Having looked through the Net::SSLeay README, there's a bunch that suggests that it's best to compile your own Net::SSLeay and OpenSSL on the same machine with the same settings. I've not done that, and never have (nor do I have the skillset to do much more than run a simple make command). I'd love to find the time to give this a go, but what do you all think - could this be it? Why would gmail.com always be bad, but others not (that I've seen)?
On Tue, Aug 2, 2016 at 1:22 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> >How do you know the type of encryption that gmail is using?
>
> You'll find it in the Received header line written by assp.
>
> >I have SSLDebug set to level 3,
>
> This helps not much. Most of the SSL-debug output goes to NUL.
> But if there were errors in SSL - you would see them in the maillog.
>
> >I changed EnableHighPerformace to "very high,"
>
> I don't recommend doing this. This cuts the cycle time (poll/select wait
> time) in the workers to a minimum. Even if assp is idle - if this is set,
> it will permanently poll the sockets and will produce unwanted CPU
> workload. I know 'EnableHighPerformace' sounds magic, but it is more
> implemented to tweak exceptional environments.
> However, if your host accepts this workload - it is fine.
>
> >Anything else I should try tweaking?
>
> Don't try too much. Tweak (if) one by one step. Use the
> 'notes/confighistory.txt' - the old and new values are recorded there.
>
> I have an idea about the gmail problem. It may be the case that they
> request SSL rehandshakes more or less often depending on the used
> certificate and/or cipher to raise the security of the connection. Such a
> behavior would slow down the SSL speed - BUT, now the bad news, this is a
> client request (made by gmail). Perl's Net::SSLeay has no easy way to
> ignore these requests. The only way would be to pipe all SSL packets
> through an assp routine (this is possible), which would drop the
> renegotiation requests. Such code will slow down ALL SSL traffic
> dramatically, if written in pure perl.
>
> >We are using a 2048bit certificate. It's a wildcard (*.ourcharity.org)
> >cert, but I don't think that has anything to do with it.
>
> Who knows? But to exclude this, you may use an innocent self-signed
> certificate and key - create it with openssl - for a while.
> BTW. assp will create such certificate and keys, if the 'assp/certs'
> folder is empty at startup.
> :):)
>
> Thomas
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 02.08.2016 18:34
> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
>
> Thanks for chiming in Thomas with such a detailed response.
>
> First, when Google gives up, it gives a message like:
>
> Technical details of temporary failure:
> Missed upload deadline (899.97s) (state SENT_MESSAGE)
>
> So it's 15 minutes that it'll try to send a file for. At under 2mb a
> minute, anything over about 25megs (considering overhead) will ultimately
> fail. No good since lots of gmail users send us large files.
>
> We're on a 100mbit line, both directions, but I'd happily take a 9.1 mb
> attachment sent over TLS taking 2 minutes. I suspect when I find out what
> the problem is that it'll be MUCH faster than that.
>
> We are using a 2048bit certificate. It's a wildcard (*.ourcharity.org)
> cert, but I don't think that has anything to do with it.
>
> We're using local storage on the Hyper-V host, RAID 10 with 4 7200rpm SAS
> drives. It's not the fastest disk array, but it seems fine. I can't see
> slow disks impacting TLS like this if non-TLS connections fly.
>
> The Hyper-V host is a dual processor, 2.6ghz, 6 core each, 12mb cache.
> I've got a total of 10 cores assigned to the ASSP guest.
>
> I have SSLDebug set to level 3, but I don't see anything in the maillog.
> How do you know the type of encryption that gmail is using? It would be
> nice to compare how gmail is connecting vs outlook.com which seems much
> faster (though not super fast)
>
> I've got SSL_Version set to
> SSLv23:!SSLv3:!SSLv2
>
> and
> SSL_Cipher_List set to
>
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>
> My unscientific test of changing the cipher list to the default doesn't
> seem to make a difference.
>
> MinPollTime is 1, I think it always has been.
> I changed EnableHighPerformace to "very high," changed thread cycle time to
> 1000, maintenance thread cycle time to 2000, and rebuildthreadcycletime to
> 15. That definitely made a difference in the rebuild time, almost halving
> it (not that I really care about that though).
>
> Anything else I should try tweaking? I don't care if there's high CPU
> usage, we have reasonable processing power to spare.
>
> Thank you
>
> On Tue, Aug 2, 2016 at 12:02 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
> > I just made similar tests with my gmail account. I can't reproduce this
> > behavior related to gmail.com.
> >
> > I've sent a 9.1MB attachment in 133 seconds. Gmail used SMTPS(TLSv1_2
> > ECDHE-RSA-AES256-GCM-SHA384) - which is commonly used by many
> > clients/servers.
> > Sender was mail-qt0-f181.google.com ([209.85.216.181]
> > helo=mail-qt0-f181.google.com)
> > My line speed is 16MB/s inbound and 4MB/s outbound.
> >
> > I saw many faster SMTPS connections but also many slower - this may depend
> > on the usage of my ISP connection.
> >
> > 133 seconds for such a mail is acceptable (I think).
> >
> > SSLv2/3:!SSLv3:!SSLv2
> > DEFAULT:!aNULL:!RC4:!MD5
> >
> > are my SSL settings - not very strong - I know :):)
> >
> > the private key used is 2048 Bit long
> >
> > In front of assp is the ISP-router and a pfsense 2.3.2 with snort 3.2.9.1.
> > Snort is configured the very hard way, except the SMTP rules are a bit
> > more weak, because I need some spam.
> > ASSP is running on a 4 Core 6GB W2K3 enterprise with an absolutely
> > up-to-date ActivePerl 5.16.3 - using all Plugins, features and a replicated
> > MySQL 5.6.
> > Domain based mail routing (in- and out-bound) is done by hmailserver
> > 5.6.4-B2283.
> > All components are configured to use SSL/TLS whenever this is possible.
> > For testing purposes I use a FreeBSD 10.2 with Perl 5.20 and ASSP - it
> > runs just as stable as the production system.
> >
> > You see - nothing magic, but maintained (except the nice old W2K3 - but
> > it works like a swiss made watch with an ETA 7750).
> >
> > I really don't know what I can do to fix up the SSL/TLS problems.
> >
> > Only to be complete:
> > Backend for the mail environment and LDAP stuff is a Domino 9.0.1FP6.
> > All the stuff above (and very much more) is running on a single VMWare
> > vSphere 5.5 ( 8x 2.66GHz 48GB / x3650M2).
> > Backups are done with EMC-Networker + EBR + DataDomain-VE, stored at a
> > QNAP 419P+
> >
> > Thomas
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 02.08.2016 00:07
> > Subject: [Assp-test] Inbound TLS from gmail.com addresses / servers
> >
> >
> > I originally thought that we had a problem with all TLS inbound email. As
> > it turns out, my conclusion appears to have been wrong.
> >
> > - There are some SLOW servers outside that are just plain slow (nothing
> >   I can do there),
> > - TLS seems to work reasonably fast with most inbound mail, though
> >   significantly slower than without TLS (5 seconds for an 11mb file
> >   without tls, vs 45 seconds with TLS on)
> > - GMAIL.com inbound TLS emails are SLOW, no matter what settings I tweak
> >
> > With inbound gmail.com message, if I have TLS off, an 11mb attachment is
> > delivered through ASSP in under 5 seconds. With TLS on it takes close to
> > 10 minutes, which gets close to gmail's limit.
> >
> > I've tested with Outlook.com and that same 11mb attachment comes in through
> > ASSP with TLS on in about 45 seconds.
> >
> > Sending a 30mb attachment from gmail FAILS because it takes too long. gmail
> > will try for I believe 10 minutes to send a message, then it quits and
> > retries. After a couple tries, it sends an NDR.
> >
> > This is a Windows 2012 R2 server, latest ASSP dev, OpenSSL 1.0.2h installed
> > from slproweb.com/products/Win32OpenSSL.html (though I've also tried with
> > the OpenSSL I downloaded a while back from the ASSP sourceforge site).
> > Net::SSLeay 1.74 (openssl 1.0.2g). I'm almost certain that the OpenSSL
> > installation is not used by ASSP, but I've not been able to get
> > confirmation of that here.
> >
> > Just updated IO::Socket::SSL to 2.033.
> > Net::SMTP::SSL 1.02.
> >
> > CPU usage as reported by assp is 4.78%. It's not on the fastest machine in
> > the world (it's a Hyper-V guest on a decent machine), but it seems speedy
> > enough. 24gb ram. We've got similar physical hosts running Exchange as a
> > guest without any speed issues whatsoever.
> >
> > Any other info I can provide to help figure this out?
> >
> > Disabling TLS for any gmail inbound mail isn't a feasible option, plus I
> > don't know if it really is just google, or just the way that google
> > connects which others might too...
> >
> > Thank you all.
------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
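Two things in this thread can be checked directly rather than guessed at: whether the OpenSSL package installed on the box is the one Net::SSLeay actually links against, and which TLS version and cipher a STARTTLS session negotiates under the posted SSL_Version and SSL_Cipher_List strings. The script below is an added diagnostic, not assp's own code; the host and port arguments and the EHLO name diag.example are assumptions.

```perl
# Added diagnostic, not part of assp: show which OpenSSL Net::SSLeay is really
# linked against, then do an SMTP STARTTLS handshake with the SSL_Version /
# SSL_Cipher_List strings from the thread and report what was negotiated.
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::INET;
use IO::Socket::SSL;   # exports SSL_VERIFY_NONE and $SSL_ERROR

my $host = shift @ARGV || 'localhost';  # assumption: your own assp/MTA host
my $port = shift @ARGV || 25;
my $sslver  = 'SSLv23:!SSLv3:!SSLv2';
my $ciphers = 'kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW'
            . ':!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED';

# 1. The OpenSSL that counts is the one compiled into Net::SSLeay, not a
#    separately installed OpenSSL package.
printf "Net::SSLeay %s, IO::Socket::SSL %s\n", $Net::SSLeay::VERSION, $IO::Socket::SSL::VERSION;
printf "linked OpenSSL: %s\n", Net::SSLeay::SSLeay_version(0);

# 2. Plain SMTP up to STARTTLS, then upgrade the same socket to TLS.
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Timeout => 10)
    or die "connect: $@\n";
sub smtp_reply {   # one SMTP reply, including "250-..." continuation lines
    my @lines;
    while (defined(my $l = <$sock>)) {
        push @lines, $l;
        last if $l =~ /^\d{3} /;
    }
    return @lines;
}
smtp_reply();                                   # server greeting
print $sock "EHLO diag.example\r\n";            # assumption: any EHLO name
die "no STARTTLS offered\n" unless grep { /^250[- ]STARTTLS/i } smtp_reply();
print $sock "STARTTLS\r\n";
my ($rc) = smtp_reply();
die "STARTTLS refused: $rc" unless $rc =~ /^220/;

my $t0 = time;
IO::Socket::SSL->start_SSL($sock,
    SSL_version     => $sslver,
    SSL_cipher_list => $ciphers,
    SSL_verify_mode => SSL_VERIFY_NONE,   # measuring speed here, not trust
    SSL_hostname    => $host,
) or die "TLS handshake failed: $SSL_ERROR\n";
printf "negotiated %s / %s, handshake %d s\n", $sock->get_sslversion, $sock->get_cipher, time - $t0;
print $sock "QUIT\r\n";
close $sock;
```

Compare the "linked OpenSSL" line with the version reported next to Net::SSLeay 1.74 above, and the negotiated cipher with what assp writes into the Received header for a gmail.com connection.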