Univention Bugzilla – Bug 38990
3 Minute timeout in dovecot postinst prolongs installation
Last modified: 2015-09-01 13:42:57 CEST
univention-mail-dovecot.postinst waits up to 3 minutes for the generation of ssl certificates. In a cloud setup, the postinst actually waited the whole period.
The postinst could be modified to start Dovecot with only 1024 bit dh_parameters_length (Debian default) and change it later to 2048. The generation should then run in the background and be switched to without interruption of the service. Will need some testing, because the listener starts logging in (possibly in very fast succession) right after being installed, to upload Sieve-scripts for all existing users. The timeout was created to make sure it is not interrupted in this.
I would suggest installing "haveged" in any virtualized instance (by default) to create enough entropy.
I tested with "haveged -w 2048 -v 3 -r 0" and it did help a lot! I also vote for the installation of haveged (even as default for all UCS). But if before the generation of Dovecot's 2048 DH, a generation of 1024 DH and another 2048 ran, it did take >3 min again. This scenario is very probable during system installation: 1st Apache, 2nd Dovecot 1024 by Debian, then 2048 bit by Dovecot's UCS-integration setting. Probably others (OpenSSL, SSH) ran before that too. So I think the postinst should be adapted anyway.
Noticed again in EC2 instance setup
Dovecot is installed by Debian with 1024 bit DH parameters. The postinst script now just waits until that has finished - should be fairly short. The generation of 2048 bit DH parameters is triggered afterwards and runs in the background. Commit: 62939 YAML: 62940
OK - 4.0-3
Sep 1 13:17:42 master dovecot: master: Dovecot v2.2.13 starting up for imap, lmtp, sieve, pop3 (core dumps disabled)
Sep 1 13:17:49 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep 1 13:17:49 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep 1 13:17:49 master dovecot: ssl-params: Generating SSL parameters
Sep 1 13:17:57 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep 1 13:17:57 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep 1 13:18:57 master dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Sep 1 13:18:59 master dovecot: ssl-params: SSL parameters regeneration completed
During installation a 1024 dh parameter file is created and the creation of a 2048 dh parameter is started (but the postinst does not wait for this).
OK - 4.1-0
But, univention-mail-dovecot is already announced with errata http://errata.univention.de/ucs/4.0/291.html, so I move the yaml to published and close this bug.
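As an added example (not part of the bug report and not Univention's code), this script parses the Dovecot syslog lines quoted in the QA comment above and measures how long the service had been up before the 2048-bit DH parameters finished generating. The function names and the `year` default are assumptions of the example, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Log lines copied from the QA comment above (syslog format carries no year).
SAMPLE_LOG = """\
Sep 1 13:17:42 master dovecot: master: Dovecot v2.2.13 starting up for imap, lmtp, sieve, pop3 (core dumps disabled)
Sep 1 13:17:49 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep 1 13:17:49 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep 1 13:17:49 master dovecot: ssl-params: Generating SSL parameters
Sep 1 13:17:57 master dovecot: master: Warning: SIGHUP received - reloading configuration
Sep 1 13:17:57 master dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
Sep 1 13:18:57 master dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Sep 1 13:18:59 master dovecot: ssl-params: SSL parameters regeneration completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proc>[\w-]+): (?P<msg>.*)$")
BITS_RE = re.compile(r"ssl_dh_parameters_length=(\d+)")

def parse_events(log, year=2015):
    """Return (timestamp, process, message) for every Dovecot syslog line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines from other daemons or malformed lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["proc"], m["msg"]))
    return events

def dh_regeneration_summary(log, year=2015):
    """Time from first regeneration request (and from startup) to completion."""
    started = requested = completed = bits = None
    reloads = 0
    for ts, proc, msg in parse_events(log, year):
        if proc == "master" and "starting up" in msg:
            started = ts
        elif proc == "master" and "SIGHUP received" in msg:
            reloads += 1
        elif proc == "ssl-params" and BITS_RE.search(msg):
            bits = int(BITS_RE.search(msg).group(1))
            requested = requested or ts  # keep the first request only
        elif proc == "ssl-params" and "regeneration completed" in msg:
            completed = ts
    secs = lambda a, b: int((b - a).total_seconds()) if a and b else None
    return {"bits": bits, "reloads": reloads, "completed": completed is not None,
            "generation_seconds": secs(requested, completed),
            "seconds_since_startup": secs(started, completed)}
```

A log that ends before the "regeneration completed" line yields `completed: False` with both durations set to `None`, which is the state to look for when checking whether a freshly installed host is still waiting for its 2048-bit parameters.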