On 07/27/2016 11:55 PM, Vince42 wrote:
Hi,

[Steffen Kaiser] - [2016-07-26 09:05]
I am running a dovecot server and have set up an external
monitoring, where every five minutes a login with SSL on port
993 is done. I usually get once a day an error "connection
reset by peer - SSL connect", which goes away until the next
monitor is executed.

That looks like a basic networking issue to me. Do you have logs of
how many users try to connect at this time? Is it always the same
time range? Is the server load very high?

My server has nice specs (in fact a 30 times lower scaled server
never had this kind of problems), I also don't host many domains
and users, therefore I doubt that some kind of limit might be
touched. I also suspected some internal system load, but
unfortunately the error occurs arbitrarily, which makes me think
that no scheduled process is responsible for this. I also ran 'top'
during such an event without any obvious load tasks. The system
statistics also show no weird peaks. I read about the "running out
of random" phenomenon, but during such an event there were still
enough resources random-wise.

What about the network itself? Does the monitor cross a firewall?

I do not know all the details about my provider's data center, but the
monitor is an internal one running on one of their machines in their
infrastructure. I therefore doubt that this error could be related to
some network issue. The monitor just makes a normal IMAP login and fails
with the SSL error - and a few minutes later everything is fine again.

Could it be that I need to offer more login processes or that I
should raise some of my configuration values? The
mail_max_userip_connections does not seem to solve the problem.

Usually you get some warning in the logs if such a limit is reached.

I desperately searched all kinds of logs - but nothing indicates a
problem that would explain these arbitrary logon errors. I always
thought that I should be more generous with login processes or other
system resources in order to overcome this - but it seems that I am on
the wrong track, if my doveconf -n does not show any oddities.

I fear I will have to accept this error as being "normal" - which is
really odd as my former server ran for years with the same config
without any warning at all. Maybe the next will do it again ... :)))


Hi Vince,
just a shot into the dark:
if you are running out of entropy, you might get SSL errors.
If this is a virtual machine, there are not many entropy sources.
Consider installing alternative entropy sources like haveged(*),
available in many distro repos.

Regards, Olaf

(*) http://www.issihosts.com/haveged/

--
Karlsruher Institut für Technologie (KIT)
ATIS - Dept. of Technical Infrastructure, Faculty of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
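
One way to check the entropy hypothesis from the reply above against the monitor's failure times (an added example, not part of the original thread or written by its participants). It assumes a Linux host, samples logged as `ISO-timestamp value` lines (for instance by calling `read_entropy()` once a minute from cron), and a threshold and time window that are illustrative choices, not Dovecot or kernel defaults.

```python
"""Correlate monitor failures with kernel entropy samples (added example)."""
from datetime import datetime, timedelta

ENTROPY_FILE = "/proc/sys/kernel/random/entropy_avail"  # Linux entropy estimate, in bits
LOW_WATERMARK = 200              # assumed threshold; tune for your system
WINDOW = timedelta(seconds=90)   # assumed: how far around each failure to look

def read_entropy(path=ENTROPY_FILE):
    """Return the kernel's current entropy estimate in bits."""
    with open(path) as fh:
        return int(fh.read().strip())

def parse_samples(lines):
    """Parse 'ISO-timestamp value' lines into sorted (datetime, int) tuples."""
    samples = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        samples.append((datetime.fromisoformat(parts[0]), int(parts[1])))
    return sorted(samples)

def correlate(samples, failures, window=WINDOW, low=LOW_WATERMARK):
    """For each failure time, report the lowest entropy seen within the window."""
    report = []
    for ts in failures:
        nearby = [v for t, v in samples if abs(t - ts) <= window]
        lowest = min(nearby) if nearby else None  # None: no sample close enough
        report.append((ts, lowest, lowest is not None and lowest < low))
    return report

# Constructed sample data: entropy logged once a minute, three monitor failures.
SAMPLE_LOG = """\
2016-07-27T10:04:00 3105
2016-07-27T10:05:00 142
2016-07-27T10:06:00 2980
2016-07-27T14:34:00 3310
2016-07-27T14:35:00 3287
2016-07-27T14:36:00 3301
""".splitlines()
SAMPLE_FAILURES = [
    datetime(2016, 7, 27, 10, 5, 10),   # coincides with an entropy dip
    datetime(2016, 7, 27, 14, 35, 10),  # entropy was healthy
    datetime(2016, 7, 27, 20, 0, 0),    # no samples recorded nearby
]

if __name__ == "__main__":
    for ts, lowest, starved in correlate(parse_samples(SAMPLE_LOG), SAMPLE_FAILURES):
        print(ts.isoformat(), "lowest entropy:", lowest, "LOW" if starved else "not low / unknown")
```

Failures that never line up with a low reading point away from entropy starvation and back toward the network path or the login process limits discussed earlier in the thread.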
