Hi,
I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
Initially I thought that raising the mail_max_userip_connections in protocol imap in 20-imap.conf to 256 should do the trick - but the error stays.
What could be the reason for this error and which configuration values could be changed in order to avoid this error?
I read a lot of different suggestions - but did not find a plausible explanation and recommendation.
Thanks in advance!
-- Cheers, \\|// Vince (o o) ----------------------------ooO-(_)-Ooo------------------------- ''' (o)_(o) [ ][0][ ] ô¿ô (=°o°=) World Domination by Copy and Paste [ ][ ][0]
- (")_(") [0][0][0]
() ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Ooo. ---------------------------.ooO----( )------------------------- ( ) (_/ \_)
Hi,
[Vince42] - [2016-07-22 00:19]
> I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> Initially I thought that raising the mail_max_userip_connections in protocol imap in 20-imap.conf to 256 should do the trick - but the error stays.
> What could be the reason for this error and which configuration values could be changed in order to avoid this error?
> I read a lot of different suggestions - but did not find a plausible explanation and recommendation.
Anybody? Sorry for bumping this thread ... but I am really desperately looking for some configuration issues to scrutinize ...
-- Cheers, Vince
On 23 July 2016 14:24:01 MESZ, Vince42 dovecot@mx24.net wrote:
> Hi,
> [Vince42] - [2016-07-22 00:19]
> > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> > Initially I thought that raising the mail_max_userip_connections in protocol imap in 20-imap.conf to 256 should do the trick - but the error stays.
> > What could be the reason for this error and which configuration values could be changed in order to avoid this error?
> > I read a lot of different suggestions - but did not find a plausible explanation and recommendation.
> Anybody? Sorry for bumping this thread ... but I am really desperately looking for some configuration issues to scrutinize ...

I don't really have a suggestion for configuration, but I think maybe some logs and the output of doveconf -n would help.
Is the error definitely from your monitoring IP?
-- Christian
Hi,
[Christian Kivalo] - [2016-07-23 14:50]
> I don't really have a suggestion for configuration but i think maybe some logs and the output of doveconf -n would help. Is the error definitly from your monitoring ip?
I already searched in the logs but did not find anything obvious. Anything specific I should look for? My dovecot -n looks like this:
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-68-generic x86_64 Ubuntu 14.04.4 LTS
auth_mechanisms = plain login
auth_username_format = %n
debug_log_path = /var/log/dovecot.log
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve pop3
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =
-- Cheers, Vince
On Fri, 22 Jul 2016, Vince42 wrote:
> I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
Steffen Kaiser
Hi,
[Steffen Kaiser] - [2016-07-25 08:23]
> > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
My server has nice specs (in fact a 30 times lower scaled server never had this kind of problems), I also don't host many domains and users, therefore I doubt that some kind of limit might be touched. I also suspected some internal system load, but unfortunately the error occurs arbitrarily, which makes me think that no scheduled process is responsible for this. I also ran 'top' during such an event without any obvious load tasks. The system statistics also show no weird peaks. I read about the "running out of random" phenomenon, but during such an event there were still enough resources random-wise.
Could it be that I need to offer more login processes or that I should raise some of my configuration values? The mail_max_userip_connections does not seem to solve the problem.
-- Cheers, Vince
On 25 Jul 2016, at 18:26, Vince42 dovecot@mx24.net wrote:
> Hi,
> [Steffen Kaiser] - [2016-07-25 08:23]
> > > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> > that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
> My server has nice specs (in fact a 30 times lower scaled server never had this kind of problems), I also don't host many domains and users, therefore I doubt that some kind of limit might be touched. I also suspected some internal system load, but unfortunately the error occurs arbitrarily, which makes me think that no scheduled process is responsible for this. I also ran 'top' during such an event without any obvious load tasks. The system statistics also show no weird peaks. I read about the "running out of random" phenomenon, but during such an event there were still enough resources random-wise.
> Could it be that I need to offer more login processes or that I should raise some of my configuration values?
If you are reaching any such limits, a warning is logged. Do you see any errors or warnings at all in logs?
On Tue, 26 Jul 2016, Vince42 wrote:
> [Steffen Kaiser] - [2016-07-25 08:23]
> > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> > that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
> My server has nice specs (in fact a 30 times lower scaled server never had this kind of problems), I also don't host many domains and users, therefore I doubt that some kind of limit might be touched. I also suspected some internal system load, but unfortunately the error occurs arbitrarily, which makes me think that no scheduled process is responsible for this. I also ran 'top' during such an event without any obvious load tasks. The system statistics also show no weird peaks. I read about the "running out of random" phenomenon, but during such an event there were still enough resources random-wise.

What about the network itself? Does the monitor cross a firewall?

> Could it be that I need to offer more login processes or that I should raise some of my configuration values? The mail_max_userip_connections does not seem to solve the problem.

Usually you get a warning in the logs if such a limit is reached.
Steffen Kaiser
Hi,
[Steffen Kaiser] - [2016-07-26 09:05]
> > > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> > > that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
> > My server has nice specs (in fact a 30 times lower scaled server never had this kind of problems), I also don't host many domains and users, therefore I doubt that some kind of limit might be touched. I also suspected some internal system load, but unfortunately the error occurs arbitrarily, which makes me think that no scheduled process is responsible for this. I also ran 'top' during such an event without any obvious load tasks. The system statistics also show no weird peaks. I read about the "running out of random" phenomenon, but during such an event there were still enough resources random-wise.
> what about the network itself? Does the monitor crosses a firewall?
I do not know all the details about my provider's data center, but the monitor is an internal one running on one of their machines in their infrastructure. I therefore doubt that this error could be related to some network issue. The monitor just makes a normal IMAP login and fails with the SSL error - and a few minutes later everything is fine again.
> > Could it be that I need to offer more login processes or that I should raise some of my configuration values? The mail_max_userip_connections does not seem to solve the problem.
> usually you get some warning in the logs, if such limit is reached.
I desperately searched all kinds of logs - but nothing indicates a problem that would explain these arbitrary logon errors. I always thought that I should be more generous with login processes or other system resources in order to overcome this - but it seems that I am on the wrong track, if my doveconf -n does not show any oddities.
I fear I will have to accept this error as being "normal" - which is really odd as my former server ran for years with the same config without any warning at all. Maybe the next will do it again ... :)))
-- Cheers, Vince
On 07/27/2016 11:55 PM, Vince42 wrote:
> Hi,
> [Steffen Kaiser] - [2016-07-26 09:05]
> > > > I am running a dovecot server and have set up an external monitoring, where every five minutes a login with SSL on port 993 is done. I usually get once a day an error "connection reset by peer - SSL connect", which goes away until the next monitor is executed.
> > > > that looks like a basic networking issue to me. Do you have logs how many users try to connect at this time? Is it always the same time range? Is the server load very high?
> > > My server has nice specs (in fact a 30 times lower scaled server never had this kind of problems), I also don't host many domains and users, therefore I doubt that some kind of limit might be touched. I also suspected some internal system load, but unfortunately the error occurs arbitrarily, which makes me think that no scheduled process is responsible for this. I also ran 'top' during such an event without any obvious load tasks. The system statistics also show no weird peaks. I read about the "running out of random" phenomenon, but during such an event there were still enough resources random-wise.
> > what about the network itself? Does the monitor crosses a firewall?
> I do not know all the details about my provider's data center, but the monitor is an internal one running on one of their machines in their infrastructure. I therefore doubt that this error could be related to some network issue. The monitor just makes a normal IMAP login and fails with the SSL error - and a few minutes later everything is fine again.
> > > Could it be that I need to offer more login processes or that I should raise some of my configuration values? The mail_max_userip_connections does not seem to solve the problem.
> > usually you get some warning in the logs, if such limit is reached.
> I desperately searched all kinds of logs - but nothing indicates a problem that would explain these arbitrary logon errors. I always thought that I should be more generous with login processes or other system resources in order to overcome this - but it seems that I am on the wrong track, if my doveconf -n does not show any oddities.
> I fear I will have to accept this error as being "normal" - which is really odd as my former server ran for years with the same config without any warning at all. Maybe the next will do it again ... :)))
Hi Vince, just a shot into the dark: if you are running out of entropy, you might get SSL errors. If this is a virtual machine, there are not many entropy sources. Consider installing alternative entropy sources like haveged(*), available in many distro repos.
Regards, Olaf
(*) http://www.issihosts.com/haveged/
-- Karlsruher Institut für Technologie (KIT) ATIS - Department of Technical Infrastructure, Faculty of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009, 76131 Karlsruhe. Phone: +49 721 608-43973 Fax: +49 721 608-46699 E-mail: Olaf.Hopp@kit.edu www.atis.informatik.kit.edu
www.kit.edu
KIT - The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
Hi,
[Olaf Hopp] - [2016-08-02 23:45]
> just a shot into the dark: if you are running out of entropy, you might get SSL errors. If this is a virtual machine, there are not many entropy sources. Consider installing alternative entropy sources like haveged(*), available in many distro repos.
Thank you for your hint. I followed the entropy idea when I first encountered this strange behaviour, but there was no shortage.
Tweaking the parameters for the imap_login service seemed to fix the problems, now I need to try to set them to reasonable values in order to have the best compromise between "secure" and "high performance" as described in the Dovecot wiki.
-- Cheers, Vince
Hi,
[Steffen Kaiser] - [2016-07-26 09:05]
> > Could it be that I need to offer more login processes or that I should raise some of my configuration values? The mail_max_userip_connections does not seem to solve the problem.
> usually you get some warning in the logs, if such limit is reached.
I changed some parameters in the imap-login service and the problem seems to be gone - at least I have not received any error message in three days.
Following the examples on http://wiki.dovecot.org/LoginProcess I changed 10-master.conf to
service imap-login {
  service_count = 0
  #client_limit = $default_client_limit
  process_min_avail = 8
  vsz_limit = 256M
}
I think that these parameters are very generous and I would rather like to stick to "high security" than to "high performance". What would be your recommendations? Would it suffice to try to set service_count back to 1? Also I did not touch the client_limit, as I did not understand the formula "Default client_limit * process_limit = 1000*100 = 100k connections" given on the wiki page.
Any suggestions are welcome and highly appreciated.
-- Cheers, Vince
participants (5): Christian Kivalo, Olaf Hopp, Steffen Kaiser, Timo Sirainen, Vince42