Sporadic TLS/STARTTLS negotitation failed

André Schild andre at schild.ws
Wed Mar 7 14:00:19 EST 2018


Am 07.03.2018 um 19:51 schrieb Andrew Nichols via Info-cyrus:
> Am 07.03.2018 um 17:00 schrieb Andrew Nichols via Info-cyrus:
>>> Hello,
>>>
>>> We run a cyrus-imap 2.5.11 server under FreeBSD and we are experiencing issues with TLS/STARTTLS negotiation failed entries in the log, which show as timeouts on the client side.   It?s all different email clients and even our monitoring experiencing these failures.  Other TLS services (https mostly) on the same server do not have these failures.  There are also times when these errors ramp up and happen to most TLS clients, which is only solved by restarting cyrus.    Has anyone else experiences these issues or have any tips on where to look to figure out the root cause?
>> Has your server enough entropy?
>> Specially cloud servers with no physical ports can run low on entropy
>> and the random number generator used for SSL/TLS stuff needs to way
>> until it is filled up again.
>>
>> To check the amount of bytes of entropy currently available, use
>>
>> |cat /proc/sys/kernel/random/entropy_avail From
>> https://serverfault.com/questions/214605/gpg-does-not-have-enough-entropy|
>>
>
> That’s what I had though at the start, but this is a physical server and /dev/random in FreeBSD is the same as /dev/urandom so it doesn’t block once seeded.  Also, when this starts happening the other services on the machine that need entropy aren’t affected.

Do you monitor the number of cyrus processes (pop/imap/sieve/... )
Perhaps you reach the configured limit?

André


More information about the Info-cyrus mailing list