SSL connection reset by peer

Olaf Hopp Olaf.Hopp at kit.edu
Tue Aug 2 21:45:10 UTC 2016


On 07/27/2016 11:55 PM, Vince42 wrote:
> Hi,
>
> [Steffen Kaiser] - [2016-07-26 09:05]
>>>>> I am running a dovecot server and have set up an external
>>>>> monitoring, where every five minutes a login with SSL on port
>>>>> 993 is done. I usually get once a day an error "connection
>>>>> reset by peer - SSL connect", which goes away until the next
>>>>> monitor is executed.
>
>>>> that looks like a basic networking issue to me. Do you have logs
>>>> how many users try to connect at this time? Is it always the same
>>>> time range? Is the server load very high?
>
>>> My server has nice specs (in fact a 30 times lower scaled server
>>> never had this kind of problem), I also don't host many domains
>>> and users, therefore I doubt that some kind of limit might be
>>> touched. I also suspected some internal system load, but
>>> unfortunately the error occurs arbitrarily, which makes me think
>>> that no scheduled process is responsible for this. I also ran 'top'
>>> during such an event without any obvious load tasks. The system
>>> statistics also show no weird peaks. I read about the "running out
>>> of random" phenomenon, but during such an event there were still
>>> enough resources random-wise.
>
>> what about the network itself? Does the monitor cross a firewall?
>
> I do not know all the details about my provider's data center, but the
> monitor is an internal one running on one of their machines in their
> infrastructure. I therefore doubt that this error could be related to
> some network issue. The monitor just makes a normal IMAP login and fails
> with the SSL error - and a few minutes later everything is fine again.
>
>>> Could it be that I need to offer more login processes or that I
>>> should raise some of my configuration values? The
>>> mail_max_userip_connections does not seem to solve the problem.
>
>> usually you get some warning in the logs, if such a limit is reached.
>
> I desperately searched all kinds of logs - but nothing indicates a
> problem that would explain these arbitrary logon errors. I always
> thought that I should be more generous with login processes or other
> system resources in order to overcome this - but it seems that I am on
> the wrong track, if my doveconf -n does not show any oddities.
>
> I fear I will have to accept this error as being "normal" - which is
> really odd as my former server ran for years with the same config
> without any warning at all. Maybe the next will do it again ... :)))
>

Hi Vince,
just a shot into the dark:
if you are running out of entropy, you might get SSL errors.
If this is a virtual machine, there are not many entropy sources.
Consider installing alternative entropy sources like haveged(*),
available in many distro repos.

Regards, Olaf

(*) http://www.issihosts.com/haveged/

-- 
Karlsruhe Institute of Technology (KIT)
ATIS - Technical Infrastructure Dept., Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-mail: Olaf.Hopp at kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
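
One way to test the entropy hypothesis from the message above, as an added example that is not part of the original thread or of dovecot: log the kernel's entropy counter on the mail server and compare it with the times the monitor reported the SSL reset. The function names, the LOW_MARK threshold and the log layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: record the kernel entropy counter so it can be lined up
# with the monitor's "connection reset by peer" timestamps.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
LOW_MARK=${LOW_MARK:-200}   # assumed threshold in bits; tune for your system

# Print "<epoch> <bits> <LOW|ok>" for one reading of the counter.
# Returns 1 if the file is unreadable or does not contain a number.
sample_entropy() {
    file=${1:-$ENTROPY_FILE}
    bits=$(cat "$file" 2>/dev/null) || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    if [ "$bits" -lt "$LOW_MARK" ]; then state=LOW; else state=ok; fi
    printf '%s %s %s\n' "$(date +%s)" "$bits" "$state"
}

# $1: sample log written by sample_entropy
# $2: file with one failure time (epoch seconds) per line
# For each failure, print "<failure> <bits> <state> <seconds apart>"
# using the sample closest in time.
nearest_samples() {
    awk 'BEGIN { n = 0 }
         NR == FNR { t[n] = $1; b[n] = $2; s[n] = $3; n++; next }
         { best = -1
           for (i = 0; i < n; i++) {
               d = $1 - t[i]; if (d < 0) d = -d
               if (best < 0 || d < bd) { best = i; bd = d }
           }
           if (best >= 0) print $1, b[best], s[best], bd
         }' "$1" "$2"
}

# "watch" mode: append one sample every 10 seconds until interrupted.
if [ "${1:-}" = "watch" ]; then
    while :; do
        sample_entropy >> "${2:-entropy.log}"
        sleep 10
    done
fi
```

If the failures consistently line up with LOW samples, an additional entropy source such as haveged is worth trying; if the counter is healthy at every failure, the cause lies elsewhere.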
