> Bron,
>
> My Cyrus is from RPM, and I am just nursing it along until my users
> finish migrating off and FastMail manages to complete my own migration,
> so I don't want to build from source. Why would IMAP/S block on empty
> /dev/random, while IMAP+STARTTLS works? FWIW, SASL2 seems to use urandom.

If this is really stock CentOS 5 then I think everything Cyrus related
should use /dev/urandom and not /dev/random. But, could it be that other
software you installed uses /dev/random and makes it "empty"?

Simon

>
>> [root@inspector random]# strings /usr/lib/libsasl* |grep random
>> /dev/urandom
>> /dev/urandom
>
>
> But my /dev/random does seem quite low. Still surfing and looking for a
> good way to fill it on a mostly headless server -- I haven't found a
> good solution yet.
>
> Chris
>
>> [root@inspector ~]# ls -l /dev/*random
>> crw-rw-rw- 1 root root 1, 8 Oct 31 02:05 /dev/random
>> cr--r--r-- 1 root root 1, 9 Oct 31 02:05 /dev/urandom
>> [root@inspector ~]# cd /proc/sys/kernel/random
>> [root@inspector random]# more *|cat
>> ::::::::::::::
>> boot_id
>> ::::::::::::::
>> d3724e19-7462-4224-960b-49d5d3a18d7a
>> ::::::::::::::
>> entropy_avail
>> ::::::::::::::
>> 17
>> ::::::::::::::
>> poolsize
>> ::::::::::::::
>> 4096
>> ::::::::::::::
>> read_wakeup_threshold
>> ::::::::::::::
>> 64
>> ::::::::::::::
>> uuid
>> ::::::::::::::
>> a3ed2323-e04d-4034-a72a-76b5d4b697f7
>> ::::::::::::::
>> write_wakeup_threshold
>> ::::::::::::::
>> 128
>
>
> On 10/31/10 9:26 PM, Bron Gondwana wrote:
>> Sounds like your /dev/random is empty. You can compile with /dev/urandom
>> or add a source of entropy...
>>
>> "Chris Pepper"<pepper@xxxxxxxxxxxxxx> wrote:
>>
>>> mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
>>> along with SquirrelMail, postfix, etc. Last night, I noticed that when I
>>> sent mail from Thunderbird, it was not able to file copies in the Sent
>>> mailbox, although they did reach the recipients, so postfix was
>>> accepting mail on 587/tcp.
>>>
>>> I restarted Cyrus IMAPd but don't see any error messages in
>>> /var/log/maillog, and the cert & key look fine. SquirrelMail is fine
>>> using plain IMAP. I opened 143/tcp in the firewall, and am able to fetch
>>> mail via IMAP with STARTTLS, so it looks like the cert and key are fine.
>>>
>>> But "telnet mail.reppep.com 993" and openssl fail to get any response.
>>> Port 993 is open to the Internet, FWIW.
>>>
>>> Does anyone have any suggestions for what went wrong and/or how to fix?
>>> I'll try tcpdump next to see if it's responding at all.
>>>
>>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>> 143? I was blocking external access to it to make sure users always use
>>> encryption to connect, but port 143 with STARTTLS required would be an
>>> acceptable alternative.
>>>
>>> Thanks,
>>>
>>> Chris Pepper
>>>
>>>> pepper@imp:~$ !openssl
>>>> openssl s_client -connect www.reppep.com:993
>>>> CONNECTED(00000003)
>>>> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
>>>
>>>
>>>> [root@inspector ~]# cat /etc/imapd.conf
>>>> admins: cyrus
>>>> altnamespace: yes
>>>> configdirectory: /var/lib/imap
>>>> duplicatesuppression: yes
>>>> hashimapspool: no
>>>> partition-default: /var/spool/imap
>>>> servername: mail.reppep.com
>>>> singleinstancestore: yes
>>>> #syslog_prefix: cyrus
>>>> unixhierarchysep: yes
>>>>
>>>> lmtp_downcase_rcpt: yes
>>>> maxmessagesize: 20971520
>>>> sendmail: /usr/sbin/sendmail
>>>> #quotawarn: 80
>>>>
>>>> #allowplaintext: yes
>>>> #allowplainwithouttls: yes
>>>> sasl_pwcheck_method: saslauthd
>>>> #imap_auth_login: yes
>>>> #imap_auth_cram_md5: yes
>>>> #imap_auth_plain: yes
>>>>
>>>> autocreateinboxfolders: Junk
>>>> autocreatequota: -1
>>>> #autocreate_sieve_script: /etc/junk.sieve
>>>> autocreate_sieve_compiledscript: /etc/sieve.bc
>>>> autosievefolders: Junk
>>>> autosubscribeinboxfolders: Junk
>>>> createonpost: yes
>>>> #sievedir: /var/lib/imap/sieve
>>>> sieveusehomedir: true
>>>>
>>>> tls_ca_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> tls_key_file: /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>>> [root@inspector ~]# ls -l /etc/pki/tls/certs/mail.reppep.com.20100115.crt /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> -rw-r--r-- 1 root root 6466 Oct 1 17:13 /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>> -rw-r----- 1 root mail 497 Feb 19 2008 /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>> [root@inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
>>>> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
>>>> tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
>>>> tcp 0 0 10.0.104.200:53 0.0.0.0:* LISTEN
>>>> tcp 0 0 :::110 :::* LISTEN
>>>> tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
>>>> tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
>>>> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
>>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
>>>> tcp 0 0 :::143 :::* LISTEN
>>>> tcp 0 0 ::1:953 :::* LISTEN
>>>> tcp 0 0 :::2000 :::* LISTEN
>>>> tcp 0 0 :::22 :::* LISTEN
>>>> tcp 0 0 :::4242 :::* LISTEN
>>>> tcp 0 0 :::443 :::* LISTEN
>>>> tcp 0 0 :::5222 :::* LISTEN
>>>> tcp 0 0 :::5223 :::* LISTEN
>>>> tcp 0 0 :::5229 :::* LISTEN
>>>> tcp 0 0 :::5269 :::* LISTEN
>>>> tcp 0 0 66.92.104.200:53 0.0.0.0:* LISTEN
>>>> tcp 0 0 :::8080 :::* LISTEN
>>>> tcp 0 0 :::80 :::* LISTEN
>>>> tcp 0 0 :::8483 :::* LISTEN
>>>> tcp 0 0 :::9090 :::* LISTEN
>>>> tcp 0 0 :::9091 :::* LISTEN
>>>> tcp 0 0 :::993 :::* LISTEN
>>>> tcp 0 0 :::995 :::* LISTEN
>>>> tcp 0 0 ::ffff:127.0.0.1:4243 :::* LISTEN
>>>
>>
>

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
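The three manual checks in this thread (pool level against the wakeup threshold, which processes hold /dev/random open, and which device names a library references) can be gathered into one script. This is an added example, not part of any message above; the function names and the optional directory arguments are assumptions made so the checks can be run against constructed data.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the optional
# directory arguments are assumptions for illustration and testing.

# entropy_status [DIR]: compare entropy_avail with read_wakeup_threshold,
# the number of bits required before sleeping /dev/random readers are woken.
entropy_status() {
    dir=${1:-/proc/sys/kernel/random}
    avail=$(cat "$dir/entropy_avail") || return 2
    # Assumption: if the threshold file is missing, use 64 (value in the thread).
    thresh=$(cat "$dir/read_wakeup_threshold" 2>/dev/null || echo 64)
    if [ "$avail" -lt "$thresh" ]; then
        echo "starved avail=$avail threshold=$thresh"
    else
        echo "ok avail=$avail threshold=$thresh"
    fi
}

# random_readers [PROCROOT]: PIDs with the blocking device open, i.e. the
# candidates for "other software" consuming the pool. Needs root on a live box.
random_readers() {
    root=${1:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = /dev/random ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -un
}

# random_refs FILE...: device names embedded in each binary, the question
# `strings /usr/lib/libsasl* | grep random` answers in the thread.
random_refs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        devs=$(grep -aoE '/dev/u?random' "$f" | sort -u | paste -sd ' ' -)
        echo "$f: ${devs:-none}"
    done
}

# Query the live system only when invoked as: sh script.sh live
if [ "${1:-}" = live ]; then
    entropy_status
    random_readers
    random_refs /usr/lib/libsasl*
fi
```
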