Exim hangs on delivering mail, lack of entropy for TLS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
exim4 (Ubuntu) | Opinion | Low | Unassigned |
Bug Description
Binary package hint: exim4-daemon-light
When Exim is first installed (on Dapper), mail delivery times out like this:
```text
chris@fen-fw:~$ sudo exim -qf -v -v
LOG: queue_run MAIN
Start queue run: pid=30436 -qf
delivering 1LbXpS-0007T6-ED (queue run pid 30436)
R: system_aliases for <email address hidden>
R: smarthost for <email address hidden>
T: remote_
Connecting to net-mail.
SMTP<< 220 mail.aidworld.org ESMTP Exim 4.62 Mon, 23 Feb 2009 10:21:59 +0000
SMTP>> EHLO fen-fw.aptivate.org
SMTP<< 250-mail.
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 HELP
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
```
(hangs for a long time here)
The problem is complex:
* Dapper uses a kernel version which has poor entropy gathering (see Debian bug #343085). /dev/random is usually nearly empty, as my Munin graphs show, and my /proc/sys/
* exim4 is linked with GnuTLS rather than OpenSSL (see Debian bug #343085)
* GnuTLS makes much less efficient use of available entropy (see Debian bug #343085)
* Exim needs to generate a DH parameters cache file before TLS will work (/var/spool/
* This file is not generated on installation, but by a mail-sending process (see Debian bug #338319)
* Due to low entropy and GnuTLS wastefulness, this file takes a very long time to generate (e.g. hours/days)
* Until generated, exim4 cannot send mail, hanging forever as above
* This file is also deleted by /etc/cron.
Possible workarounds are:
* replace /dev/random with link to /dev/urandom (has security implications)
* install an entropy gathering daemon. I installed rng-tools; unexpectedly, it works on my hardware, and my entropy pool is back up at 4000 now (i.e. full). This will probably not work for everyone
* wait for exim to generate the gnutls-params itself (every day) and accept that mail will hang until then
* install gnutls-bin
* generate gnutls-params immediately after installation
I'd recommend making exim4-config depend on gnutls-bin, AND generate the gnutls-params file during package installation so that the admin is not mystified by an installed but apparently non-working exim4 package.
Description: Ubuntu 6.06.2 LTS
Release: 6.06
```text
chris@fen-fw:~$ apt-cache policy exim4 exim4-daemon-light libgnutls12 libgcrypt11
exim4: 4.60-3ubuntu3.1
exim4-daemon-light: 4.60-3ubuntu3.1
libgnutls12: 1.2.9-2ubuntu1.2
libgcrypt11: 1.2.2-1
```
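The install-time generation the report recommends, as an added example that is not the reporter's code nor the exim4 package's own maintainer script: a POSIX shell script that reads the kernel entropy estimate, builds the DH parameter file with `certtool` from gnutls-bin into a temporary file, and renames it into place atomically so Exim never loads a half-written file. The spool path, the 1024-bit size and the exim user name are assumptions, not values taken from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or the exim4 package.
# Pre-generate Exim's GnuTLS DH parameter file right after installation so
# the first STARTTLS does not block on an empty /dev/random.
# Assumed (not from the report): the spool path, 1024 bits, the exim user.
set -eu

DH_FILE="${DH_FILE:-/var/spool/exim4/gnutls-params}"  # assumed path
DH_BITS="${DH_BITS:-1024}"                             # assumed size
EXIM_USER="${EXIM_USER:-Debian-exim}"                  # assumed user

# Kernel entropy estimate in bits; prints 0 if the file is unreadable.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# True (0) when $1 is missing or empty: exactly the state in which Exim
# would try to build it during a delivery and hang as in the report.
need_dh_params() {
    [ ! -s "$1" ]
}

# Build the parameters with certtool (gnutls-bin) into a temp file and
# rename it into place, so Exim never reads a half-written file.
generate_dh_params() {
    file="$1"; bits="$2"
    command -v certtool >/dev/null 2>&1 || {
        echo "certtool not found: install gnutls-bin" >&2; return 2; }
    tmp="$(mktemp "${file}.XXXXXX")"
    if certtool --generate-dh-params --bits "$bits" >"$tmp" 2>/dev/null; then
        chown "$EXIM_USER:$EXIM_USER" "$tmp" 2>/dev/null || true
        chmod 0640 "$tmp"
        mv "$tmp" "$file"
    else
        rm -f "$tmp"; return 1
    fi
}

main() {
    if need_dh_params "$DH_FILE"; then
        echo "entropy_avail=$(entropy_avail); generating $DH_FILE" \
             "(this blocks while /dev/random is empty)"
        generate_dh_params "$DH_FILE" "$DH_BITS"
    else
        echo "$DH_FILE already present, nothing to do"
    fi
}

# Run as: sh this_script.sh run
case "${1:-}" in run) main ;; esac
```

Run it as root once after the package is installed; the daily cron job the report mentions will still replace the file later, but delivery no longer hangs in the meantime.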
Changed in exim4 (Ubuntu):
* importance: Undecided → Low
* status: New → Opinion