Jeremiah Foster
2006-Jan-09 20:47 UTC
[Pkg-exim4-users] Downgrading or removing TLS due to lack of entropy
Hello,

I have configured exim4 (with considerable help from Marc Haber) to listen on port 587 with TLS. Due to the entropy bug my mail is getting frozen and comes back with this error message: "smtp transport process returned non-zero status 0x0200: exit code 2"

When trying to debug the message using exim4 -d -M 1Ew3mJ-0005AX-E9 I get a lot of output and no delivery; sometimes a message saying "Fatal: out of entropy" appears after debugging.

Is there any way to remove TLS so that mail can continue to flow? Is this a dangerous process? Is it relatively doable or do I need to re-install? I have contacted my colocation provider and they claim they are trying to fix the problem, but until they do I need mail to move.

Thanks,

Jeremiah
Marc Haber
2006-Jan-19 14:44 UTC
[Pkg-exim4-users] Downgrading or removing TLS due to lack of entropy
On Mon, Jan 09, 2006 at 09:50:34PM +0100, Jeremiah Foster wrote:
> I have configured exim4 (with considerable help from Marc Haber,) to
> listen on port 587 with TLS. Due to the entropy bug my mail is getting
> frozen and comes back with this error message; "smtp transport process
> returned non-zero status 0x0200: exit code 2"
>
> When trying to debug the message using exim4 -d -M 1Ew3mJ-0005AX-E9 I
> get a lot of output and no delivery, sometimes a message saying "Fatal:
> out of entropy" appears after debugging.
>
> Is there any way to remove TLS so that mail can continue to flow?

Yes. The information about how to disable TLS and how to allow SMTP AUTH over unencrypted connections is in README.Debian.

Additionally, the latest exim4 packages (starting with 4.60-3) optionally allow building with openssl instead of GnuTLS. If you have the possibility to re-build exim4 locally, this may be an option. I would also be interested in learning whether this actually works better than GnuTLS.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax:   *49 621 72739835
Sven Hartge
2006-Jan-29 23:47 UTC
[Pkg-exim4-users] Downgrading or removing TLS due to lack of entropy
At 15:43 on 19.01.06, Marc Haber wrote:
> Additionally, the latest exim4 packages (starting with 4.60-3) allow
> optionally build with openssl instead of GnuTLS. If you have the
> possiblity to re-build exim4 locally, this may be an option. I would
> also be interested in learning whether this actually works better than
> GnuTLS.

I have been hit by the entropy problem as well, and it was really bad, since only some encrypted mails caused a major DoS on my server: the entropy pool was depleted so fast (in fact, just _one_ mail was needed for the pool to go from 3500 to about 120) that the kernel was not able to refill it fast enough.

After recompiling exim with OpenSSL, this problem went away.

So in my opinion, there is definitely something wrong with gnutls, as it uses _way_ too much entropy from the pool compared to openssl.

Regards,
Sven.

-- 
Sven Hartge -- professional Unix geek
My thoughts on the net: http://www.svenhartge.de/
Note: new mail address: sven@svenhartge.de
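A small monitor for the pool collapse Sven describes, added here as an example and not code from this thread or the exim4 packages. It reads the Linux counters in /proc/sys/kernel/random and flags a sample-to-sample drop like the 3500-to-120 one above; the low-water mark and drop fraction are assumed thresholds, not kernel defaults.

```python
"""Watch the kernel entropy pool and report sudden depletion events."""
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # bits available
POOLSIZE = "/proc/sys/kernel/random/poolsize"            # bits in the pool


def read_proc_int(path, default=None):
    """Read a single integer from a /proc file; return default if unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def find_depletion_events(samples, low_water=256, drop_fraction=0.5):
    """Scan consecutive entropy_avail readings and return one tuple
    (index, before, after, reason) per transition that either lost more
    than drop_fraction of the pool or crossed below low_water.
    Thresholds are assumptions chosen for this example."""
    events = []
    for i in range(1, len(samples)):
        before, after = samples[i - 1], samples[i]
        if before > 0 and (before - after) / before > drop_fraction:
            events.append((i, before, after, "sudden drop"))
        elif after < low_water <= before:
            events.append((i, before, after, "below low-water mark"))
    return events


def monitor(interval=1.0, count=60):
    """Sample the live pool `count` times and print any depletion events.
    Returns the collected samples so a caller can inspect them."""
    poolsize = read_proc_int(POOLSIZE, default=0)
    samples = []
    for _ in range(count):
        avail = read_proc_int(ENTROPY_AVAIL)
        if avail is None:
            raise SystemExit("entropy_avail not readable; Linux /proc required")
        samples.append(avail)
        time.sleep(interval)
    for i, before, after, why in find_depletion_events(samples):
        print(f"sample {i}: {before} -> {after} of {poolsize} bits ({why})")
    return samples


if __name__ == "__main__":
    monitor()
```

On kernels from 5.18 onward entropy_avail stays constant once the pool is initialised, so the drain this thread describes is only observable on older kernels such as the ones in use here.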