On 11/1/10 10:46 AM, Simon Matter wrote:
>> Bron,
>>
>> My Cyrus is from RPM, and I am just nursing it along until my users
>> finish migrating off and FastMail manages to complete my own migration,
>> so I don't want to build from source. Why would IMAP/S block on empty
>> /dev/random, while IMAP+STARTTLS works? FWIW, SASL2 seems to use urandom.
>
> If this is really stock CentOS 5 then I think everything Cyrus related
> should use /dev/urandom and not /dev/random. But, could it be that other
> software you installed uses /dev/random and makes it "empty"?

Most things are CentOS RPMs (thanks for those! ;), with a few from RPMforge.

> [root@inspector ~]# rpm -q cyrus-imapd amavisd-new clamav spamassassin postfix httpd mod_ssl
> cyrus-imapd-2.3.7-7.el5_4.3
> amavisd-new-2.6.4-3.el5.rf
> clamav-0.96.4-1.el5.rf
> spamassassin-3.3.1-3.el5.rf
> postfix-2.3.3-2.1.el5_2
> httpd-2.2.3-43.el5.centos.3
> mod_ssl-2.2.3-43.el5.centos.3

Which still leaves me thinking my port 993 problem isn't entropy, because
STARTTLS works fine.

Chris

>>> [root@inspector random]# strings /usr/lib/libsasl* |grep random
>>> /dev/urandom
>>> /dev/urandom
>>
>>
>> But my /dev/random does seem quite low. Still surfing and looking for a
>> good way to fill it on a mostly headless server -- I haven't found a
>> good solution yet.
>>
>> Chris
>>
>>> [root@inspector ~]# ls -l /dev/*random
>>> crw-rw-rw- 1 root root 1, 8 Oct 31 02:05 /dev/random
>>> cr--r--r-- 1 root root 1, 9 Oct 31 02:05 /dev/urandom
>>> [root@inspector ~]# cd /proc/sys/kernel/random
>>> [root@inspector random]# more *|cat
>>> ::::::::::::::
>>> boot_id
>>> ::::::::::::::
>>> d3724e19-7462-4224-960b-49d5d3a18d7a
>>> ::::::::::::::
>>> entropy_avail
>>> ::::::::::::::
>>> 17
>>> ::::::::::::::
>>> poolsize
>>> ::::::::::::::
>>> 4096
>>> ::::::::::::::
>>> read_wakeup_threshold
>>> ::::::::::::::
>>> 64
>>> ::::::::::::::
>>> uuid
>>> ::::::::::::::
>>> a3ed2323-e04d-4034-a72a-76b5d4b697f7
>>> ::::::::::::::
>>> write_wakeup_threshold
>>> ::::::::::::::
>>> 128
>>
>>
>> On 10/31/10 9:26 PM, Bron Gondwana wrote:
>>> Sounds like your /dev/random is empty. You can compile with /dev/urandom
>>> or add a source of entropy...
>>>
>>> "Chris Pepper" <pepper@xxxxxxxxxxxxxx> wrote:
>>>
>>>> mail.reppep.com (CentOS 5) is running cyrus-imapd-2.3.7-7.el5_4.3,
>>>> along with SquirrelMail, postfix, etc. Last night, I noticed that when I
>>>> sent mail from Thunderbird, it was not able to file copies in the Sent
>>>> mailbox, although they did reach the recipients, so postfix was
>>>> accepting mail on 587/tcp.
>>>>
>>>> I restarted Cyrus IMAPd but don't see any error messages in
>>>> /var/log/maillog, and the cert & key look fine. SquirrelMail is fine
>>>> using plain IMAP. I opened 143/tcp in the firewall, and am able to fetch
>>>> mail via IMAP with STARTTLS, so it looks like the cert and key are fine.
>>>>
>>>> But "telnet mail.reppep.com 993" and openssl fail to get any response.
>>>> Port 993 is open to the Internet, FWIW.
>>>>
>>>> Does anyone have any suggestions for what went wrong and/or how to fix?
>>>> I'll try tcpdump next to see if it's responding at all.
>>>>
>>>> Alternatively, is there a way to make sure Cyrus requires STARTTLS on
>>>> 143? I was blocking external access to it to make sure users always use
>>>> encryption to connect, but port 143 with STARTTLS required would be an
>>>> acceptable alternative.
>>>>
>>>> Thanks,
>>>>
>>>> Chris Pepper
>>>>
>>>>> pepper@imp:~$ !openssl
>>>>> openssl s_client -connect www.reppep.com:993
>>>>> CONNECTED(00000003)
>>>>> 4284:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s23_lib.c:188:
>>>>
>>>>
>>>>> [root@inspector ~]# cat /etc/imapd.conf
>>>>> admins: cyrus
>>>>> altnamespace: yes
>>>>> configdirectory: /var/lib/imap
>>>>> duplicatesuppression: yes
>>>>> hashimapspool: no
>>>>> partition-default: /var/spool/imap
>>>>> servername: mail.reppep.com
>>>>> singleinstancestore: yes
>>>>> #syslog_prefix: cyrus
>>>>> unixhierarchysep: yes
>>>>>
>>>>> lmtp_downcase_rcpt: yes
>>>>> maxmessagesize: 20971520
>>>>> sendmail: /usr/sbin/sendmail
>>>>> #quotawarn: 80
>>>>>
>>>>> #allowplaintext: yes
>>>>> #allowplainwithouttls: yes
>>>>> sasl_pwcheck_method: saslauthd
>>>>> #imap_auth_login: yes
>>>>> #imap_auth_cram_md5: yes
>>>>> #imap_auth_plain: yes
>>>>>
>>>>> autocreateinboxfolders: Junk
>>>>> autocreatequota: -1
>>>>> #autocreate_sieve_script: /etc/junk.sieve
>>>>> autocreate_sieve_compiledscript: /etc/sieve.bc
>>>>> autosievefolders: Junk
>>>>> autosubscribeinboxfolders: Junk
>>>>> createonpost: yes
>>>>> #sievedir: /var/lib/imap/sieve
>>>>> sieveusehomedir: true
>>>>>
>>>>> tls_ca_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> tls_cert_file: /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> tls_key_file: /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> tls_cipher_list: SSLv3:TLSv1:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>>>> [root@inspector ~]# ls -l /etc/pki/tls/certs/mail.reppep.com.20100115.crt /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> -rw-r--r-- 1 root root 6466 Oct  1 17:13 /etc/pki/tls/certs/mail.reppep.com.20100115.crt
>>>>> -rw-r----- 1 root mail  497 Feb 19  2008 /etc/pki/tls/private/mail.reppep.com.20080219.key
>>>>> [root@inspector ~]# netstat -an|grep LIST|grep tcp|sort -n
>>>>> tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:2000                0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 10.0.104.200:53             0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 :::110                      :::*                        LISTEN
>>>>> tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 :::143                      :::*                        LISTEN
>>>>> tcp        0      0 ::1:953                     :::*                        LISTEN
>>>>> tcp        0      0 :::2000                     :::*                        LISTEN
>>>>> tcp        0      0 :::22                       :::*                        LISTEN
>>>>> tcp        0      0 :::4242                     :::*                        LISTEN
>>>>> tcp        0      0 :::443                      :::*                        LISTEN
>>>>> tcp        0      0 :::5222                     :::*                        LISTEN
>>>>> tcp        0      0 :::5223                     :::*                        LISTEN
>>>>> tcp        0      0 :::5229                     :::*                        LISTEN
>>>>> tcp        0      0 :::5269                     :::*                        LISTEN
>>>>> tcp        0      0 66.92.104.200:53            0.0.0.0:*                   LISTEN
>>>>> tcp        0      0 :::8080                     :::*                        LISTEN
>>>>> tcp        0      0 :::80                       :::*                        LISTEN
>>>>> tcp        0      0 :::8483                     :::*                        LISTEN
>>>>> tcp        0      0 :::9090                     :::*                        LISTEN
>>>>> tcp        0      0 :::9091                     :::*                        LISTEN
>>>>> tcp        0      0 :::993                      :::*                        LISTEN
>>>>> tcp        0      0 :::995                      :::*                        LISTEN
>>>>> tcp        0      0 ::ffff:127.0.0.1:4243       :::*                        LISTEN
>>>>
>>>> ----
>>>> Cyrus Home Page: http://www.cyrusimap.org/
>>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>>>
>>
>>
>
>

-- 
Chris Pepper:  <http://cbio.mskcc.org/>  <http://www.extrapepperoni.com/>
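The thread does three things by hand: compares entropy_avail with read_wakeup_threshold under /proc/sys/kernel/random, greps a SASL library for which random device it names, and pokes port 993 with openssl s_client. The script below is an added example (not from the thread or from Cyrus) that packages those as functions; it assumes Linux /proc, GNU grep -o, and, for the probe only, the coreutils `timeout` and `openssl` binaries.

```shell
#!/bin/sh
# Added example: the thread's entropy / library / port checks as functions.
# Assumes Linux /proc, GNU grep -o; probe_imaps also needs coreutils timeout + openssl.

# A blocking /dev/random read stalls while entropy_avail is below
# read_wakeup_threshold; the thread's counters (17 of 4096, threshold 64) are
# exactly that state. Returns 0 if fine, 1 if starved, 2 if the counters are unreadable.
entropy_status() {
    dir="${1:-/proc/sys/kernel/random}"
    avail=$(cat "$dir/entropy_avail" 2>/dev/null) || return 2
    thresh=$(cat "$dir/read_wakeup_threshold" 2>/dev/null) || return 2
    pool=$(cat "$dir/poolsize" 2>/dev/null) || return 2
    if [ "$avail" -lt "$thresh" ]; then
        echo "STARVED: entropy_avail=$avail < read_wakeup_threshold=$thresh (pool $pool bits)"
        return 1
    fi
    echo "OK: entropy_avail=$avail >= read_wakeup_threshold=$thresh (pool $pool bits)"
}

# Which random device(s) a binary or library names, one per line. Same idea as the
# thread's `strings ... | grep random`, but grep -a needs no binutils.
random_devices_in() {
    grep -a -o -E '/dev/u?random' "$1" 2>/dev/null | sort -u
}

# TLS handshake probe of an IMAPS port with a hard timeout, so a daemon blocked
# on /dev/random shows up as a failed probe rather than a hung shell.
# Returns 0 when the server sends its certificate. Needs network access; not run by tests.
probe_imaps() {
    host="$1"; port="${2:-993}"
    timeout 10 openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Constructed sample directory holding the counters posted in the thread
# (17 / 64 / 4096), so the starved case can be exercised without the real /proc.
make_sample_random_dir() {
    d=$(mktemp -d)
    echo 17   > "$d/entropy_avail"
    echo 64   > "$d/read_wakeup_threshold"
    echo 4096 > "$d/poolsize"
    echo "$d"
}

# Usage on a live host:
#   entropy_status                                        # reads /proc/sys/kernel/random
#   for f in /usr/lib/libsasl*; do random_devices_in "$f"; done
#   probe_imaps mail.example.invalid 993                  # placeholder hostname
```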