Hi,
Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
My IMAPS & POPS3S daemon is dovecot 2.3.4.1-5+deb10u1
It is quiet complicated to find the logs for this test, so I don't know what is going wrong.
Sometimes, the test goes green for few minutes.
I tried configuring fail2ban to whitelist my Xymon server IP, and set dovecot to allow a large amount of connections, but this did not change anything.
Any help to investigate or locate IMAPS test logs would be appreciated.
On Fri, Nov 22, 2019 at 10:53:51AM +0100, Damien Martins wrote: Hi,
Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
My IMAPS & POPS3S daemon is dovecot 2.3.4.1-5+deb10u1
It is quiet complicated to find the logs for this test, so I don't know what is going wrong.
Sometimes, the test goes green for few minutes.
I'm not a debian specialist, but check the TLS protocol offerer by dovecot on this server. I had the same issue on freebsd when monitoring a dovecot offering TLS 1.3 even if xymon was build on a server running the same openssl version offering TLS 1.3.
I replaced the imaps/pop3s test by a perl scripts extension using IO::Socket::SSL build with the same openssl and it fixed the issue.
I reported this issue on this list but never got any answer.
https://lists.xymon.com/pipermail/xymon/2019-July/046585.html
Regards,
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registar ID 74
On Mon, Nov 25, 2019 at 02:03:59PM +0100, Laurent Frigault wrote:
On Fri, Nov 22, 2019 at 10:53:51AM +0100, Damien Martins wrote: Hi,
Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
My IMAPS & POPS3S daemon is dovecot 2.3.4.1-5+deb10u1
It is quiet complicated to find the logs for this test, so I don't know what is going wrong.
Sometimes, the test goes green for few minutes.
I'm not a debian specialist, but check the TLS protocol offerer by dovecot on this server. I had the same issue on freebsd when monitoring a dovecot offering TLS 1.3 even if xymon was build on a server running the same openssl version offering TLS 1.3.
I replaced the imaps/pop3s test by a perl scripts extension using IO::Socket::SSL build with the same openssl and it fixed the issue.
I reported this issue on this list but never got any answer.
https://lists.xymon.com/pipermail/xymon/2019-July/046585.html
I am seeing the exact same issue with Courier-IMAP on Gentoo Linux. It remains yellow most of the day, but randomly goes green for a few minutes. The odd thing is that the sslcert test gets the certs and displays the proper info there.
Debian 10 made some updates to requirements for TLS connections, specifically the minimum TLS version was sat to TLS 1.2 and there is now a check for (I think) some Diffie-Hellman keylength parameters. This has caused problems. See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
The quick-and-dirty solution is to change /etc/ssl/openssl.cnf and change the line
CipherString = DEFAULT at SECLEVEL=2
to have a SECLEVEL=1 instead (this was the setting until Debian 10).
Of course, you should check up on the certificates and TLS settings on the servers that are flagged as in error, but at least this will revert to the behaviour before the upgrade.
Regards, Henrik
Damien Martins skrev den 22-11-2019 10:53:
Hi,
Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
My IMAPS & POPS3S daemon is dovecot 2.3.4.1-5+deb10u1
It is quiet complicated to find the logs for this test, so I don't know what is going wrong.
Sometimes, the test goes green for few minutes.
I tried configuring fail2ban to whitelist my Xymon server IP, and set dovecot to allow a large amount of connections, but this did not change anything.
Any help to investigate or locate IMAPS test logs would be appreciated.
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
participants (4)
-
damien@makelofine.org
-
henrik@hswn.dk
-
lolo@troll.free.org
-
matt@oddprocess.org