On 2020-08-23 21:59, Arjen de Korte wrote:
> Quoting jimc <jimc@jfcarter.net>:
>> Failing version: dovecot23-2.3.11.3-1.1.x86_64 Install Date: 2020-08-18 -snip-
> This was mentioned before on this list. See https://dovecot.org/pipermail/dovecot/2020-August/119650.html how to solve this.
@Arjen, thanks for the quick and useful reply. I implemented it and it works. For explicitness, here's what I did. In /etc/dovecot/conf.d I put these 3 files, most comments redacted:

10-ssl.conf:
    # Everyone gets the dummy config that turns off SSL
    !include 10-ssl.all
    # Only root can read this file (and the host key it mentions) (mode 600)
    !include_try 10-ssl.root

10-ssl.all:
    ssl = no

10-ssl.root: (owned by root, mode 600)
    ssl = yes
    ssl_key = </etc/ssl/private/hostw.key
    # etc. etc. This is the original SSL configuration.
For testing:

- Upgraded to dovecot23-2.3.11.3-1.1.x86_64 and friends, and restarted dovecot.
- doveadm expunge mailbox Spam37 savedbefore 3day
  As user: works. strace shows doveconf silently skips 10-ssl.root, getting EACCES.
- doveadm who
  My bad -- this command doesn't call doveconf, testing nothing.
- sleep 1 | openssl s_client -connect jacinth.jfcarter.net:143 -starttls imap
  -- or --
  sleep 1 | openssl s_client -connect jacinth.jfcarter.net:993
  Verify return code: 0 (ok) and TLS session ticket was granted for both. Be careful to use the ports and hostname (IP) that the firewall is expecting.
- Normal use from Roundcube: connects and gets/deletes mail normally. TLS is required for this.
-- 
James F. Carter          Email: jimc@jfcarter.net
Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
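One way to check that the split layout above is actually in place (the root-only fragment pulled in with !include_try, the world-readable fragment carrying no key, fragment and key mode 600), as an added shell example that is not from this post or from Dovecot; the function names audit_dovecot_ssl and demo, the temp-dir sample and the use of GNU stat -c are assumptions:

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Audits a dovecot conf.d
# directory for the split SSL layout described above: 10-ssl.conf, 10-ssl.all
# and 10-ssl.root follow the post; audit_dovecot_ssl, demo and the sample
# key path are assumptions. Uses GNU stat -c (Linux).

# Prints one OK/FAIL line per check; returns 1 if any check fails.
audit_dovecot_ssl() {
    confd=$1
    rc=0
    # 1. The root-only fragment must be pulled in with !include_try, so an
    #    unprivileged doveadm run skips it instead of dying on EACCES.
    if grep -q '^!include_try[[:space:]]\{1,\}10-ssl\.root' "$confd/10-ssl.conf"; then
        echo "OK   10-ssl.conf includes 10-ssl.root via !include_try"
    else
        echo "FAIL 10-ssl.conf must include 10-ssl.root via !include_try"; rc=1
    fi
    # 2. The world-readable fallback must only disable SSL, never name a key.
    if grep -q 'ssl_key' "$confd/10-ssl.all"; then
        echo "FAIL 10-ssl.all references ssl_key (readable by every user)"; rc=1
    else
        echo "OK   10-ssl.all carries no key material"
    fi
    # 3. The root fragment and every key it references (ssl_key = <path)
    #    must be mode 0600 so only root can read them.
    for f in "$confd/10-ssl.root" $(sed -n 's/^ssl_key *= *<//p' "$confd/10-ssl.root"); do
        mode=$(stat -c '%a' "$f" 2>/dev/null || echo missing)
        if [ "$mode" = "600" ]; then
            echo "OK   $f is mode 600"
        else
            echo "FAIL $f is mode $mode, expected 600"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: build the three-file layout in a temp dir and audit it.
demo() {
    d=$(mktemp -d); mkdir -p "$d/conf.d" "$d/private"
    printf '!include 10-ssl.all\n!include_try 10-ssl.root\n' > "$d/conf.d/10-ssl.conf"
    printf 'ssl = no\n' > "$d/conf.d/10-ssl.all"
    printf 'ssl = yes\nssl_key = <%s/private/host.key\n' "$d" > "$d/conf.d/10-ssl.root"
    printf 'placeholder, not a real key\n' > "$d/private/host.key"
    chmod 600 "$d/conf.d/10-ssl.root" "$d/private/host.key"
    audit_dovecot_ssl "$d/conf.d"
}
```

Run `audit_dovecot_ssl /etc/dovecot/conf.d` on a live host; `demo` exercises it against the constructed sample.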