On 16/10/2020 07:18 Brian Martin <bmartin@silverflash.net> wrote:
I've spent days scouring the Internet and trying various solutions on a problem with my Dovecot installation, so I thought I'd share what I learned in hopes of saving other people a lot of time. The dedicated Dovecot hands will know all of the following already. This is for those of us that have to cover a lot of bases.
I upgraded my mail server from Ubuntu 18.04.1 to Ubuntu 20.04.1, and found that older MacBooks and iPads (and probably other devices) could no longer establish IMAP connections to Dovecot. Dovecot logged:
SSL routines:tls_early_post_process_client_hello:unsupported protocol
and TCP/IP traces showed that it dropped the connection after the client's initial HELLO. I tested what kinds of connections Dovecot would accept with (for example):
openssl s_client -tls1_1 -connect localhost:993 # Test whether TLSv1.1 is accepted - received "unsupported protocol" message.
Searching showed that Dovecot has a parameter "ssl_min_protocol", which is documented as defaulting to TLSv1. Nevertheless I explicitly set it to TLSv1 with no effect. This was a red herring. I spent a long time looking to see if Dovecot had a bug in handling this newish parameter, etc.
Eventually I came across one posting regarding a web server, that told me the OpenSSL libraries that Dovecot and lots of other packages use have a single configuration file for the entire system. In Ubuntu 20.04 it defaults to requiring TLSv1.2 or above. Changing the configuration for OpenSSL affects everything on the system using the library. I changed the file, restarted Dovecot, and it immediately accepted TLSv1 connections.
Obviously I'd prefer to maintain the improved security of TLSv1.2, but in my case it was better to continue providing mail service at a lower security level than to deny service to some users until they upgraded their personal devices. You'll need to make your own decision on that score.
The file to change is (on Ubuntu, at least) /usr/lib/ssl/openssl.cnf. The change consists of adding a line of code in the initial section that invokes several new sections later:
In the initial section I added:
openssl_conf = default_conf
Then at the bottom of the file I added:
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
There is an alternative approach that I have read of but not tested. Basically you can create a new file elsewhere with the customized content, and then set an environment variable (OPENSSL_CONF) just before launching Dovecot that points to your new file. This way, only Dovecot is using downgraded security. Since my mail server is a dedicated system and I didn't want to muck with the Dovecot start-up environment, I didn't feel the need to go that route.
So all my digging into why Dovecot wouldn't accept TLSv1 connections and how to change it were completely on the wrong path. It would be nice if Dovecot could log a message when its ssl_min_protocol is set lower than what OpenSSL will accept, but Dovecot may not be able to tell what OpenSSL is doing. In any case, those are the symptoms, the real problem, and how to fix it. Good luck, and thanks to Matt Caswell for posting the answer that I eventually found.
Ref: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-se...
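The following is an added example, not code from Brian's post or from the Dovecot project. It packages the two things the post describes: the per-process OPENSSL_CONF override (the untested alternative mentioned above, written as a standalone file so only the process launched with it gets the lowered floor) and the openssl s_client probe used to find out which protocol versions a server actually accepts. The host/port, file paths and the systemd drop-in mentioned afterwards are placeholders; the sample s_client transcripts in the comments are constructed. One caveat that does not appear in the post: starting with OpenSSL 3.0 (Ubuntu 22.04 and later), TLS 1.0 and 1.1 are no longer permitted at security level 1 because of the SHA-1/MD5 signatures they use, so the same override there needs CipherString = DEFAULT@SECLEVEL=0; check with `openssl version` before choosing the level.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot).
# Assumption: OpenSSL 1.1.x, where SECLEVEL=1 still allows TLS 1.0/1.1.
# On OpenSSL 3.x the same floor requires SECLEVEL=0.

# Write a standalone openssl.cnf that sets the library-wide floor for the
# process that loads it via OPENSSL_CONF=<file>, leaving the system copy
# in /usr/lib/ssl/openssl.cnf untouched. Ubuntu 20.04's system default is
# the equivalent of write_override_cnf FILE TLSv1.2 2.
write_override_cnf() {
    out="$1"; minproto="${2:-TLSv1}"; seclevel="${3:-1}"
    cat > "$out" <<EOF
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = $minproto
CipherString = DEFAULT@SECLEVEL=$seclevel
EOF
}

# Classify the text openssl s_client printed for one protocol attempt.
# Error lines are checked first because s_client prints an SSL-Session
# block (with "Cipher    : 0000") even when the handshake failed.
#   accepted    - the server negotiated that version
#   rejected    - the server refused it (alert protocol version, etc.)
#   unavailable - this client build will not even offer that version
classify_s_client() {
    case "$1" in
        *"no protocols available"*)                        echo unavailable ;;
        *"alert protocol version"*|*"unsupported protocol"*) echo rejected ;;
        *"wrong version number"*|*"handshake failure"*)     echo rejected ;;
        *"Cipher    : 0000"*)                               echo rejected ;;
        *"Protocol  :"*|*"Protocol version:"*)              echo accepted ;;
        *)                                                  echo unknown ;;
    esac
}

# Try each TLS version against host:port (e.g. localhost 993) and print
# one line per version. Constructed sample of what s_client returns for a
# refused TLSv1.1 attempt, which classify_s_client maps to "rejected":
#   ...SSL routines:ssl3_read_bytes:tlsv1 alert protocol version...
#   SSL-Session:
#       Protocol  : TLSv1.1
#       Cipher    : 0000
probe_server() {
    host="$1"; port="$2"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client "-$v" -connect "$host:$port" -servername "$host" </dev/null 2>&1)
        printf '%-8s %s\n' "$v" "$(classify_s_client "$out")"
    done
}

# Stand-alone use:  sh this.sh probe localhost 993
#                   sh this.sh write /etc/dovecot/openssl-compat.cnf TLSv1 1
case "${1:-}" in
    probe) probe_server "$2" "$3" ;;
    write) write_override_cnf "$2" "${3:-TLSv1}" "${4:-1}" ;;
esac
```

To apply the per-process variant to Dovecot under systemd, point the service at the generated file with a drop-in (`systemctl edit dovecot`) containing `[Service]` and `Environment=OPENSSL_CONF=/etc/dovecot/openssl-compat.cnf`, then restart Dovecot and re-run the probe; the system-wide file and every other TLS consumer keep the TLSv1.2 floor. Run the probe once before and once after the change so the lowered floor is a deliberate, recorded decision rather than a guess.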
Yeah. This is a known issue, and we have a ticket about allowing configuring the minimum accepted level on dovecot. It has not been done yet, though.
Thank you for the workaround.
Aki