Public bug reported:

Binary package hint: exim4-daemon-light

When Exim is first installed (on Dapper), mail delivery times out like
this:

  ch...@fen-fw:~$ sudo exim -qf -v -v
  LOG: queue_run MAIN
    Start queue run: pid=30436 -qf
  delivering 1LbXpS-0007T6-ED (queue run pid 30436)
  R: system_aliases for r...@fen-fw.aptivate.org
  R: smarthost for hid...@aptivate.org
  T: remote_smtp_smarthost for hid...@aptivate.org
  Connecting to net-mail.aptivate.org [80.248.178.172]:25 ... connected
    SMTP<< 220 mail.aidworld.org ESMTP Exim 4.62 Mon, 23 Feb 2009 10:21:59 +0000
    SMTP>> EHLO fen-fw.aptivate.org
    SMTP<< 250-mail.aidworld.org Hello fen-fw.aptivate.org [217.155.111.90]
           250-SIZE 52428800
           250-PIPELINING
           250-AUTH PLAIN LOGIN
           250-STARTTLS
           250 HELP
    SMTP>> STARTTLS
    SMTP<< 220 TLS go ahead

(hangs for a long time here)

The problem is complex:

* Dapper uses a kernel version which has poor entropy gathering (see
  Debian bug #343085). /dev/random is usually nearly empty, as my Munin
  graphs show, and my /proc/sys/kernel/random/entropy_avail is (was)
  usually below 200 bytes
* exim4 is linked with GnuTLS rather than OpenSSL (see Debian bug
  #343085)
* GnuTLS makes much less efficient use of available entropy (see Debian
  bug #343085)
* Exim needs to generate a DH parameters cache file before TLS will work
  (/var/spool/exim4/gnutls-params, see Debian bugs #343085 and #338319)
* This file is not generated on installation, but by a mail-sending
  process (see Debian bug #338319)
* Due to low entropy and GnuTLS wastefulness, this file takes a very
  long time to generate (e.g. hours/days)
* Until generated, exim4 cannot send mail, hanging forever as above
* This file is also deleted by /etc/cron.daily/exim4-base, UNLESS the
  gnutls-bin package is installed, therefore the problem will recur
  daily (see Debian bug #338319)

Possible workarounds are:

* replace /dev/random with link to /dev/urandom (has security
  implications)
* install an entropy gathering daemon. I installed rng-tools,
  unexpectedly it works on my hardware, my entropy pool is back up at
  4000 now (i.e. full). This will probably not work for everyone
* wait for exim to generate the gnutls-params itself (every day) and
  accept that mail will hang until then
* install gnutls-bin
* generate gnutls-params immediately after installation

I'd recommend making exim4-config depend on gnutls-bin, AND generate the
gnutls-params file during package installation so that the admin is not
mystified by an installed but apparently non-working exim4 package.

Description: Ubuntu 6.06.2 LTS
Release: 6.06

  ch...@fen-fw:~$ apt-cache policy exim4 exim4-daemon-light libgnutls12 libgcrypt11
  exim4: 4.60-3ubuntu3.1
  exim4-daemon-light: 4.60-3ubuntu3.1
  libgnutls12: 1.2.9-2ubuntu1.2
  libgcrypt11: 1.2.2-1

** Affects: exim4 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
Exim hangs on delivering mail, lack of entropy for TLS
https://bugs.launchpad.net/bugs/333257
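
The condition described in this report, as an added check that is not part of the original bug report or of the exim4 packaging: it reads the entropy counter and looks for the DH parameter cache at the paths the report names. The 200 threshold reuses the reporter's figure as an assumption, and `certtool` is assumed to be the binary that gnutls-bin provides.

```shell
#!/bin/sh
# Added example: check for the hang condition described in the report.
# Paths come from the report; LOW_ENTROPY=200 reuses the reporter's
# "usually below 200" figure as an assumed threshold.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
PARAMS_FILE="${PARAMS_FILE:-/var/spool/exim4/gnutls-params}"
LOW_ENTROPY="${LOW_ENTROPY:-200}"

# entropy_state FILE THRESHOLD -> low | ok | unknown
entropy_state() {
    [ -r "$1" ] || { echo unknown; return; }
    val=$(cat "$1")
    case "$val" in
        ''|*[!0-9]*) echo unknown; return ;;   # not a plain number
    esac
    if [ "$val" -lt "$2" ]; then echo low; else echo ok; fi
}

# params_state FILE -> missing | empty | present
params_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo present
    fi
}

# gnutls_bin_state -> installed | absent
# (assumption: gnutls-bin is detected by the presence of certtool on PATH)
gnutls_bin_state() {
    if command -v certtool >/dev/null 2>&1; then echo installed; else echo absent; fi
}

# diagnose ENTROPY_FILE PARAMS_FILE THRESHOLD -> one-line verdict
diagnose() {
    e=$(entropy_state "$1" "$3")
    p=$(params_state "$2")
    case "$p:$e" in
        present:*) echo "OK: DH parameter cache exists (entropy: $e)" ;;
        *:low)     echo "RISK: DH parameter cache $p and entropy low; STARTTLS delivery may hang" ;;
        *)         echo "WARN: DH parameter cache $p; a mail-sending process must generate it (entropy: $e)" ;;
    esac
}

diagnose "$ENTROPY_FILE" "$PARAMS_FILE" "$LOW_ENTROPY"
# Without gnutls-bin the report says the daily cron job deletes the cache again.
echo "gnutls-bin: $(gnutls_bin_state)"
```
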