And as usually happens, right after posting this I found the problem by looking in the right place:
Oct 01 17:06:58 Error: pop3-login: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=199.73.114.98, lip=10.0.0.81, session=
fixed with:
root@relay: /etc/dovecot # openssl dhparam 4096 > dh.pem
sorry for the noise.
On 2019-10-01 17:05, paul via dovecot wrote:
Just applied Debian SSL updates, due to vulnerabilities reported:
"Package : openssl CVE ID : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563
Three security issues were discovered in OpenSSL: A timing attack against ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default.
For the oldstable distribution (stretch), these problems have been fixed in version 1.1.0l-1~deb9u1.
For the stable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u1."
I am running Buster. Upon installing these updates, Dovecot immediately stopped allowing authentication:
Oct 1 16:47:11 relay monit[539]: 'dovecot' failed protocol test [IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error: error:00000000:lib(0):func(0):reason(0)
Oct 1 16:50:22 relay monit[539]: 'dovecot' failed protocol test [IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error: error:00000000:lib(0):func(0):reason(0)
and
Oct 01 16:51:18 imap-login: Info: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=71.198.57.170, lip=10.0.0.81, session=<0EdTB+KT+/NHxjmq>
Each time this occurs, dovecot restarts:
Oct 01 16:50:23 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 16:50:42 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 16:51:10 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 16:53:35 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 16:56:46 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 16:59:57 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
Oct 01 17:03:08 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up for pop3, imap (core dumps disabled)
I am at a loss. Dovecot had been working fine for ages. It's not clear to me why a routine SSL update would completely break it. I'm unclear how to proceed. This is a small personal server, but nevertheless I have a number of people using it who rely on it.
Here is my local.conf (I added the ssl_protocols and ssl_min_protocol entries just a few minutes ago while attempting to resolve this):
auth_cache_size = 100 k
auth_cache_ttl = 12 hours
auth_cache_negative_ttl = 12 hours
auth_cache_verify_password_with_worker = yes
auth_verbose = yes
auth_failure_delay = 7 secs
default_client_limit = 500
default_process_limit = 50
default_vsz_limit = 100 M
verbose_proctitle = yes
protocols = pop3 imap
pop3_uidl_format = %08Xu%08Xv
imap_idle_notify_interval = 244 secs
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot-error.log
maildir_very_dirty_syncs = yes
mail_location = maildir:~/Maildir
mailbox_idle_check_interval = 244 secs
mailbox_list_index = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/deny
  deny = yes
}
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
service auth {
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
protocol imap {
  mail_max_userip_connections = 20
}
service imap {
  unix_listener imap-master {
    user = dovecot
  }
}
imap_hibernate_timeout = 1 mins
service imap {
  extra_groups = dovenull
}
service imap-hibernate {
  unix_listener imap-hibernate {
    mode = 0660
    group = dovenull
  }
}
ssl = required
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_min_protocol = TLSv1
ssl_dh =
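The "dh key too small" error in the fix message above is OpenSSL's security-level check rejecting the server's DH parameters: at security level 2 (which Debian's openssl.cnf for buster selects by default via CipherString = DEFAULT@SECLEVEL=2) anything under 2048 bits is refused, so Dovecot's login processes fail to build their SSL context and the master keeps restarting them. The reply's fix, regenerating the parameters at 4096 bits, is one instance of the general check below. This is an added example, not code from the thread or from the Dovecot project: it reads the bit length out of an existing PEM file, decides whether it meets a floor, regenerates it only when needed, and prints the Dovecot 2.3 ssl_dh line that should point at it. The file path /etc/dovecot/dh.pem, the 2048-bit floor and the 4096-bit regeneration size are assumptions, and the script is meant to be run as root on the mail server.

```shell
#!/bin/sh
# Added example (not from the original thread): check that a Dovecot DH
# parameter file is large enough for OpenSSL's security level, and
# regenerate it only if it is not. The path and bit sizes are assumptions.
set -eu

# Print the bit length of the prime in a PEM DH parameter file.
# Both OpenSSL 1.1.1 and 3.x print a line like "DH Parameters: (2048 bit)".
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed if FILE is readable, parses as DH parameters, and its prime has
# at least MIN bits (default 2048, the floor at OpenSSL security level 2).
dh_ok() {
    file=$1; min=${2:-2048}
    [ -r "$file" ] || return 1
    bits=$(dh_bits "$file")
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Regenerate FILE with BITS-bit safe-prime parameters when dh_ok fails.
# Safe-prime generation at 4096 bits takes minutes; write to a temp file
# and rename so a half-written dh.pem is never picked up by Dovecot.
ensure_dh() {
    file=$1; min=${2:-2048}; bits=${3:-4096}
    if dh_ok "$file" "$min"; then
        echo "ok: $file has $(dh_bits "$file")-bit DH parameters" >&2
        return 0
    fi
    tmp=$(mktemp "$file.XXXXXX")
    openssl dhparam -out "$tmp" "$bits"
    chmod 0644 "$tmp"
    mv "$tmp" "$file"
    echo "regenerated: $file ($bits bits)" >&2
}

# The Dovecot 2.3 setting that points at the file. The leading '<' tells
# Dovecot to read the setting's value from that file.
dovecot_ssl_dh_line() {
    printf 'ssl_dh = <%s\n' "$1"
}

# Usage: sh check_dh.sh run [/path/to/dh.pem]
if [ "${1:-}" = "run" ]; then
    target=${2:-/etc/dovecot/dh.pem}
    ensure_dh "$target" 2048 4096
    dovecot_ssl_dh_line "$target"
fi
```

After the script reports "ok" or "regenerated", put the printed ssl_dh line into local.conf (the posted config ends with an empty ssl_dh=, which is exactly the setting that needs to name the file), run `doveconf -n | grep ssl_dh` to confirm Dovecot sees it, restart dovecot, and verify the handshake completes with `openssl s_client -connect localhost:993 -quiet` instead of the "TLS initialization failed" disconnect seen in the logs.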