On 14 December 2018 at 02:12 "C. Andrews Lavarre" <alavarre@gmail.com> wrote:
Problem: We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we upgraded openSUSE to Leap 15.0. In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer works and I haven't figured out how to downgrade to the older working version.
The key issue seems to be the change to requiring dh.pem and changing ssl_protocols to ssl_min_protocols. I think I've navigated both correctly, but it still doesn't work. The error is auth: Error: stats: open(old-stats-user) failed: Permission denied
as a consequence of which we get imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.
We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
We have created /etc/dovecot/dh.pem (yes it took five hours)
We have edited 10-ssl.conf as directed by the Wiki:
ssl = yes
ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
ssl_key = /etc/certbot/live/privustech.com/privkey.pem
ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...)
Hi! You should use
ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
ssl_key =</etc/certbot/live/privustech.com/privkey.pem
ssl_dh =</etc/dovecot/dh.pem
ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = no
You should set ssl_prefer_server_ciphers = yes.
We have checked 10-ssl.conf against the 2.3 default at https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl...
We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.
Yes, this is probably indication that you are missing the files or are chrooting dovecot in unsupported way. Not including the < symbol will not help with this.
We have checked all the pem keys, certificates, and dh files with cat; they all exist and are in the expected hash format.
We have followed the instructions to set their permissions root:root 0444 and 0400 accordingly.
We have rebooted the host.
This is correct.
Any help or clues would be most appreciated.
Kind regards, Andy
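The point of the reply above is that Dovecot only reads a file when the value is written as `<path`; a bare path is taken as the PEM text itself, which is exactly what produces "There is no valid PEM certificate". The following is an added example, not code from the thread or from the Dovecot project: a small Python lint that parses a 10-ssl.conf snippet and reports the mistakes discussed here (missing `<`, unreadable or missing file, no PEM block, a group/world-readable private key, and `ssl_prefer_server_ciphers` not set to yes). The function names are my own, and the PEM files it creates in a temporary directory are constructed placeholders, not real key material; it checks syntax and permissions only, not whether the certificate and key actually match.

```python
import os
import re
import stat
import tempfile

# Settings whose value Dovecot expects in the "<path" form (the three discussed in the thread).
FILE_SETTINGS = ("ssl_cert", "ssl_key", "ssl_dh")
# Any PEM block: BEGIN ... END with a label such as CERTIFICATE, PRIVATE KEY or DH PARAMETERS.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def parse_conf(text):
    """Parse 'key = value' lines of a Dovecot conf snippet; blank lines and '#' comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments (paths with '#' are not handled)
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_ssl_settings(settings):
    """Return a list of (setting, problem) findings for the SSL file settings and cipher preference."""
    findings = []
    for key in FILE_SETTINGS:
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set"))
            continue
        if not value.startswith("<"):
            # Without '<' Dovecot treats the string itself as the PEM data, so a bare path
            # yields "There is no valid PEM certificate".
            findings.append((key, "value lacks the '<' prefix; Dovecot will read it as literal PEM data"))
            continue
        path = value[1:].strip()
        if not os.path.isfile(path):
            findings.append((key, f"file not found: {path}"))
            continue
        try:
            with open(path, "r") as fh:
                data = fh.read()
        except PermissionError:
            findings.append((key, f"permission denied: {path}"))
            continue
        if not PEM_RE.search(data):
            findings.append((key, f"no PEM block in {path}"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key == "ssl_key" and mode & 0o077:
            findings.append((key, f"private key {path} is readable by group/other (mode {mode:o})"))
    # Dovecot's default is "no"; the reply in the thread recommends "yes".
    if settings.get("ssl_prefer_server_ciphers", "no").lower() != "yes":
        findings.append(("ssl_prefer_server_ciphers", "should be yes so the server's cipher order is used"))
    return findings


def demo():
    """Lint the config as posted (bare paths) and the corrected form, using constructed placeholder PEM files."""
    tmp = tempfile.mkdtemp()
    cert = os.path.join(tmp, "fullchain.pem")
    key = os.path.join(tmp, "privkey.pem")
    dh = os.path.join(tmp, "dh.pem")
    # Placeholder PEM bodies (constructed for the example; not real certificates or keys).
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n")
    with open(dh, "w") as fh:
        fh.write("-----BEGIN DH PARAMETERS-----\nMIIB...placeholder...\n-----END DH PARAMETERS-----\n")
    os.chmod(cert, 0o444)   # the permissions the wiki asks for
    os.chmod(key, 0o400)
    os.chmod(dh, 0o444)
    broken = f"ssl = yes\nssl_cert = {cert}\nssl_key = {key}\nssl_dh = {dh}\nssl_prefer_server_ciphers = no\n"
    fixed = f"ssl = yes\nssl_cert = <{cert}\nssl_key = <{key}\nssl_dh = <{dh}\nssl_prefer_server_ciphers = yes\n"
    return check_ssl_settings(parse_conf(broken)), check_ssl_settings(parse_conf(fixed))


if __name__ == "__main__":
    broken_findings, fixed_findings = demo()
    for setting, problem in broken_findings:
        print(f"as posted: {setting}: {problem}")
    print("corrected config findings:", fixed_findings)
```

Run against the posted configuration it reports all three file settings plus the cipher preference; against the `<path` form with `ssl_prefer_server_ciphers = yes` it reports nothing. A "file not found" or "permission denied" finding on a `<path` value points at the other cause the reply mentions, a missing file or an unsupported chroot, rather than at the `<` syntax.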