We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we upgraded openSUSE to Leap 15.0.

In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer works and I haven't figured out how to downgrade to the older working version.

The key issue seems to be the change to requiring dh.pem and changing ssl_protocols to ssl_min_protocols. I think I've navigated both correctly, but it still doesn't work.

The error is

auth: Error: stats: open(old-stats-user) failed: Permission denied

as a consequence of which we get

imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.

We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration

1. We have created /etc/dovecot/dh.pem (yes it took five hours)

2. We have edited 10-ssl.conf as directed by the Wiki:

ssl = yes

	ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem

	ssl_key = /etc/certbot/live/privustech.com/privkey.pem

	ssl_dh = /etc/dovecot/dh.pem	#(yes, it took five hours to create...)

	ssl_min_protocol = TLSv1

	ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

	ssl_prefer_server_ciphers = no

3. We have checked 10-ssl.conf against the 2.3 default at

https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf

4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.

5. we have checked all the pem keys, certificates, and dh files with cat, they all exist and are in the expected hash format.

6. We have followed the instructions to set their permissions root:root 0444 and 0400 accordingly.

7. We have rebooted the host.

Any help or clues would be most appreciated.