Re: SSL connection reset by peer

2016-08-04 Thread Vince42
Hi,

[Olaf Hopp] - [2016-08-02 23:45]
> just a shot into the dark: if you are running out of entropy, you
> might get SSL errors. If this is a virtual machine, there are not
> many entropy sources. Consider installing alternative entropy sources
> like haveged(*), available in many distro repos.

Thank you for your hint. I followed the entropy idea when I first
encountered this strange behaviour, but there was no shortage.

Tweaking the parameters for the imap_login service seemed to fix the
problems, now I need to try to set them to reasonable values in order to
have the best compromise between "secure" and "high performance" as
described in the Dovecot wiki.

-- 
Cheers,\\|//
Vince  (o o)
ooO-(_)-Ooo-
 '''   (o)_(o)[ ][0][ ]
 ô¿ô   (=°o°=)   World Domination by Copy and Paste   [ ][ ][0]
  -(")_(")[0][0][0]

 ()  ascii ribbon campaign - against html e-mail
 /\  www.asciiribbon.org   - against proprietary attachments
   Ooo.
---.ooO(  )-
   (  )(_/
\_)


Re: SSL connection reset by peer

2016-08-02 Thread Olaf Hopp

On 07/27/2016 11:55 PM, Vince42 wrote:

> Hi,
>
> [Steffen Kaiser] - [2016-07-26 09:05]
>>>>> I am running a dovecot server and have set up an external
>>>>> monitoring, where every five minutes a login with SSL on port
>>>>> 993 is done. I usually get once a day an error "connection
>>>>> reset by peer - SSL connect", which goes away until the next
>>>>> monitor is executed.
>
>>>> that looks like a basic networking issue to me. Do you have logs
>>>> how many users try to connect at this time? Is it always the same
>>>> time range? Is the server load very high?
>
>>> My server has nice specs (in fact a 30 times lower scaled server
>>> never had this kind of problems), I also don't host many domains
>>> and users, therefore I doubt that some kind of limit might be
>>> touched. I also suspected some internal system load, but
>>> unfortunately the error occurs arbitrarily, which makes me think
>>> that no scheduled process is responsible for this. I also ran 'top'
>>> during such an event without any obvious load tasks. The system
>>> statistics also show no weird peaks. I read about the "running out
>>> of random" phenomenon, but during such an event there were still
>>> enough resources random-wise.
>
>> what about the network itself? Does the monitor cross a firewall?
>
> I do not know all the details about my provider's data center, but the
> monitor is an internal one running on one of their machines in their
> infrastructure. I therefore doubt that this error could be related to
> some network issue. The monitor just makes a normal IMAP login and fails
> with the SSL error - and a few minutes later everything is fine again.
>
>>> Could it be that I need to offer more login processes or that I
>>> should raise some of my configuration values? The
>>> mail_max_userip_connections does not seem to solve the problem.
>
>> usually you get some warning in the logs, if such limit is reached.
>
> I desperately searched all kinds of logs - but nothing indicates a
> problem that would explain these arbitrary logon errors. I always
> thought that I should be more generous with login processes or other
> system resources in order to overcome this - but it seems that I am on
> the wrong track, if my doveconf -n does not show any oddities.
>
> I fear I will have to accept this error as being "normal" - which is
> really odd as my former server ran for years with the same config
> without any warning at all. Maybe the next will do it again ... :)))



Hi Vince,
just a shot into the dark:
if you are running out of entropy, you might get SSL errors.
If this is a virtual machine, there are not many entropy sources.
Consider installing alternative entropy sources like haveged(*),
available in many distro repos.

Regards, Olaf

(*) http://www.issihosts.com/haveged/

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.





Re: SSL connection reset by peer

2016-08-01 Thread Vince42
Hi,

[Steffen Kaiser] - [2016-07-26 09:05]
>> Could it be that I need to offer more login processes or that I should
>> raise some of my configuration values? The mail_max_userip_connections
>> does not seem to solve the problem.

> usually you get some warning in the logs, if such limit is reached.

I changed some parameters in the imap-login service and the problem
seems to be gone - at least I have not received any error message in
three days.

Following the examples on http://wiki.dovecot.org/LoginProcess I changed
10-master.conf to

service imap-login {
  service_count = 0
  #client_limit = $default_client_limit
  process_min_avail = 8
  vsz_limit = 256M
}

I think that these parameters are very generous and I would rather like
to stick to "high security" than to "high performance". What would be
your recommendations? Would it suffice to try to set service_count back
to 1? Also I did not touch the client_limit, as I did not understand the
formula "Default client_limit * process_limit = 1000*100 = 100k
connections" given on the wiki page.

Any suggestions are welcome and highly appreciated.

-- 
Cheers,
Vince
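
An added example (not part of the message above and not Dovecot's own code) that works through the wiki formula quoted in that message: it reads a `service imap-login` block and reports the connection ceiling for each login mode. The defaults of 1000 and 100 are the ones the quoted formula uses; the function names and the `POSTED` sample string are constructed for illustration.

```python
import re

# Built-in defaults, matching the wiki formula quoted in the message (1000 * 100).
DEFAULTS = {"default_client_limit": 1000, "default_process_limit": 100}

def parse_service(conf_text, name):
    """Collect the top-level key = value settings of `service <name> { ... }`."""
    settings, depth = {}, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out settings do not count
        if not line:
            continue
        if depth == 0:
            if re.fullmatch(rf"service\s+{re.escape(name)}\s*\{{", line):
                depth = 1
        elif line.endswith("{"):              # nested block, e.g. inet_listener
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def resolve_limit(settings, key):
    """An unset limit falls back to default_<key>; '$name' refers to a default."""
    value = settings.get(key, "$default_" + key)
    return DEFAULTS[value[1:]] if value.startswith("$") else int(value)

def login_capacity(conf_text, name="imap-login"):
    settings = parse_service(conf_text, name)
    service_count = int(settings.get("service_count", "1"))  # login services default to 1
    process_limit = resolve_limit(settings, "process_limit")
    client_limit = resolve_limit(settings, "client_limit")
    if service_count == 1:
        # High-security mode: one connection per login process. With SSL/TLS the
        # process keeps proxying the session, so process_limit caps TLS sessions.
        return {"mode": "high-security", "max_connections": process_limit}
    if service_count == 0:
        # High-performance mode: each process serves up to client_limit connections.
        return {"mode": "high-performance",
                "max_connections": client_limit * process_limit}
    raise ValueError("only service_count 0 and 1 are modelled here")

# Constructed sample: the block posted in the message, with its closing brace.
POSTED = """
service imap-login {
  service_count = 0
  #client_limit = $default_client_limit
  process_min_avail = 8
  vsz_limit = 256M
}
"""

if __name__ == "__main__":
    print(login_capacity(POSTED))
    print(login_capacity(POSTED.replace("service_count = 0", "service_count = 1")))
```

Setting `service_count` back to 1 in the same block drops the ceiling from 100000 to 100 simultaneous connections unless `process_limit` is raised explicitly.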


Re: SSL connection reset by peer

2016-07-27 Thread Vince42
Hi,

[Steffen Kaiser] - [2016-07-26 09:05]
>>>> I am running a dovecot server and have set up an external
>>>> monitoring, where every five minutes a login with SSL on port
>>>> 993 is done. I usually get once a day an error "connection
>>>> reset by peer - SSL connect", which goes away until the next
>>>> monitor is executed.

>>> that looks like a basic networking issue to me. Do you have logs
>>> how many users try to connect at this time? Is it always the same
>>> time range? Is the server load very high?

>> My server has nice specs (in fact a 30 times lower scaled server
>> never had this kind of problems), I also don't host many domains
>> and users, therefore I doubt that some kind of limit might be
>> touched. I also suspected some internal system load, but
>> unfortunately the error occurs arbitrarily, which makes me think
>> that no scheduled process is responsible for this. I also ran 'top'
>> during such an event without any obvious load tasks. The system
>> statistics also show no weird peaks. I read about the "running out
>> of random" phenomenon, but during such an event there were still
>> enough resources random-wise.

> what about the network itself? Does the monitor cross a firewall?

I do not know all the details about my provider's data center, but the
monitor is an internal one running on one of their machines in their
infrastructure. I therefore doubt that this error could be related to
some network issue. The monitor just makes a normal IMAP login and fails
with the SSL error - and a few minutes later everything is fine again.

>> Could it be that I need to offer more login processes or that I
>> should raise some of my configuration values? The
>> mail_max_userip_connections does not seem to solve the problem.

> usually you get some warning in the logs, if such limit is reached.

I desperately searched all kinds of logs - but nothing indicates a
problem that would explain these arbitrary logon errors. I always
thought that I should be more generous with login processes or other
system resources in order to overcome this - but it seems that I am on
the wrong track, if my doveconf -n does not show any oddities.

I fear I will have to accept this error as being "normal" - which is
really odd as my former server ran for years with the same config
without any warning at all. Maybe the next will do it again ... :)))

-- 
Cheers,
Vince


Re: SSL connection reset by peer

2016-07-26 Thread Steffen Kaiser

On Tue, 26 Jul 2016, Vince42 wrote:


> [Steffen Kaiser] - [2016-07-25 08:23]
>>> I am running a dovecot server and have set up an external monitoring,
>>> where every five minutes a login with SSL on port 993 is done. I usually
>>> get once a day an error "connection reset by peer - SSL connect", which
>>> goes away until the next monitor is executed.
>
>> that looks like a basic networking issue to me.
>> Do you have logs how many users try to connect at this time? Is it
>> always the same time range? Is the server load very high?
>
> My server has nice specs (in fact a 30 times lower scaled server never
> had this kind of problems), I also don't host many domains and users,
> therefore I doubt that some kind of limit might be touched. I also
> suspected some internal system load, but unfortunately the error occurs
> arbitrarily, which makes me think that no scheduled process is
> responsible for this. I also ran 'top' during such an event without any
> obvious load tasks. The system statistics also show no weird peaks. I
> read about the "running out of random" phenomenon, but during such an
> event there were still enough resources random-wise.

what about the network itself? Does the monitor cross a firewall?

> Could it be that I need to offer more login processes or that I should
> raise some of my configuration values? The mail_max_userip_connections
> does not seem to solve the problem.

usually you get some warning in the logs, if such limit is reached.

-- 
Steffen Kaiser


Re: SSL connection reset by peer

2016-07-25 Thread Timo Sirainen
On 25 Jul 2016, at 18:26, Vince42 <dove...@mx24.net> wrote:
> 
> Hi,
> 
> [Steffen Kaiser] - [2016-07-25 08:23]
>>> I am running a dovecot server and have set up an external monitoring,
>>> where every five minutes a login with SSL on port 993 is done. I usually
>>> get once a day an error "connection reset by peer - SSL connect", which
>>> goes away until the next monitor is executed.
> 
>> that looks like a basic networking issue to me.
>> Do you have logs how many users try to connect at this time? Is it
>> always the same time range? Is the server load very high?
> 
> My server has nice specs (in fact a 30 times lower scaled server never
> had this kind of problems), I also don't host many domains and users,
> therefore I doubt that some kind of limit might be touched. I also
> suspected some internal system load, but unfortunately the error occurs
> arbitrarily, which makes me think that no scheduled process is
> responsible for this. I also ran 'top' during such an event without any
> obvious load tasks. The system statistics also show no weird peaks. I
> read about the "running out of random" phenomenon, but during such an
> event there were still enough resources random-wise.
> 
> Could it be that I need to offer more login processes or that I should
> raise some of my configuration values?

If you are reaching any such limits, a warning is logged. Do you see any errors 
or warnings at all in logs?


Re: SSL connection reset by peer

2016-07-25 Thread Vince42
Hi,

[Steffen Kaiser] - [2016-07-25 08:23]
>> I am running a dovecot server and have set up an external monitoring,
>> where every five minutes a login with SSL on port 993 is done. I usually
>> get once a day an error "connection reset by peer - SSL connect", which
>> goes away until the next monitor is executed.

> that looks like a basic networking issue to me.
> Do you have logs how many users try to connect at this time? Is it
> always the same time range? Is the server load very high?

My server has nice specs (in fact a 30 times lower scaled server never
had this kind of problems), I also don't host many domains and users,
therefore I doubt that some kind of limit might be touched. I also
suspected some internal system load, but unfortunately the error occurs
arbitrarily, which makes me think that no scheduled process is
responsible for this. I also ran 'top' during such an event without any
obvious load tasks. The system statistics also show no weird peaks. I
read about the "running out of random" phenomenon, but during such an
event there were still enough resources random-wise.

Could it be that I need to offer more login processes or that I should
raise some of my configuration values? The mail_max_userip_connections
does not seem to solve the problem.

-- 
Cheers,
Vince


Re: SSL connection reset by peer

2016-07-25 Thread Vince42
Hi,

[Christian Kivalo] - [2016-07-23 14:50]
> I don't really have a suggestion for configuration but I think maybe
> some logs and the output of doveconf -n would help. Is the error
> definitely from your monitoring ip?

I already searched in the logs but did not find anything obvious.
Anything specific I should look for? My dovecot -n looks like this:

# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-68-generic x86_64 Ubuntu 14.04.4 LTS
auth_mechanisms = plain login
auth_username_format = %n
debug_log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve pop3
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = 

Re: SSL connection reset by peer

2016-07-25 Thread Steffen Kaiser

On Fri, 22 Jul 2016, Vince42 wrote:


> I am running a dovecot server and have set up an external monitoring,
> where every five minutes a login with SSL on port 993 is done. I usually
> get once a day an error "connection reset by peer - SSL connect", which
> goes away until the next monitor is executed.

that looks like a basic networking issue to me.
Do you have logs how many users try to connect at this time? Is it always
the same time range? Is the server load very high?


-- 
Steffen Kaiser


Re: SSL connection reset by peer

2016-07-23 Thread Christian Kivalo


On 23 July 2016 14:24:01 CEST, Vince42 <dove...@mx24.net> wrote:
> Hi,
>
> [Vince42] - [2016-07-22 00:19]
>> I am running a dovecot server and have set up an external monitoring,
>> where every five minutes a login with SSL on port 993 is done. I usually
>> get once a day an error "connection reset by peer - SSL connect", which
>> goes away until the next monitor is executed.
>>
>> Initially I thought that raising the mail_max_userip_connections in
>> protocol imap in 20-imap.conf to 256 should do the trick - but the error
>> stays.
>>
>> What could be the reason for this error and which configuration values
>> could be changed in order to avoid this error?
>>
>> I read a lot of different suggestions - but did not find a plausible
>> explanation and recommendation.
>
> Anybody? Sorry for bumping this thread ... but I am really desperately
> looking for some configuration issues to scrutinize ...

I don't really have a suggestion for configuration but I think maybe some logs
and the output of doveconf -n would help.

Is the error definitely from your monitoring ip?

 --
 Christian


Re: SSL connection reset by peer

2016-07-23 Thread Vince42
Hi,

[Vince42] - [2016-07-22 00:19]
> I am running a dovecot server and have set up an external monitoring,
> where every five minutes a login with SSL on port 993 is done. I usually
> get once a day an error "connection reset by peer - SSL connect", which
> goes away until the next monitor is executed.
> 
> Initially I thought that raising the mail_max_userip_connections in
> protocol imap in 20-imap.conf to 256 should do the trick - but the error
> stays.
> 
> What could be the reason for this error and which configuration values
> could be changed in order to avoid this error?
> 
> I read a lot of different suggestions - but did not find a plausible
> explanation and recommendation.

Anybody? Sorry for bumping this thread ... but I am really desperately
looking for some configuration issues to scrutinize ...

-- 
Cheers,
Vince


SSL connection reset by peer

2016-07-21 Thread Vince42
Hi,

I am running a dovecot server and have set up an external monitoring,
where every five minutes a login with SSL on port 993 is done. I usually
get once a day an error "connection reset by peer - SSL connect", which
goes away until the next monitor is executed.

Initially I thought that raising the mail_max_userip_connections in
protocol imap in 20-imap.conf to 256 should do the trick - but the error
stays.

What could be the reason for this error and which configuration values
could be changed in order to avoid this error?

I read a lot of different suggestions - but did not find a plausible
explanation and recommendation.

Thanks in advance!

-- 
Cheers,
Vince