
Mailing List Archive: Qmail: users

Netqmail on XEN virtual servers

 

 



lists at penpal4u

Mar 29, 2011, 2:44 AM

Post #1 of 3 (575 views)
Netqmail on XEN virtual servers

Hi,
I am using Netqmail with TLS/SMTPAUTH patch on a number of XEN virtual
servers. Now, I've been experiencing a problem which I cannot explain.
I don't know if it has more to do with XEN or with Netqmail. All I know
is that the combination is giving me a hard time.

The problem I'm having is that in about 90% of all cases the SSL
handshake with Netqmail on SMTPS fails. The percentage is slightly
lower for STARTTLS but still significant.

The strange thing is that no other SSL wrapped service has this
problem. There never seem to be handshake problems with Apache HTTPS or
IMAPS/POP3S in Dovecot. I believe even Netqmail POP3S (in sslserver)
works fine but haven't really extensively tested that.

I've had a look at the traffic on the XEN DomU and Dom0 and can't see
any discrepancies or significant delays. I've also tested this on a
Linux Dom0 with XEN 3, Linux Dom0 with Xen 4 and NetBSD Dom0 with XEN
3. It's the same on all three of them.

I've tried different versions of patches and am currently using a patch
which merges http://rocketscience.lukasfeiler.com/bigqmail.patch with
http://tomclegg.net/qmail/#qmail-remote-auth (which I need). I've used
these patches before on physical machines and never had any trouble.
Also, I've merged patches manually before and always had the same
result.

I've had a quick look through the TLS patch but couldn't see an obvious
candidate for timing issues. Is there anything I can do to fix this?
I've thought about using sslserver for SMTPS at least but that would
also require hacking the TLS patch to make sure that AUTH is accepted
without STARTTLS on port 465 even though Netqmail is unaware of the SSL
wrapper. Any better suggestions?

Cheers,
Christian


amb-sendok-1304001303.ofelnnhlhpppcmmbeial at bradfo

Mar 29, 2011, 7:35 AM

Post #2 of 3 (563 views)
Re: Netqmail on XEN virtual servers [In reply to]

Thus said Christian Lerrahn on Tue, 29 Mar 2011 20:44:00 +1100:

> The problem I'm having is that in about 90% of all cases the SSL
> handshake with Netqmail on SMTPS fails. The percentage is slightly
> lower for STARTTLS but still significant.

Unlikely that it has anything to do with Xen. What did
strace/truss/ktrace tell you? My guess is that they will tell you that
you didn't give the process enough memory for the additional overhead
that SSL requires in your qmail-smtpd/run script.

Andy


lists at penpal4u

Mar 29, 2011, 10:32 PM

Post #3 of 3 (550 views)
Re: Netqmail on XEN virtual servers [In reply to]

Hi Andy,
On 29 Mar 2011 08:35:02 -0600
"Andy Bradford"
<amb-sendok-1304001303.ofelnnhlhpppcmmbeial [at] bradfords> wrote:

> Thus said Christian Lerrahn on Tue, 29 Mar 2011 20:44:00 +1100:
>
> > The problem I'm having is that in about 90% of all cases the
> > SSL handshake with Netqmail on SMTPS fails. The percentage is
> > slightly lower for STARTTLS but still significant.
>
> Unlikely that it has anything to do with Xen. What
> did strace/truss/ktrace tell you? My guess is that they will tell
> you that you didn't give the process enough memory for the
> additional overhead that SSL requires in your qmail-smtpd/run script.

I haven't straced the process, yet, because I didn't have a test system
where I could easily do that. But I can't see how that would make any
sense, anyway. In fact, I know the memory problem but it usually shows
in the logs as a failure to load libraries. No matter how much memory I
allocate to qmail-smtpd (via softlimit), the problem remains the same.

There are three things that puzzle me.

1. The problem only occurs erratically.
2. Even with almost the same patchset, I have never seen this problem
on a physical server before.
3. Nothing appears in the logs other than tcpserver writing an error
code 256.
4. The problem is less common on STARTTLS than on SSL but exists on
both.

I'll see if I can test the same binary on a physical machine (had none
to try so far) and report back if there are any new findings.

Cheers,
Christian
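A small probe to quantify the failure rate Christian describes and to separate connections the server drops before or during the handshake (what one would expect if qmail-smtpd exits under tcpserver, e.g. from a softlimit problem) from genuine TLS protocol errors. This is an added example, not code from the thread or from netqmail; the host name is a placeholder, and the 465/25 pairing assumes the SMTPS and STARTTLS layout from the original post.

```python
import socket
import ssl
import sys

def read_reply(f):
    """Read one SMTP reply; a '-' after the code continues a multi-line reply."""
    lines = [f.readline().decode("latin-1")]
    while lines[-1][3:4] == "-":
        lines.append(f.readline().decode("latin-1"))
    return "".join(lines)

def parse_ehlo(reply):
    """EHLO keywords (STARTTLS, AUTH, ...) advertised in a multi-line 250 reply."""
    return {ln[4:].split()[0].upper() for ln in reply.splitlines()
            if ln[:4] in ("250-", "250 ") and ln[4:].strip()}

# Order matters: SSLEOFError is a subclass of SSLError, socket.timeout of OSError.
_BUCKETS = ((ConnectionResetError, "reset"), (ssl.SSLEOFError, "eof"),
            (ssl.SSLError, "tls-error"), (socket.timeout, "timeout"))
def classify_error(exc):
    """Bucket a failure so a peer that hung up stands apart from a TLS protocol error."""
    return next((name for cls, name in _BUCKETS if isinstance(exc, cls)), type(exc).__name__)

def handshake_once(host, port, starttls):
    """One SMTPS (implicit TLS) or STARTTLS handshake; returns 'ok' or a failure bucket."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probe handshake, not chain
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            if starttls:
                f = sock.makefile("rb")
                read_reply(f)  # consume the 220 greeting
                sock.sendall(b"EHLO probe.invalid\r\n")
                if "STARTTLS" not in parse_ehlo(read_reply(f)):
                    return "no-starttls"
                sock.sendall(b"STARTTLS\r\n")
                if not read_reply(f).startswith("220"):
                    return "starttls-refused"
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"  # TLS handshake completed
    except OSError as exc:
        return classify_error(exc)

def summarize(outcomes):
    """Return (failure percentage, {bucket: count}) for one run."""
    counts = {b: outcomes.count(b) for b in set(outcomes)}
    return 100.0 * (len(outcomes) - counts.get("ok", 0)) / max(len(outcomes), 1), counts

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    for port, starttls in ((465, False), (25, True)):  # SMTPS first, then STARTTLS
        print(port, starttls, summarize([handshake_once(host, port, starttls) for _ in range(20)]))
```

tcpserver logs the raw wait status, so the "error code 256" in the thread is exit code 1 from the child; a run dominated by the "eof" and "reset" buckets is consistent with the child exiting mid-handshake rather than with a TLS negotiation mismatch.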
