dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Reuben Farrelly
reuben-dovecot at reub.net
Tue Oct 31 15:00:04 EET 2017
Hi,
On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
> Message: 6
> Date: Mon, 30 Oct 2017 10:22:42 +0200
> From: Teemu Huovila <teemu.huovila at dovecot.fi>
> To: dovecot at dovecot.org
> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
> Content-Type: text/plain; charset=utf-8
>
>
>
> On 30.10.2017 09:10, Aki Tuomi wrote:
>>
>>
>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>> Hi Aki,
>>>
>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>
>>>>>
>>>>> Hi again,
>>>>>
>>>>> Chasing down one last problem which seems to have been missed from my
>>>>> last email:
>>>>>
>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>
>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net>
>>>>>>>> wrote:
>>>>> This problem below is still present in 2.3 -git, as of version
>>>>> 2.3.devel
>>>>> (6fc40674e)
>>>>>
>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>>>>>>
>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> Yet the file is there:
>>>>>>>>
>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> And the config is there as well:
>>>>>>>>
>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> thunderstorm dovecot #
>>>>>>>>
>>>>>>>> It appears that this warning is being triggered by the presence of
>>>>>>>> the ssl-parameters.dat file because when I remove it the warning
>>>>>>>> goes away. Perhaps the warning could be made a bit more specific
>>>>>>>> about this file being removed if it is not required because at the
>>>>>>>> moment the warning message is not related to the trigger.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Reuben
>>>>> Thanks,
>>>>> Reuben
>>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>>> no ssl_dh=< explicitly set in config file.
>>>>
>>>> Aki
>>>
>>> I have this already in my 10-ssl.conf file:
>>>
>>> lightning dovecot # /etc/init.d/dovecot reload
>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>>  * Reloading dovecot configs and restarting auth/login processes
>>> ...      [ ok ]
>>> lightning dovecot #
>>>
>>> However:
>>>
>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>> # gives on startup when ssl_dh is unset.
>>> ssl_dh=</etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> and the file is there:
>>>
>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> So it is actually configured and yet the warning still is present.
>>>
>>> Reuben
>>
>> Hi!
>>
>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>> are still missing ssl_dh somewhere?
>>
>> Aki
>>
> Hello
>
> Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present.
>
> br,
> Teemu
I still can't see anything amiss. Here's the output from doveconf -n:
# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password = # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = failure_show_msg=yes %s
driver = pam
}
plugin {
fts = lucene
fts_autoindex = yes
fts_languages = en
fts_lucene = whitespace_chars=@.
mail_replica = tcps:inside-mail.reub.net:4813
replication_full_sync_interval = 4 hours
sieve = file:~/sieve;active=~/.dovecot.sieve
stats_refresh = 30 secs
stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
fifo_listener replication-notify-fifo {
mode = 0666
user = root
}
unix_listener replication-notify {
mode = 0666
user = root
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0777
}
}
service doveadm {
inet_listener {
address = 2400:8901:e001:3a::20
port = 4813
ssl = yes
}
user = root
}
service imap {
executable = imap postlogin
}
service lmtp {
inet_listener lmtp {
address = ::1
port = 24
}
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service postlogin {
executable = script-login -d rawlog
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
service stats {
fifo_listener stats-mail {
mode = 0666
}
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = stats notify replication fts fts_lucene sieve
ssl_dh = # hidden, use -P to show it
}
protocol !indexer-worker {
ssl_dh = # hidden, use -P to show it
}
protocol lda {
mail_plugins = stats notify replication fts fts_lucene sieve
ssl_dh = # hidden, use -P to show it
}
protocol imap {
mail_plugins = stats notify replication fts fts_lucene imap_stats
ssl_dh = # hidden, use -P to show it
}
protocol sieve {
ssl_dh = # hidden, use -P to show it
}
protocol pop3 {
ssl_dh = # hidden, use -P to show it
}
And showing with -P as an example:
protocol pop3 {
ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----
There is a single set of valid DH parameters for every protocol as
listed above.
It seems odd that ssl_dh is defined for all of these protocols specifically
too. This specific per-protocol definition of ssl_dh isn't specified in
any config file.
Reuben
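The trigger condition Aki states earlier in the thread (the warning fires when ssl-parameters.dat exists *and* no explicit `ssl_dh=<file` is set) can be checked against a config tree before touching the running server. The script below is an added example written for this archive page, not code from the thread or from the Dovecot project. It assumes a config directory layout with `*.conf` files (as in `conf.d/10-ssl.conf` above) and a path for the legacy parameters file; it only inspects those files with grep and does not run `doveconf`, so an `ssl_dh` set in a file that is not named `*.conf` would be missed, and `doveconf -P` remains the authoritative view of the merged configuration.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): reproduce the
# ssl_dh warning condition described in the thread without running doveconf.
#
#   check_ssl_dh CONF_DIR PARAMS_FILE
#     returns 0 when the warning would be expected
#     (PARAMS_FILE present AND no explicit "ssl_dh = <path" in CONF_DIR),
#     returns 1 otherwise.

# Print the path from the first uncommented "ssl_dh = <path" line found in
# any *.conf file under CONF_DIR (empty output when none is set).
# Comment lines such as "# ... when ssl_dh is unset." do not match because
# the pattern is anchored at the start of the line.
explicit_ssl_dh_file() {
    conf_dir="$1"
    find "$conf_dir" -type f -name '*.conf' \
        -exec grep -h -E '^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<' {} + 2>/dev/null |
        head -n 1 |
        sed 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when FILE exists and carries a PEM "DH PARAMETERS" block,
# which is the form doveconf -P showed in the thread.
dh_file_is_pem() {
    [ -f "$1" ] \
        && grep -q -e '-----BEGIN DH PARAMETERS-----' "$1" \
        && grep -q -e '-----END DH PARAMETERS-----' "$1"
}

check_ssl_dh() {
    conf_dir="$1"
    params_file="$2"
    dh_path=$(explicit_ssl_dh_file "$conf_dir")

    if [ -n "$dh_path" ]; then
        if dh_file_is_pem "$dh_path"; then
            echo "ssl_dh explicitly set to $dh_path (PEM DH parameters found)"
        else
            echo "ssl_dh set to $dh_path but the file is missing or not PEM DH parameters"
        fi
    else
        echo "no explicit ssl_dh=<path found under $conf_dir"
    fi

    if [ -e "$params_file" ] && [ -z "$dh_path" ]; then
        echo "warning expected: $params_file is present and ssl_dh is not explicitly set"
        return 0
    fi
    echo "warning not expected from this condition"
    return 1
}

# Stand-alone usage with the paths from the thread (hypothetical locations):
#   check_ssl_dh /etc/dovecot /var/lib/dovecot/ssl-parameters.dat
```

When the script reports that `ssl_dh` is explicitly set and the PEM file is valid yet the daemon still prints the warning, the next thing to compare is the merged view from `doveconf -P`, since that is what the server actually parsed.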