::::::
> 17
> ::::::::::::::
> poolsize
> ::::::::::::::
> 4096
> ::::::::::::::
> read_wakeup_threshold
> ::::::::::::::
> 64
> ::::::::::::::
> uuid
> ::::::::::::::
> a3ed2323-e04d-4034-a72a-76b5d4b697f7
> ::::::::::::::
> write_wakeup_threshold
> ::::::::::::::
> 128
On 10/31/10 9:26 PM, Bron Gondwana wrote:
> Sounds like your /dev/random is empty. You can compile with /dev/urandom or add a source of entropy...
>
> "Chris Pepper"<pepper at cbio.mskcc.org> wrote:
>
>> mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
>> along with SquirrelMail, postfix, etc. Last night, I noticed that when I
>> sent mail from Thunderbird, it was not able to file copies in the Sent
>> mailbox, although they did reach the recipients, so postfix was
>> accepting mail on 587/tcp.
>>
>> I restarted Cyrus IMAPd but don't see any error messages in
>> /var/log/maillog, and the cert & key look fine. SquirrelMail is fine
>> using plain IMAP. I opened 143/tcp in the firewall, and am able to fetch
>> mail via IMAP with STARTTLS, so it looks like the cert and key are fine.
>>
>> But "telnet mail.reppep.com 993" and openssl fail to get any response.
>> Port 993 is open to the Internet, FWIW.
>>
>> Does anyone have any suggestions for what went wrong and/or how to fix?
>> I'll try tcpdump next to see if it's responding at all.
>>
>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>> 143? I was blocking external access to it to make sure users always use
>> encryption to connect, but port 143 with STARTTLS required would be an
>> acceptable alternative.
>>
>> Thanks,
>>
>> Chris Pepper
>>
>>> pepper@imp:~$ !openssl
>>> openssl s_client -connect www.reppep.com:993
>>> CONNECTED(00000003)
>>> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
>>
>>
>>> [root@inspector ~]# cat /etc/imapd.conf
>>> admins: cyrus
>>> altnamespace: yes
>>> configdirectory: /var/lib/imap
>>> duplicatesuppression: yes
>>> hashimapspool: no
>>> partition-default: /var/spool/imap
>>> servername: mail.reppep.com
>>> singleinstancestore: yes
>>> #syslog_prefix: cyrus
>>> unixhierarchysep: yes
>>>
>>> lmtp_downcase_rcpt: yes
>>> maxmessagesize: 20971520
>>> sendmail: /usr/sbin/sendmail
>>> #quotawarn: 80
>>>
>>> #allowplaintext: yes
>>> #allowplainwithouttls: yes
>>> sasl_pwcheck_method: saslauthd
>>> #imap_auth_login: yes
>>> #imap_auth_cram_md5: yes
>>> #imap_auth_plain: yes
>>>
>>> autocreateinboxfolders: Junk
>>> autocreatequota: -1
>>> #autocreate_sieve_script: /etc/junk.sieve
>>> autocreate_sieve_compiledscript: /etc/sieve.bc
>>> autosievefolders: Junk
>>> autosubscribeinboxfolders: Junk
>>> createonpost: yes
>>> #sievedir: /var/lib/imap/sieve
>>> sieveusehomedir: true
>>>
>>> tls_ca_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>> tls_key_file: /etc/pki/tls/private/mail.reppep.com.20080219.key
>>> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>> [root@inspector ~]# ls -l /etc/pki/tls/certs/mail.reppep.com.20100115.crt /etc/pki/tls/private/mail.reppep.com.20080219.key
>>> -rw-r--r-- 1 root root 6466 Oct 1 17:13 /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>> -rw-r----- 1 root mail 497 Feb 19 2008 /etc/pki/tls/private/mail.reppep.com.20080219.key
>>> [root@inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
>>> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
>>> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
>>> tcp 0 0 10.0.104.200:53 0.0.0.0:* LISTEN
>>> tcp 0 0 :::110 :::* LISTEN
>>> tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
>>> tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
>>> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
>>> tcp 0 0 :::143 :::* LISTEN
>>> tcp 0 0 ::1:953 :::* LISTEN
>>> tcp 0 0 :::2000 :::* LISTEN
>>> tcp 0 0 :::22 :::* LISTEN
>>> tcp 0 0 :::4242 :::* LISTEN
>>> tcp 0 0 :::443 :::* LISTEN
>>> tcp 0 0 :::5222 :::* LISTEN
>>> tcp 0 0 :::5223 :::* LISTEN
>>> tcp 0 0 :::5229 :::* LISTEN
>>> tcp 0 0 :::5269 :::* LISTEN
>>> tcp 0 0 66.92.104.200:53 0.0.0.0:* LISTEN
>>> tcp 0 0 :::8080 :::* LISTEN
>>> tcp 0 0 :::80 :::* LISTEN
>>> tcp 0 0 :::8483 :::* LISTEN
>>> tcp 0 0 :::9090 :::* LISTEN
>>> tcp 0 0 :::9091 :::* LISTEN
>>> tcp 0 0 :::993 :::* LISTEN
>>> tcp 0 0 :::995 :::* LISTEN
>>> tcp 0 0 ::ffff:127.0.0.1:4243 :::* LISTEN
>>
>
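
The manual checks in the message above (entropy_avail against read_wakeup_threshold, and which random device a library names), collected into one script together with a lookup of which processes actually hold /dev/random open. This is an added example, not part of the original thread; the function names are hypothetical and the default paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up here; the
# default paths are the ones shown in the post.

# entropy_state [DIR]: prints "starved|ok <avail> <threshold>". Readers blocked
# on /dev/random are only woken once entropy_avail reaches the threshold.
entropy_state() {
    dir=${1:-/proc/sys/kernel/random}
    [ -r "$dir/entropy_avail" ] && [ -r "$dir/read_wakeup_threshold" ] || return 2
    avail=$(cat "$dir/entropy_avail")
    thresh=$(cat "$dir/read_wakeup_threshold")
    if [ "$avail" -lt "$thresh" ]; then state=starved; else state=ok; fi
    echo "$state $avail $thresh"
}

# random_devices_in FILE...: which random devices each binary names, like the
# strings|grep in the post but reported per file and de-duplicated.
random_devices_in() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        devs=$(LC_ALL=C grep -a -o '/dev/u\{0,1\}random' "$f" | sort -u | tr '\n' ' ')
        devs=${devs% }
        echo "$f: ${devs:-none}"
    done
}

# open_random_holders [PROCROOT]: "pid exe" for each process holding the
# blocking device open (run as root to see other users' descriptors).
open_random_holders() {
    root=${1:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = /dev/random ] || continue
        piddir=${fd%/fd/*}
        echo "${piddir##*/} $(readlink "$piddir/exe" 2>/dev/null)"
    done | sort -u
}

# Run "sh thisfile --report /usr/lib/libsasl*" on the affected host.
if [ "${1:-}" = "--report" ]; then
    shift
    entropy_state || echo "entropy sysctls not readable"
    random_devices_in "$@"
    open_random_holders
fi
```

Passing the TLS library and the server binary as extra arguments to `--report` shows whether they name a different device than libsasl does.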