Hi,

[Steffen Kaiser] - [2016-07-26 09:05]
>>>> I am running a dovecot server and have set up an external
>>>> monitoring, where every five minutes a login with SSL on port
>>>> 993 is done. I usually get once a day an error "connection
>>>> reset by peer - SSL connect", which goes away until the next
>>>> monitor is executed.

>>> that looks like a basic networking issue to me. Do you have logs
>>> how many users try to connect at this time? Is it always the same
>>> time range? Is the server load very high?

>> My server has nice specs (in fact a 30 times lower scaled server
>> never had this kind of problems), I also don't host many domains
>> and users, therefore I doubt that some kind of limit might be
>> touched. I also suspected some internal system load, but
>> unfortunately the error occurs arbitrarily, which makes me think
>> that no scheduled process is responsible for this. I also ran 'top'
>> during such an event without any obvious load tasks. The system
>> statistics also show no weird peaks. I read about the "running out
>> of random" phenomenon, but during such an event there were still
>> enough resources random-wise.

> what about the network itself? Does the monitor cross a firewall?

I do not know all the details about my provider's data center, but the
monitor is an internal one running on one of their machines in their
infrastructure. I therefore doubt that this error could be related to
some network issue. The monitor just makes a normal IMAP login and fails
with the SSL error - and a few minutes later everything is fine again.

>> Could it be that I need to offer more login processes or that I
>> should raise some of my configuration values? The
>> mail_max_userip_connections does not seem to solve the problem.

> usually you get some warning in the logs, if such limit is reached.

I desperately searched all kinds of logs - but nothing indicates a
problem that would explain these arbitrary logon errors. I always
thought that I should be more generous with login processes or other
system resources in order to overcome this - but it seems that I am on
the wrong track, if my doveconf -n does not show any oddities.

I fear I will have to accept this error as being "normal" - which is
really odd as my former server ran for years with the same config
without any warning at all. Maybe the next will do it again ... :)))

--
Cheers,
Vince

On 07/27/2016 11:55 PM, Vince42 wrote:
> Hi,
>
> [Steffen Kaiser] - [2016-07-26 09:05]
>>>>> I am running a dovecot server and have set up an external
>>>>> monitoring, where every five minutes a login with SSL on port
>>>>> 993 is done. I usually get once a day an error "connection
>>>>> reset by peer - SSL connect", which goes away until the next
>>>>> monitor is executed.
>
>>>> that looks like a basic networking issue to me. Do you have logs
>>>> how many users try to connect at this time? Is it always the same
>>>> time range? Is the server load very high?
>
>>> My server has nice specs (in fact a 30 times lower scaled server
>>> never had this kind of problems), I also don't host many domains
>>> and users, therefore I doubt that some kind of limit might be
>>> touched. I also suspected some internal system load, but
>>> unfortunately the error occurs arbitrarily, which makes me think
>>> that no scheduled process is responsible for this. I also ran 'top'
>>> during such an event without any obvious load tasks. The system
>>> statistics also show no weird peaks. I read about the "running out
>>> of random" phenomenon, but during such an event there were still
>>> enough resources random-wise.
>
>> what about the network itself? Does the monitor cross a firewall?
>
> I do not know all the details about my provider's data center, but the
> monitor is an internal one running on one of their machines in their
> infrastructure. I therefore doubt that this error could be related to
> some network issue. The monitor just makes a normal IMAP login and fails
> with the SSL error - and a few minutes later everything is fine again.
>
>>> Could it be that I need to offer more login processes or that I
>>> should raise some of my configuration values? The
>>> mail_max_userip_connections does not seem to solve the problem.
>
>> usually you get some warning in the logs, if such limit is reached.
>
> I desperately searched all kinds of logs - but nothing indicates a
> problem that would explain these arbitrary logon errors. I always
> thought that I should be more generous with login processes or other
> system resources in order to overcome this - but it seems that I am on
> the wrong track, if my doveconf -n does not show any oddities.
>
> I fear I will have to accept this error as being "normal" - which is
> really odd as my former server ran for years with the same config
> without any warning at all. Maybe the next will do it again ... :)))
>

Hi Vince,

just a shot into the dark: if you are running out of entropy, you
might get SSL errors. If this is a virtual machine, there are not
many entropy sources. Consider installing alternative entropy sources
like haveged(*), available in many distro repos.

Regards,
Olaf

(*) http://www.issihosts.com/haveged/

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
www.atis.informatik.kit.edu

www.kit.edu
KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.

Hi,

[Olaf Hopp] - [2016-08-02 23:45]
> just a shot into the dark: if you are running out of entropy, you
> might get SSL errors. If this is a virtual machine, there are not
> many entropy sources. Consider installing alternative entropy sources
> like haveged(*), available in many distro repos.

Thank you for your hint. I followed the entropy idea when I first
encountered this strange behaviour, but there was no shortage.

Tweaking the parameters for the imap_login service seemed to fix the
problems, now I need to try to set them to reasonable values in order to
have the best compromise between "secure" and "high performance" as
described in the Dovecot wiki.

--
Cheers,
Vince
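
Added example, not part of the thread and not Dovecot's own code: a small Python reader for `doveconf -n` output that reports which login-process mode `service imap-login` is running in and the resulting ceiling on simultaneous connections, which is the "secure" versus "high performance" trade-off the last message refers to. The default values and the sample configuration are assumptions constructed for illustration; the thread does not say which parameters were changed.

```python
# Assumed Dovecot 2.x defaults; `doveconf -n` prints only non-default settings.
DEFAULTS = {"service_count": 1, "process_min_avail": 0,
            "default_process_limit": 100, "default_client_limit": 1000}

# Constructed sample input, not the poster's configuration.
SAMPLE_DOVECONF = """\
default_process_limit = 200
service imap-login {
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 4
  service_count = 0
}
"""

def parse_settings(conf_text, service="imap-login"):
    """Collect top-level settings and those directly inside `service <name> {}`."""
    top, svc, stack = {}, {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if not stack:
                top[key] = value
            elif stack == ["service " + service]:
                svc[key] = value  # nested blocks such as inet_listener are skipped
    return top, svc

def login_capacity(conf_text, service="imap-login"):
    """Return (mode, max simultaneous client connections) for a login service."""
    top, svc = parse_settings(conf_text, service)
    def num(key):
        value = svc.get(key, top.get(key, DEFAULTS.get(key)))
        if value is None or str(value).startswith("$"):
            name = "default_" + key  # fall back to the global default_* setting
            value = top.get(name, DEFAULTS[name])
        return int(value)
    if num("service_count") == 1:
        # One connection per login process: process_limit is the hard ceiling.
        return "high-security", num("process_limit")
    # Any other service_count is treated here as the multi-connection mode.
    return "high-performance", num("process_limit") * num("client_limit")
```

With no `service imap-login` overrides at all, the result is the one-process-per-connection mode with a ceiling of 100, so a monitor probe can be refused while the host still shows no load.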