VS: Dovecot stops responding when I update SSL certificate

Aki Tuomi aki.tuomi at dovecot.fi
Sat Mar 5 06:00:21 UTC 2016 

Did you change dh parameter size as well? This causes dh generation which can take some time.
---Aki TuomiDovecot oy-------- Alkuperäinen viesti --------Lähettäjä: HotSlots Webmaster <webmaster at hotslots132.com> Päivämäärä: 5.3.2016  4.10  (GMT+02:00) Saaja: dovecot at dovecot.org Aihe: Dovecot stops responding when I update SSL certificate 
Dovecot 2.2.18
CentOS 6.7 (x86_64)
Plesk 12.5.30

I have had Dovecot working fine with SSL for nearly two years now. It's 
time to renew the SSL certificate, so I did (same CA). The new 
certificate works fine in Apache and Postfix. But when I update Dovecot 
to use the same certificate, and restart the server, Dovecot stops 
responding to connects. I have triple-checked that the ssl_cert and 
ssl_key files are correct - all I did was change the names in the conf 
file. There's nothing in the log. I have tried various SSL tests but 
either they don't work (unspecific error) or they tell me nothing is 
wrong (and show the correct certificate.)  I am running out of time to 
find a solution to this - what else can I look for?

The one difference for the certificates is that I opted for one with a 
SHA256 root rather than SHA1 root. I have separately used a tool to 
verify that the certificate and private key match.

Here is the end of the dovecot -n file that mentions SSL:

ssl = required
ssl_cert = </etc/pki/tls/certs/hotslots-cert.pem
ssl_cipher_list = 
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/hotslots-private.pem
ssl_protocols = TLSv1.1 TLSv1.2 !TLSv1
userdb {
   args = uid=popuser gid=popuser
   driver = static
}
protocol imap {
   mail_plugins = " quota imap_quota"
}
protocol pop3 {
   pop3_uidl_format = UID%u-%v
}
protocol lda {
   mail_plugins = " quota sieve"
}

(The !TLSv1 doesn't seem to be honored - I tried it with and without 
that. A problem for later.)

Thanks for any help.

Steve L

More information about the dovecot mailing list