IMAPS & POP3S tests
list Damien Martins
Hi,

Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests. This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.

My IMAPS & POP3S daemon is dovecot 2.3.4.1-5+deb10u1.

It is quite complicated to find the logs for this test, so I don't know what is going wrong. Sometimes, the test goes green for a few minutes.

I tried configuring fail2ban to whitelist my Xymon server IP, and set dovecot to allow a large amount of connections, but this did not change anything.

Any help to investigate or locate IMAPS test logs would be appreciated.
list Laurent Frigault
On Fri, Nov 22, 2019 at 10:53:51AM +0100, Damien Martins wrote:
> Hi,
> Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests. This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
> My IMAPS & POP3S daemon is dovecot 2.3.4.1-5+deb10u1.
> It is quite complicated to find the logs for this test, so I don't know what is going wrong. Sometimes, the test goes green for a few minutes.

I'm not a Debian specialist, but check the TLS protocol offered by dovecot on this server.

I had the same issue on FreeBSD when monitoring a dovecot offering TLS 1.3, even if xymon was built on a server running the same openssl version offering TLS 1.3.

I replaced the imaps/pop3s test by a Perl script extension using IO::Socket::SSL built with the same openssl and it fixed the issue.

I reported this issue on this list but never got any answer.
https://lists.xymon.com/pipermail/xymon/2019-July/046585.html

Regards,
--
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registar ID 74
list Damien Martins
Laurent,

Thank you for your answer. May you share this Perl script? Should be useful for many ppl, I guess.
list Matthew Daubenspeck
On Mon, Nov 25, 2019 at 02:03:59PM +0100, Laurent Frigault wrote:
> On Fri, Nov 22, 2019 at 10:53:51AM +0100, Damien Martins wrote:
> > Hi,
> > Since I upgraded a system to Debian 10 running Xymon client 4.3.28, my Xymon server (running version 4.3.28 on Debian 10) reports errors for IMAPS & POP3S tests.
> > This is weird, because I have another server, running Xymon 4.3.28 too, that is not reporting any issue.
> > My IMAPS & POP3S daemon is dovecot 2.3.4.1-5+deb10u1.
> > It is quite complicated to find the logs for this test, so I don't know what is going wrong. Sometimes, the test goes green for a few minutes.
>
> I'm not a Debian specialist, but check the TLS protocol offered by dovecot on this server.
> I had the same issue on FreeBSD when monitoring a dovecot offering TLS 1.3, even if xymon was built on a server running the same openssl version offering TLS 1.3.
> I replaced the imaps/pop3s test by a Perl script extension using IO::Socket::SSL built with the same openssl and it fixed the issue.
> I reported this issue on this list but never got any answer.
> https://lists.xymon.com/pipermail/xymon/2019-July/046585.html

I am seeing the exact same issue with Courier-IMAP on Gentoo Linux. It remains yellow most of the day, but randomly goes green for a few minutes. The odd thing is that the sslcert test gets the certs and displays the proper info there.
list Henrik Størner
Debian 10 made some updates to requirements for TLS connections; specifically, the minimum TLS version was set to TLS 1.2 and there is now a check for (I think) some Diffie-Hellman key length parameters. This has caused problems. See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1

The quick-and-dirty solution is to change /etc/ssl/openssl.cnf and change the line

CipherString = DEFAULT@SECLEVEL=2

to have a SECLEVEL=1 instead (this was the setting until Debian 10).

Of course, you should check up on the certificates and TLS settings on the servers that are flagged as in error, but at least this will revert to the behaviour before the upgrade.

Regards,
Henrik
list Laurent Frigault
On Mon, Nov 25, 2019 at 02:09:55PM +0100, Damien Martins wrote:
> Thank you for your answer. May you share this Perl script? Should be useful for many ppl, I guess.

Please find:
tls.pl: the extension to install as tls in the server/ext directory
tls.task: to install in server/etc/tasks.d/

tls.pl uses 2 small modules (shared by other xymon extensions), ReportToBB.pm and Untaint.pm. I install them in /usr/local/lib/perl5/site_perl/XymonExt. Adapt to your local distrib/path.

In hosts.cfg, replace pop3s with tls_pop3s and imaps with tls_imaps.

For some unknown reason, I don't have this TLS 1.3 issue with https. It looks like the TLS part of https is not handled the same bad way pop3s/imaps are.

Regards,
--
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registar ID 74
Attachments (3)
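
One way to tell the two explanations in this thread apart (TLS 1.3 handling versus the Debian 10 SECLEVEL=2 policy) is to handshake with the mail server under each combination and compare the results. This is an added example, not code from any poster or from Xymon; the names `PROFILES`, `make_context`, `probe` and `diagnose` are hypothetical, and it assumes it is run on the Xymon server with a Python linked against the same OpenSSL library.

```python
import socket
import ssl
import sys

# Client settings to compare: Debian 10's default level and the SECLEVEL=1
# workaround, each with and without TLS 1.3 offered.
PROFILES = [
    ("SECLEVEL=2, max TLS 1.3", 2, ssl.TLSVersion.TLSv1_3),
    ("SECLEVEL=2, max TLS 1.2", 2, ssl.TLSVersion.TLSv1_2),
    ("SECLEVEL=1, max TLS 1.3", 1, ssl.TLSVersion.TLSv1_3),
    ("SECLEVEL=1, max TLS 1.2", 1, ssl.TLSVersion.TLSv1_2),
]


def make_context(seclevel, max_version):
    """Client context pinned to one security level and protocol ceiling."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Verification is off so that only protocol, cipher and DH negotiation
    # are tested; certificate-chain problems are not exercised here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    ctx.maximum_version = max_version
    return ctx


def probe(host, port, seclevel, max_version, timeout=5.0):
    """Return (ok, detail): negotiated version and cipher, or the error."""
    ctx = make_context(seclevel, max_version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSErrors
        return False, f"{type(exc).__name__}: {exc}"


def diagnose(host, port):
    """Run every profile against host:port; list of (label, ok, detail)."""
    return [(label, *probe(host, port, lvl, ver)) for label, lvl, ver in PROFILES]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. the IMAPS port, 993
    for label, ok, detail in diagnose(host, port):
        print(f"{'OK  ' if ok else 'FAIL'} {label:24} {detail}")
```

If only the SECLEVEL=1 rows succeed, the security-level check is what rejects the handshake, and the error text (for example a DH key size complaint) names the server-side setting to fix. If all four rows succeed, the OpenSSL policy is not what rejects the connection.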