Exim hangs on delivering mail, lack of entropy for TLS

Bug #333257 reported by gcc
Affects: exim4 (Ubuntu) | Status: Opinion | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: exim4-daemon-light

When Exim is first installed (on Dapper), mail delivery times out like this:

chris@fen-fw:~$ sudo exim -qf -v -v
LOG: queue_run MAIN
  Start queue run: pid=30436 -qf
delivering 1LbXpS-0007T6-ED (queue run pid 30436)
R: system_aliases for <email address hidden>
R: smarthost for <email address hidden>
T: remote_smtp_smarthost for <email address hidden>
Connecting to net-mail.aptivate.org [80.248.178.172]:25 ... connected
  SMTP<< 220 mail.aidworld.org ESMTP Exim 4.62 Mon, 23 Feb 2009 10:21:59 +0000
  SMTP>> EHLO fen-fw.aptivate.org
  SMTP<< 250-mail.aidworld.org Hello fen-fw.aptivate.org [217.155.111.90]
         250-SIZE 52428800
         250-PIPELINING
         250-AUTH PLAIN LOGIN
         250-STARTTLS
         250 HELP
  SMTP>> STARTTLS
  SMTP<< 220 TLS go ahead
  (hangs for a long time here)

The problem is complex:

* Dapper uses a kernel version which has poor entropy gathering (see Debian bug #343085). /dev/random is usually nearly empty, as my Munin graphs show, and my /proc/sys/kernel/random/entropy_avail is (was) usually below 200 bytes
* exim4 is linked with GnuTLS rather than OpenSSL (see Debian bug #343085)
* GnuTLS makes much less efficient use of available entropy (see Debian bug #343085)
* Exim needs to generate a DH parameters cache file before TLS will work (/var/spool/exim4/gnutls-params, see Debian bugs #343085 and #338319)
* This file is not generated on installation, but by a mail-sending process (see Debian bug #338319)
* Due to low entropy and GnuTLS wastefulness, this file takes a very long time to generate (e.g. hours/days)
* Until generated, exim4 cannot send mail, hanging forever as above
* This file is also deleted by /etc/cron.daily/exim4-base, UNLESS the gnutls-bin package is installed, therefore the problem will recur daily (see Debian bug #338319)

Possible workarounds are:

* replace /dev/random with a link to /dev/urandom (has security implications)
* install an entropy gathering daemon. I installed rng-tools; unexpectedly it works on my hardware, and my entropy pool is back up at 4000 now (i.e. full). This will probably not work for everyone
* wait for exim to generate the gnutls-params itself (every day) and accept that mail will hang until then
* install gnutls-bin
* generate gnutls-params immediately after installation

I'd recommend making exim4-config depend on gnutls-bin, AND generate the gnutls-params file during package installation so that the admin is not mystified by an installed but apparently non-working exim4 package.

Description: Ubuntu 6.06.2 LTS
Release: 6.06

chris@fen-fw:~$ apt-cache policy exim4 exim4-daemon-light libgnutls12 libgcrypt11
exim4: 4.60-3ubuntu3.1
exim4-daemon-light: 4.60-3ubuntu3.1
libgnutls12: 1.2.9-2ubuntu1.2
libgcrypt11: 1.2.2-1

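The report ties the STARTTLS hang to two conditions: a nearly empty kernel entropy pool (entropy_avail below about 200) and a missing /var/spool/exim4/gnutls-params cache that Exim has to generate before TLS works, with the daily cron job removing that cache again unless gnutls-bin is installed. The following diagnostic is an added example, not part of the exim4 package or the reporter's text; it checks both conditions and prints a one-word verdict. The paths and the 200 threshold come from the report; the environment overrides and the verdict names are this example's own choices, and the gnutls-bin check assumes that package is what provides /usr/bin/certtool.

```shell
#!/bin/sh
# Added diagnostic for the Exim/GnuTLS hang described in the report above.
# Not part of exim4; the paths and threshold are taken from the report, the
# overrides let the checks run against other files (e.g. in a test).

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
PARAMS_FILE="${PARAMS_FILE:-/var/spool/exim4/gnutls-params}"
THRESHOLD="${THRESHOLD:-200}"   # report: a pool "usually below 200" was the bad case

# entropy_state FILE THRESHOLD -> prints "low" or "ok".
# An unreadable or non-numeric file is treated as an empty pool.
entropy_state() {
    avail=$(cat "$1" 2>/dev/null || echo 0)
    case "$avail" in
        ''|*[!0-9]*) avail=0 ;;
    esac
    if [ "$avail" -lt "$2" ]; then echo low; else echo ok; fi
}

# params_state FILE -> prints "present" or "missing" (an empty file counts as missing,
# since Exim would still have to regenerate it).
params_state() {
    if [ -s "$1" ]; then echo present; else echo missing; fi
}

# gnutls_bin_installed -> exit 0 if certtool is on PATH.
# Assumption: certtool is shipped by gnutls-bin, the package whose absence makes
# /etc/cron.daily/exim4-base delete the cache every day.
gnutls_bin_installed() {
    command -v certtool >/dev/null 2>&1
}

# diagnose ENTROPY_FILE PARAMS_FILE THRESHOLD -> one-word verdict:
#   ok          cache present and pool healthy
#   at-risk     cache present but pool low: fine until the cron job deletes the
#               cache, after which regeneration stalls
#   generating  cache missing but pool healthy: Exim's one-off generation should finish
#   hang        cache missing and pool low: the hours/days hang from the report
diagnose() {
    e=$(entropy_state "$1" "$3")
    p=$(params_state "$2")
    if   [ "$p" = present ] && [ "$e" = ok ]; then echo ok
    elif [ "$p" = present ];                  then echo at-risk
    elif [ "$e" = ok ];                       then echo generating
    else                                           echo hang
    fi
}

# Run the checks against the live system when executed directly.
verdict=$(diagnose "$ENTROPY_FILE" "$PARAMS_FILE" "$THRESHOLD")
echo "entropy_avail: $(cat "$ENTROPY_FILE" 2>/dev/null || echo unreadable)"
echo "gnutls-params: $(params_state "$PARAMS_FILE") ($PARAMS_FILE)"
if gnutls_bin_installed; then
    echo "gnutls-bin:    present (cron job will keep the cache)"
else
    echo "gnutls-bin:    absent (cron job will delete the cache daily)"
fi
echo "verdict:       $verdict"
```

A verdict of "hang" or "at-risk" on a freshly installed host is the situation the report describes; the remedies it lists (an entropy daemon such as rng-tools, installing gnutls-bin, or generating the cache once after installation) are what move the verdict back to "ok".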
Chuck Short (zulcss)
Changed in exim4 (Ubuntu):
importance: Undecided → Low
status: New → Opinion