Fatal error: tls_start_servertls() failed

Müfit Eribol hme at onart.com.tr
Tue Feb 16 01:30:07 EST 2016


Just to follow up and help others with a similar problem, here is what I did.

- Research showed that entropy is needed and low entropy is a typical 
problem of headless servers where there is no mouse and keyboard connected.
- Installed munin to check entropy levels over time. During the two hours 
of observation, it went down as low as 160 and went up to a maximum of 
850. I think the minimum is pretty low compared to the levels talked about on 
the internet.
- Installed the haveged utility and adjusted the entropy pool for 2048.
- It is now stabilized around 2048.

I believe this was the problem with my server. Thank you, Patrick, for 
drawing my attention to the magic word "entropy".

I am now monitoring the server to verify.


On 15.02.2016 00:39, Patrick Boutilier via Info-cyrus wrote:
> On 02/14/2016 02:46 AM, Mufit Eribol via Info-cyrus wrote:
>> Hi All,
>>
>> I am running cyrus-imapd-2.4.17 on CentOS 7.2.1511 for appx. 20
>> mailboxes. I get the following messages every 10-12 days.
>>
>> imaps TLS negotiation failed: [ip address of a client]
>> Fatal error: tls_start_servertls() failed
>>
>> Although cyrus-imapd, saslauthd are still running after this error,
>> login credentials are not accepted. As I don't know where the problem
>> is, restarting the server fixes the problem, well, for another 10-12 days.
>>
>> I would appreciate any hint you may give.
>>
>> Thanks,
>> Mufit
>>
>> Below are the configuration files:
>>
>> /etc/cyrus.conf:
>> START {
>>    recover       cmd="ctl_cyrusdb -r"
>>    idled         cmd="idled"
>> }
>> SERVICES {
>> #  imap         cmd="imapd" listen="imap" prefork=5
>>    imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
>>
>>    imaps         cmd="imapd -s" listen="imaps" prefork=1
>>    imapslocal    cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
>>
>> #  pop3         cmd="pop3d" listen="pop3" prefork=3
>> #  pop3s                cmd="pop3d -s" listen="pop3s" prefork=1
>>    sieve         cmd="timsieved" listen="sieve" prefork=0
>>    sievelocal      cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0
>>    # these are only necessary if receiving/exporting usenet via NNTP
>> #  nntp         cmd="nntpd" listen="nntp" prefork=3
>> #  nntps                cmd="nntpd -s" listen="nntps" prefork=1
>>
>> #  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
>>    lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>
>> #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>> }
>> EVENTS {
>>    checkpoint    cmd="ctl_cyrusdb -c" period=30
>>    delprune      cmd="cyr_expire -E 3" at=0400
>>    tlsprune      cmd="tls_prune" at=0400
>> }
>>
>> /etc/imapd.conf:
>> postmaster: postmaster
>> configdirectory: /var/lib/imap
>> partition-default: /var/spool/imap
>> #admins: cyrus
>> allowanonymouslogin: no
>> allowplaintext: no
>> #tls_require_cert: 1
>> sasl_minimum_layer: 128
>> servername: mail.wintess.com
>> autocreatequota: 200000
>> maxmessagesize: 0
>> reject8bit: 0
>> munge8bit: 0
>> quotawarn: 90
>> timeout: 30
>> poptimeout: 10
>> dracinterval: 0
>> drachost: localhost
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: PLAIN
>> sievedir: /var/lib/imap/sieve
>> sieve_maxscriptsize: 32
>> sieve_maxscripts: 5
>> sieve_allowplaintext: 1
>> sendmail: /usr/sbin/sendmail
>> #hashimapspool: true
>> #defaultdomain: mail
>> tls_cert_file: /etc/pki/tls/certs/wintess-imap.pem
>> tls_key_file: /etc/pki/tls/certs/wintess-imap.pem
>> tls_ca_file: /etc/pki/tls/certs/wintess-imap.pem
>>
>> /etc/sasl2/smtpd.conf:
>>
>> pwcheck_method: saslauthd
>> mech_list: plain login
>>
>>
>> ----
>
>
>
> Almost sounds like you are running out of entropy.
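
The entropy-level check described in the message above can also be done without munin; the following is an added example, not part of the original post or of Cyrus. It samples `/proc/sys/kernel/random/entropy_avail` and reports the minimum, maximum and number of readings below a threshold. The function names, the threshold of 200 and the sample readings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise kernel entropy readings (names are illustrative).
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# summarize_entropy THRESHOLD
# Reads one integer reading per line on stdin and prints
# "min=<n> max=<n> samples=<n> below=<n>", where below counts readings
# under THRESHOLD (an assumed alert level, not a value from the post).
summarize_entropy() {
    awk -v t="$1" '
        /^[0-9]+$/ {
            n++
            if (n == 1 || $1 < min) min = $1
            if (n == 1 || $1 > max) max = $1
            if ($1 < t) below++
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "min=%d max=%d samples=%d below=%d\n", min, max, n, below
        }'
}

# sample_entropy COUNT INTERVAL
# Emits COUNT readings of the kernel estimate, INTERVAL seconds apart.
sample_entropy() {
    i=0
    while [ "$i" -lt "$1" ]; do
        cat "$ENTROPY_FILE" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done
}

# Constructed readings for a dry run; 160 and 850 are the extremes
# reported in the message, the other values are made up.
demo_samples() {
    printf '%s\n' 850 420 160 610 300
}

if [ "${1:-}" = "--live" ]; then
    # e.g. ./entropy.sh --live 120 60 200  -> two hours, one reading a minute
    sample_entropy "${2:-10}" "${3:-5}" | summarize_entropy "${4:-200}"
else
    demo_samples | summarize_entropy 200
fi
```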
