On Thu, Jan 06, 2011 at 01:22:50AM -0500, Jerrale G wrote:

>> 0. http://www.postfix.org/TLS_README.html
>> 1. http://www.entropykey.co.uk/
>> 2. http://www.postfix.org/TLS_README.html#tlsmgr_controls
>
> We use /dev/random. Using /dev/urandom does not cause enough entropy,
> which may just be a problem with dnssec and not postfix, on a stock 32-bit
> or 64-bit centos kernel, as of 2.6.13 from the last test six months ago.

This is a mistake.

> We discovered this problem with dnssec signing, as described, and, since
> using /dev/random, everything generates within two or three seconds.

/dev/urandom never blocks, while /dev/random does if the entropy is deemed
"depleted". A decent PRNG, once securely seeded, is never depleted, so if
the system seed state is retained across boots, /dev/urandom is much more
performant.

In any case, additional PRNG state is retained across system boot events
by Postfix, which then mixes its saved state and random data from
/dev/urandom via its internal PRNG.

Postfix users should stick with the non-blocking /dev/urandom. Please do
not give them bad advice.

-- 
	Viktor.
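The mechanism described in the reply above (a generator that is seeded once and never "depletes", whose state is persisted across boots and mixed with fresh /dev/urandom bytes at every start) as a small model in Python. This is an added example, not Postfix's tlsmgr(8) code: the HMAC-SHA256 counter construction, the 32-byte state size and the state file name prng_exch.model are assumptions made for the demonstration. Postfix itself configures the real thing through the tls_random_* parameters listed at the TLS_README#tlsmgr_controls link quoted above; on Linux builds tls_random_source defaults to dev:/dev/urandom.

```python
"""Model of a seeded-once PRNG whose state survives reboots.

Added example, not Postfix's tlsmgr(8) implementation. It imitates the
idea in the post: keep a small PRNG state file, and on every start mix
the saved state with fresh bytes from /dev/urandom (os.urandom) before
generating anything. The HMAC-SHA256 construction and the state file
name are assumptions for the demonstration.
"""
import hashlib
import hmac
import os

STATE_LEN = 32  # bytes of PRNG state persisted across "boots" (assumed size)


class ModelPrng:
    """HMAC-SHA256 counter generator with a forward-secure key ratchet.

    Once seeded with enough unpredictable material it produces output
    indefinitely; nothing here ever "runs out" the way a blocking
    /dev/random reader believes its entropy pool does.
    """

    def __init__(self, seed_material: bytes) -> None:
        self.key = hashlib.sha256(b"seed|" + seed_material).digest()

    def reseed(self, extra: bytes) -> None:
        """Fold additional entropy into the current key (never replaces it)."""
        self.key = hmac.new(self.key, b"reseed|" + extra, hashlib.sha256).digest()

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < n:
            counter += 1
            out += hmac.new(self.key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        # Ratchet the key: a later key compromise does not reveal earlier output.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return bytes(out[:n])


def load_saved_state(path: str):
    """Return the persisted state, or None on first boot / corrupt file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return None
    return data if len(data) == STATE_LEN else None


def boot_prng(saved_state, fresh_entropy: bytes) -> ModelPrng:
    """Mix saved state (possibly None) with fresh, non-blocking entropy."""
    return ModelPrng((saved_state or b"") + fresh_entropy)


def save_state(prng: ModelPrng, path: str) -> None:
    """Persist fresh generator output as part of the seed for the next boot."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(prng.random_bytes(STATE_LEN))
    os.chmod(tmp, 0o600)  # the state file must not be world-readable
    os.replace(tmp, path)  # atomic swap so a crash never leaves a short file


def simulate_boots(path: str, boots: int, entropy_source=os.urandom):
    """Run several 'boots'; return the first 16 output bytes of each one."""
    samples = []
    for _ in range(boots):
        prng = boot_prng(load_saved_state(path), entropy_source(STATE_LEN))
        samples.append(prng.random_bytes(16))
        save_state(prng, path)
    return samples


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        state_file = os.path.join(d, "prng_exch.model")  # assumed name
        for i, sample in enumerate(simulate_boots(state_file, 3)):
            print(f"boot {i}: {sample.hex()}")
```

The point of the model is that the reader of the state file never waits for the kernel: os.urandom is the non-blocking source, and the saved state is what makes the very first bytes after boot unpredictable even if the kernel pool has not been refilled yet. One caveat for anyone re-testing this today: Linux 5.6 and later make /dev/random non-blocking once the pool is initialised, so the blocking behaviour the thread argues about is only observable on the older kernels it discusses.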