Hi,

[Steffen Kaiser] - [2016-07-25 08:23]

>> I am running a dovecot server and have set up an external monitoring,
>> where every five minutes a login with SSL on port 993 is done. I usually
>> get once a day an error "connection reset by peer - SSL connect", which
>> goes away until the next monitor is executed.

> that looks like a basic networking issue to me.
> Do you have logs how many users try to connect at this time? Is it
> always the same time range? Is the server load very high?

My server has nice specs (in fact a 30 times lower scaled server never
had this kind of problems), I also don't host many domains and users,
therefore I doubt that some kind of limit might be touched. I also
suspected some internal system load, but unfortunately the error occurs
arbitrarily, which makes me think that no scheduled process is
responsible for this. I also ran 'top' during such an event without any
obvious load tasks. The system statistics also show no weird peaks. I
read about the "running out of random" phenomenon, but during such an
event there were still enough resources random-wise.

Could it be that I need to offer more login processes or that I should
raise some of my configuration values? The mail_max_userip_connections
does not seem to solve the problem.

--
Cheers,
Vince

On 25 Jul 2016, at 18:26, Vince42 <dovecot at mx24.net> wrote:

> Hi,
>
> [Steffen Kaiser] - [2016-07-25 08:23]
>>> I am running a dovecot server and have set up an external monitoring,
>>> where every five minutes a login with SSL on port 993 is done. I usually
>>> get once a day an error "connection reset by peer - SSL connect", which
>>> goes away until the next monitor is executed.
>
>> that looks like a basic networking issue to me.
>> Do you have logs how many users try to connect at this time? Is it
>> always the same time range? Is the server load very high?
>
> My server has nice specs (in fact a 30 times lower scaled server never
> had this kind of problems), I also don't host many domains and users,
> therefore I doubt that some kind of limit might be touched. I also
> suspected some internal system load, but unfortunately the error occurs
> arbitrarily, which makes me think that no scheduled process is
> responsible for this. I also ran 'top' during such an event without any
> obvious load tasks. The system statistics also show no weird peaks. I
> read about the "running out of random" phenomenon, but during such an
> event there were still enough resources random-wise.
>
> Could it be that I need to offer more login processes or that I should
> raise some of my configuration values?

If you are reaching any such limits, a warning is logged. Do you see any
errors or warnings at all in logs?

On Tue, 26 Jul 2016, Vince42 wrote:

> [Steffen Kaiser] - [2016-07-25 08:23]
>>> I am running a dovecot server and have set up an external monitoring,
>>> where every five minutes a login with SSL on port 993 is done. I usually
>>> get once a day an error "connection reset by peer - SSL connect", which
>>> goes away until the next monitor is executed.
>
>> that looks like a basic networking issue to me.
>> Do you have logs how many users try to connect at this time? Is it
>> always the same time range? Is the server load very high?
>
> My server has nice specs (in fact a 30 times lower scaled server never
> had this kind of problems), I also don't host many domains and users,
> therefore I doubt that some kind of limit might be touched. I also
> suspected some internal system load, but unfortunately the error occurs
> arbitrarily, which makes me think that no scheduled process is
> responsible for this. I also ran 'top' during such an event without any
> obvious load tasks. The system statistics also show no weird peaks. I
> read about the "running out of random" phenomenon, but during such an
> event there were still enough resources random-wise.

what about the network itself? Does the monitor cross a firewall?

> Could it be that I need to offer more login processes or that I should
> raise some of my configuration values? The mail_max_userip_connections
> does not seem to solve the problem.

usually you get some warning in the logs, if such limit is reached.

--
Steffen Kaiser

Hi,

[Steffen Kaiser] - [2016-07-26 09:05]

>>>> I am running a dovecot server and have set up an external
>>>> monitoring, where every five minutes a login with SSL on port
>>>> 993 is done. I usually get once a day an error "connection
>>>> reset by peer - SSL connect", which goes away until the next
>>>> monitor is executed.

>>> that looks like a basic networking issue to me. Do you have logs
>>> how many users try to connect at this time? Is it always the same
>>> time range? Is the server load very high?

>> My server has nice specs (in fact a 30 times lower scaled server
>> never had this kind of problems), I also don't host many domains
>> and users, therefore I doubt that some kind of limit might be
>> touched. I also suspected some internal system load, but
>> unfortunately the error occurs arbitrarily, which makes me think
>> that no scheduled process is responsible for this. I also ran 'top'
>> during such an event without any obvious load tasks. The system
>> statistics also show no weird peaks. I read about the "running out
>> of random" phenomenon, but during such an event there were still
>> enough resources random-wise.

> what about the network itself? Does the monitor cross a firewall?

I do not know all the details about my provider's data center, but the
monitor is an internal one running on one of their machines in their
infrastructure. I therefore doubt that this error could be related to
some network issue. The monitor just makes a normal IMAP login and fails
with the SSL error - and a few minutes later everything is fine again.

>> Could it be that I need to offer more login processes or that I
>> should raise some of my configuration values? The
>> mail_max_userip_connections does not seem to solve the problem.

> usually you get some warning in the logs, if such limit is reached.

I desperately searched all kinds of logs - but nothing indicates a
problem that would explain these arbitrary logon errors.

I always thought that I should be more generous with login processes or
other system resources in order to overcome this - but it seems that I
am on the wrong track, if my doveconf -n does not show any oddities.

I fear I will have to accept this error as being "normal" - which is
really odd as my former server ran for years with the same config
without any warning at all. Maybe the next will do it again ... :)))

--
Cheers,
Vince

Hi,

[Steffen Kaiser] - [2016-07-26 09:05]

>> Could it be that I need to offer more login processes or that I should
>> raise some of my configuration values? The mail_max_userip_connections
>> does not seem to solve the problem.

> usually you get some warning in the logs, if such limit is reached.

I changed some parameters in the imap-login service and the problem
seems to be gone - at least I have not received any error message in
three days. Following the examples on

http://wiki.dovecot.org/LoginProcess

I changed 10-master.conf to

service imap-login {
  service_count = 0
  #client_limit = $default_client_limit
  process_min_avail = 8
  vsz_limit = 256M
}

I think that these parameters are very generous and I would rather like
to stick to "high security" than to "high performance". What would be
your recommendations? Would it suffice to try to set service_count back
to 1?

Also I did not touch the client_limit, as I did not understand the
formula "Default client_limit * process_limit = 1000*100 = 100k
connections" given on the wiki page.

Any suggestions are welcome and highly appreciated.

--
Cheers,
Vince

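
The wiki formula quoted in the last message, worked through for the posted block and for the same block with service_count set back to 1. This is an added example, not part of the thread or of Dovecot; the function names are hypothetical, the defaults of 1000 and 100 are the ones in the quoted formula, and a service_count default of 1 is assumed.

```python
import re

# Defaults taken from the wiki formula quoted in the post (1000 * 100).
DEFAULTS = {"default_client_limit": 1000, "default_process_limit": 100}

# Constructed sample inputs: the block from the post and the same block
# switched back to service_count = 1 ("high security" mode).
POSTED = """
service imap-login {
  service_count = 0
  #client_limit = $default_client_limit
  process_min_avail = 8
  vsz_limit = 256M
}
"""
HIGH_SECURITY = POSTED.replace("service_count = 0", "service_count = 1")


def parse_service(text, name="imap-login"):
    """Return the uncommented key/value settings of one service block."""
    m = re.search(r"service\s+%s\s*\{(.*?)\}" % re.escape(name), text, re.S)
    if not m:
        raise ValueError("no service %s block found" % name)
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # commented-out keys use defaults
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def resolve(settings, key):
    """Integer value of a limit, following $default_* references."""
    value = settings.get(key, "$default_" + key)
    return DEFAULTS[value[1:]] if value.startswith("$") else int(value)


def max_connections(text):
    """Ceiling on connections the login processes can hold at once."""
    s = parse_service(text)
    service_count = int(s.get("service_count", "1"))  # assumed default: 1
    process_limit = resolve(s, "process_limit")
    if service_count == 1:   # one connection per process, then it exits
        return process_limit
    if service_count == 0:   # long-lived processes multiplexing clients
        return resolve(s, "client_limit") * process_limit
    raise ValueError("service_count other than 0 or 1 is not modelled here")
```

With service_count = 1 the ceiling is process_limit alone (100 here), and on a TLS port the login process keeps proxying the session after login, so that figure counts open TLS sessions rather than logins in progress.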