Seeing 30+ second delay on port 465 or 587 connections, yet Courier
IMAP 993 connections are instant using openssl s_client.

I thought that it may be the ISP putting in a delay, so I opened a port
on the firewall above 10K and tried that - same results.  If you're
behind the firewall, no delay exists, even if you're inside the network
and hit the public side IP.

Time from openssl s_client command to mail.log entry: 34 seconds - this
varies - sometimes no response at all

Contents of esmtpd-ssl configuration file:

***********************************************************************

##VERSION: $Id: a61b6f9173bf2b9fcb0e0e253a47f53ff34359b4-20160424075309$
#
# esmtpd-ssl created from esmtpd-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2000-2016 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-SMTP server
#  when used to handle SSL ESMTP connections.
#
#  SSL and non-SSL connections are handled by a dedicated instance of the
#  couriertcpd daemon.  If you are accepting both SSL and non-SSL ESMTP
#  connections, you will start two instances of couriertcpd, one on the
#  ESMTP port 25, and another one on the ESMTP-SSL port 465.
#
#  Download OpenSSL from http://www.openssl.org/
#
##NAME: install_prefix:0
#
# Do not change the following settings.

prefix=/usr
exec_prefix=/usr

##NAME: BOFHCHECKDNS:0
#
#  Comment out the following line in order to accept mail with a bad
#  return address.

BOFHCHECKDNS=1

##NAME: BOFHNOEXPN:1
#
#  Set BOFHNOEXPN to 1 to disable EXPN

BOFHNOEXPN=0

##NAME: BOFHNOVRFY:1
#
#  Set BOFHNOVRFY to 1 to disable VRFY

BOFHNOVRFY=0

##NAME: TARPIT:1
#
#  Set TARPIT to 0 to disable tarpitting

TARPIT=1

##NAME: NOADDMSGID:0
#
#  The following environment variables keep Courier from adding
#  default Date: and Message-ID: header to messages which do not have them.
#  If you would like to add default headers only for mail from certain
#  IP address ranges, you can override them in couriertcpd access file,
#  see couriertcpd(8).

NOADDMSGID=1

##NAME: NOADDDATE:0
#

NOADDDATE=1

##NAME: NOADDRREWRITE:0
#
# Don't rewrite To:, From:, and Cc: headers.  Set to 2 in order to omit
# rewriting them only if there is a DKIM-Signature.

NOADDRREWRITE=0

##NAME: ESMTP_LOG_DIALOG:0
#
#  If set, log the esmtp dialog.

ESMTP_LOG_DIALOG=1

##NAME: AUTH_REQUIRED:0
#
# Set AUTH_REQUIRED to 1 in order to force the client to use ESMTP
# authentication.  You can override AUTH_REQUIRED on a per-IP address basis
# using smtpaccess.  See makesmtpaccess(8).

AUTH_REQUIRED=1

##NAME: SSLPORT:0
#
#  Options in the esmtpd-ssl configuration file AUGMENT the options in the
#  esmtpd configuration file.  First the esmtpd configuration file is read,
#  then the esmtpd-ssl configuration file, so we do not have to redefine
#  anything.
#
#  However, some things do have to be redefined.  The port number is
#  specified by SSLPORT, instead of PORT.  The default port is port 465.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.168.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1.
#  The SSLADDRESS setting is a default for ports that do not have
#  a specified IP address.

SSLPORT=465,587

##NAME: SSLADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1

SSLADDRESS=****BLOCKED FOR SECURITY ****

##NAME: SSLPIDFILE:0
#
#

SSLPIDFILE=/run/courier/esmtpd-ssl.pid

##NAME: ESMTPDSSLSTART:0
#
#  Whether or not to start ESMTP over SSL on esmtps port:

ESMTPDSSLSTART=YES

##NAME: COURIERTLS:0
#
# The following variables configure ESMTP over SSL.  If OpenSSL or GnuTLS
# is available during configuration, the couriertls helper gets compiled, and
# upon installation a dummy TLS_CERTFILE gets generated. courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
# at your own risk.  Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
#

COURIERTLS=/usr/bin/couriertls

##NAME: TLS_PRIORITY:0
#
# GnuTLS setting only
#
# Set TLS protocol priority settings (GnuTLS only)
#
# DEFAULT: NORMAL:-CTYPE-OPENPGP
#
# TLS_PRIORITY="NORMAL:-CTYPE-OPENPGP"
#
# This setting is also used to select the available ciphers.
#
# The actual list of available ciphers depends on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
#        is not included
# ALL -- all ciphers except the NULL cipher
#
# See GnuTLS documentation, gnutls_priority_init(3) for additional
# documentation.

##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# OpenSSL:
#
# TLSv1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
# TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
# higher protocols.
#
# The default value is TLSv1+

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"

##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some servers
# have been encountered that offer 512 bit keys. You may have to set
# TLS_MIN_DH_BITS=512 here, if necessary.

##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but it's not yet implemented.
#

##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable. Set TLS_CERTFILE
# instead of TLS_DHCERTFILE if this is a garden-variety certificate.
#
# VIRTUAL HOSTS ON THE SAME IP ADDRESS.
#
# Install each certificate as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.www.example.com,
# /etc/certificate.pem.www.domain.com and so on. Then, create a link from
# $TLS_CERTFILE to whichever certificate you consider to be the main one,
# for example:
# /etc/certificate.pem => /etc/certificate.pem.www.example.com
#
# IP-BASED VIRTUAL HOSTS:
#
# There may be a need to support older SSL/TLS clients that don't support
# virtual hosts on the same IP address, and require a dedicated IP address
# for each SSL/TLS host. If so, install each certificate file as
# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
# for the certificate's domain name. So, if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
# and so on, for each IP address.
#
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=****BLOCKED FOR SECURITY****


##NAME: TLS_DHPARAMS:0
#
# TLS_DHPARAMS - DH parameter file.
#

TLS_DHPARAMS=/etc/courier/dhparams.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).

TLS_TRUSTCERTS=****BLOCKED FOR SECURITY****

##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#


TLS_VERIFYPEER=NONE


##NAME: TLS_EXTERNAL:0
#
# To enable SSL certificate-based authentication:
#
# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate
#    authority's SSL certificate
#
# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the latter setting
#    requires all SSL clients to present a certificate, and rejects
#    SSL/TLS connections without a valid cert).
#
# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID.
#    Example:
#
#  TLS_EXTERNAL=emailaddress
#
# The above example retrieves the login ID from the "emailaddress" subject
# field. The certificate's emailaddress subject must match exactly the login
# ID in the courier-authlib database.

##NAME: SYSLOGNAME:0
#
# Name that courieresmtpd uses to log to syslog
#
# SYSLOGNAME=courieresmtpd

##NAME: MAXDAEMONS:0
#
#  Maximum number of daemons started
#

MAXDAEMONS=40

##NAME: MAXPERC:0
#
#  Maximum number of connections accepted from the same C address block
#

MAXPERC=25

##NAME: MAXPERIP:0
#
#
#  Maximum number of connections accepted from the same IP address

MAXPERIP=5


***********************************************************************

/end contents of esmtpd-ssl configuration file

-- 
Greg Pfister
[email protected]

WARNING - Oath Inc. now owns all email content of users with the following
domains:

ATT.NET
Yahoo
AOL
Verizon
flurry
Tumblr
autoblog
ryot
kanwas
engadget
msn
Microsoft Outlook
Xbox


Additionally, any companies that are hosted by Oath Inc. mail servers
are included in said ownership of any content, including those that pay
to have their email hosted.  This content includes pictures, business
proposals, personal messages, documents, etc.

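Added example (not from the post and not Courier's own code): a small parser for the sysconftool-style esmtpd-ssl file pasted above, which expands SSLPORT into listeners by the "ip.port" rule the file's own comments describe and lists the enabled settings that change how the server behaves during the dialog, so they can be reviewed first when a submission port stalls. The sample configuration is constructed; SSLADDRESS=0 is assumed to be the distributed default (every interface), not the poster's redacted value.

```python
from typing import Dict, List, Tuple

# Constructed sample in the sysconftool format of the posted esmtpd-ssl file (abridged);
# SSLADDRESS=0 is assumed to be the distributed default (every interface), not the poster's value.
SAMPLE_CONFIG = """\
##NAME: TARPIT:1
#  Set TARPIT to 0 to disable tarpitting
TARPIT=1
BOFHCHECKDNS=1
ESMTP_LOG_DIALOG=1
AUTH_REQUIRED=1
SSLADDRESS=0
SSLPORT=465,587,127.0.0.1.900
"""
# Settings from the posted file that change how the server behaves during the dialog.
REVIEW_KEYS = {
    "TARPIT": "tarpitting on: the server deliberately delays some responses",
    "BOFHCHECKDNS": "return-address DNS check on: the MAIL FROM domain must resolve",
    "AUTH_REQUIRED": "ESMTP AUTH is required before the client may relay",
    "ESMTP_LOG_DIALOG": "the full ESMTP dialog is logged, so mail.log shows where the wait is",
}

def parse_sysconftool(text: str) -> Dict[str, str]:
    """KEY=value lines; '#' lines (including '##NAME:') are comments; a later key wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def parse_sslport(sslport: str, ssladdress: str) -> List[Tuple[str, int]]:
    """Expand SSLPORT into (address, port) listeners: a bare port binds to SSLADDRESS,
    'aaa.bbb.ccc.ddd.port' binds that port to that IPv4 address (split on the last dot)."""
    listeners = []
    for item in (s.strip() for s in sslport.split(",") if s.strip()):
        addr, dot, port = item.rpartition(".")
        if not port.isdigit():
            raise ValueError(f"bad SSLPORT entry: {item!r}")
        listeners.append((addr if dot else ssladdress, int(port)))
    return listeners

def review(settings: Dict[str, str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Listeners plus the enabled dialog-affecting settings to read first when a port stalls."""
    listeners = parse_sslport(settings.get("SSLPORT", "465"), settings.get("SSLADDRESS", "0"))
    enabled = [f"{k}={v}: {why}" for k, why in REVIEW_KEYS.items() if (v := settings.get(k)) == "1"]
    return listeners, enabled
```

Run it against a real esmtpd-ssl file by passing its contents to parse_sysconftool and then review; the listener list shows exactly which address/port pairs couriertcpd will bind.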

Courier-imap mailing list