r-raymond / nixos-mailserver

A complete and Simple Nixos Mailserver


Timeout on postfix.service when generating big DH parameter

nyanloutre opened this issue · comments

(Use this template for bugs, feel free to delete it for other issues)

SNM Version: (e.g. v2.1.3)

v2.1.4

Nixos Version: (e.g. 17.09 or unstable)

18.03

Relevant part of the config to reproduce:

dhParamBitLength = 4096;

What I expected to happen:

Systemd should let OpenSSL generate the key even if it takes some time

What happened:

The postfix service timed out (because it's the one generating the key) and the key was not properly generated resulting in connection failures.

Relevant journald log:

# systemctl restart postfix
Job for postfix.service failed because a timeout was exceeded.

I created this issue so it's possible to discuss the best timeout value. Maybe 1 hour is enough?

I'll be playing Captain Obvious here: in principle the higher the bit length the better, of course. This being said a timeout of 1h also means that it is deemed OK for you to not have a postfix for 1h and not know about it / have something done about it. Now SMTP is quite a robust protocol and sane mail servers should try to attempt the sending of an email for a while but there's that.

Just for perspective: The default value in NMS is 1024 because 2048 takes a long time and 1024 is deemed sufficiently secure, but you are probably aware of this.

Last but not least the timeout value will ultimately depend on the speed of the CPU and the amount of randomness happening on the system at the time of the generation.

So you got "How quickly do I want to know if my postfix is broken" vs. "How much time do I want to give postfix for this initial generation" with the hard to gauge bit "How fast and random is your system". I doubt it is possible to come up with a timeout value that satisfies all of these things for dhParamBitLength = 4096; and thus will work for everyone.

So the sanest thing is to generate my enormous DH parameter manually; it's a one-time process after all.

I guess we could make it easier (i.e. better explain how) to manually generate the dh file. It will work right now if you place it in the correct location with the correct name.
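One way to do the manual, out-of-band generation the last two comments talk about, as an added example that is not part of nixos-mailserver: the parameters are written to a temporary file, verified with OpenSSL's own check, and only then renamed into place, so an interrupted generation (the failure mode in the report above) never leaves a truncated file for postfix to load. The output path is an assumed placeholder; the real location and file name are whatever nixos-mailserver expects.

```shell
#!/bin/sh
# Added example, not nixos-mailserver code. DH_FILE below is a placeholder path.
set -eu

# gen_dhparam BITS OUT: generate BITS-bit DH parameters into OUT atomically.
# Writes to a temp file first; readers either see the old file or a complete one.
gen_dhparam() {
    bits="$1"
    out="$2"
    tmp="$(mktemp "${out}.XXXXXX")"
    # nice so an hours-long 4096-bit run does not starve the mail daemons;
    # stderr is the progress dots, not useful in a script
    if ! nice -n 19 openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    # never install parameters that fail OpenSSL's own sanity check
    if ! dhparam_ok "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
}

# dhparam_ok FILE: succeed only if FILE exists and parses and checks as DH params.
# A missing or truncated file (what a killed generation leaves behind) fails here.
dhparam_ok() {
    [ -s "$1" ] && openssl dhparam -check -noout -in "$1" >/dev/null 2>&1
}

# dhparam_bits FILE: print the prime size in bits, or nothing if unreadable.
dhparam_bits() {
    openssl dhparam -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Usage (placeholder path): gen_dhparam 4096 /path/to/DH_FILE && dhparam_ok /path/to/DH_FILE
```

Run it under nohup, tmux or a one-shot systemd unit with no start timeout, not inside postfix.service.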