Aki hello, thank you. Hopefully excerpts and top posting are acceptable in the mailing list? On that assumption: Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy. I also restored my backup 10-ssl.conf. It indeed has the "<" sign with a space before the explicit paths to the files: ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem ssl_key = </etc/certbot/live/privustech.com/privkey.pem It returns several complaints after restarting dovecot which I addressed: https://wiki2.dovecot.org/Upgrading/2.3 https://github.com/dovecot/core/blob/master/doc/example-config/conf .d/10-ssl.conf • Changed ssl_protocols to ssl_min_protocol = TLSv1 • Added ssl_dh = </etc/dovecot/dh.pem and check it with cat. It reads as a properly hashed DH PARAMETERS file. At this point we are back to the complaint about ssl_cert: Permission denied. The certificates are root:root 0777 and of course dovecot is running as root. The conf files are andy:user 0644. The documentation says
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root However if I remove the < then dovecot starts up correctly. I delete them one at a time, test, and it shows that file read, but then fails on the next. So carry on. After the ssl_cert and ssl_key < are removed dovecot runs (ssl_dh still has <): Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server. Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp But then logging in imap fails: open(old-stats-user) failed: Permission denied The documentation for 2.3 says to remove stats from mail-plugin settings, but I do not find that in either dovecot.conf or 10-mail.conf. The mail system is working correctly. Mail is received and stored in /home/alavarre/Maildir/new I'm sure it's something simple, since it worked before the version upgrade. So maybe the answer is just go back to the older version... :-(
Thanks again. Andy
Here are the results of addressing your suggestions, thank you again:
>You should set ssl_prefer_server_ciphers = yes
Done. No change in status however...
>>4. We do NOT include the less than (<) symbol before the paths
because then dovecot fails to load complaining it cannot find the
files.
> Yes, this is probably indication that you are missing the files
The files are not missing or corrupted. cat shows apparently
properly hashed certificates and keys.
>or are chrooting dovecot in unsupported way. Not including the <
symbol will not help with this.
Mmmmm:
https://wiki.archlinux.org/index.php/Chroot
I did not intentionally or explicitly chroot dovecot. However, it
is possible that yast2 may have done this to perform the upgrade from
Leap 42.3 to 15.0 and didn't undo it?
However, this does not seem to have happened:
https://stackoverflow.com/questions/75182/detecting-a-chroot-
jail-from-within
stat indicates that root is indeed the normal root:
stat -c %i /
returns 2. (But thanks for the education! :-) I now know
about chroot...)
>You should use
> ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem > ssl_key =</etc/certbot/live/privustech.com/privkey.pem> ssl_dh =</etc/dovecot/dh.pem
When I do that (= <, with) or (=< without) a space between = and < and try restarting dovecot I receive:
Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: ssl_cert: Can't open file /etc/certbot/live/privustech.com/fullchain.pem: Permission denied
However if I remove the < then dovecot starts up correctly:
Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server. Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp But then logging in imap fails:
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<D6gm3f18gcZrazzb>
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<XWQo3f18IcVrazzb>I'm inclined to think that the "less than" symbol is the problem. The
documentation says
the <paths/to/files "are relative to the currently parsed
config file's directory (/etc/dovecot/conf.d), similar to how !include
works. The file is read immediately whenever parsing the configuration
file." It also shows a space between = and <.
By that logic I should use
ssl_cert = <../../certbot/live/privustech.com/fullchain.pem
ssl_key = <../../certbot/live/privustech.com/privkey.pem
ssl_dh = <../../dovecot/dh.pem
but this doesn't work either. Restoring the explicit path without <
gets us back to dovecot starting up but not able to log in with imap...
On Fri, 2018-12-14 at 07:19 +0200, Aki Tuomi wrote:
> >
> > On 14 December 2018 at 02:12 "C. Andrews Lavarre"
> > om> wrote:
> >
> >
> > Problem:
> > We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But
> > we
> > upgraded openSUSE to Leap 15.0.
> > In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no
> > longer
> > works and I haven't figured out how to downgrade to the older
> > working
> > version.
> >
> > The key issue seems to be the change to requiring dh.pem and
> > changing s
> > sl_protocols to ssl_min_protocols. I think I've navigated both
> > correctly, but it still doesn't work.
> > The error is
> > auth: Error: stats: open(old-stats-user) failed:
> > Permission denied
> >
> > as a consequence of which we get
> > imap-login: Error: Failed to initialize SSL server
> > context: Can't
> > load SSL certificate: There is no valid PEM certificate.
> >
> > We have followed the instructions at https://wiki.dovecot.o
> > rg/S
> > SL/DovecotConfiguration
> > 1. We have created /etc/dovecot/dh.pem (yes it took five
> > hours)
> >
> > 2. We have edited 10-ssl.conf as directed by the Wiki:
> > ssl = yes
> > ssl_cert =
> > /etc/certbot/live/privustech.com/fullchain.pem
> > ssl_key =
> > /etc/certbot/live/privustech.com/privkey.pem
> > ssl_dh = /etc/dovecot
> /dh.pem #(yes, it took five hours to create...)
>
>
> Hi! You should use
>
> ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
> ssl_key =</etc/certbot/live/privustech.com/privkey.pem
> ssl_dh =</etc/dovecot/dh.pem
>
> >
> > ssl_min_protocol = TLSv1
> > ssl_cipher_list =
> > ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PS
> > K:!RC4:!ADH:!LOW@STRENGTH
> > ssl_prefer_server_ciphers = no
> >
> You should set ssl_prefer_server_ciphers = yes.
>
> >
> > 3. We have checked 10-ssl.conf against the 2.3 default at
> > https://github.com/dovecot/core/blob/master/doc/example
> > -config/conf.d/10-ssl.conf
> >
> > 4. We do NOT include the less than (<) symbol before the paths
> > because then dovecot fails to load complaining it cannot find the
> > files.
> >
> Yes, this is probably indication that you are missing the files or
> are chrooting dovecot in unsupported way. Not including the < symbol
> will not help with this.
>
> >
> > 5. we have checked all the pem keys, certificates, and dh
> > files with cat, they all exist and are in the expected hash format.
> >
> > 6. We have followed the instructions to set their permissions
> > root:root 0444 and 0400 accordingly.
> > 7. We have rebooted the host.
> >
> This is correct.
>
> >
> > Any help or clues would be most appreciated.
> >
> > Kind regards, Andy
> >