Aki hello, thank you. Hopefully excerpts and top posting are acceptable in the mailing list? 

On that assumption:

Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy.

I also restored my backup 10-ssl.conf. It indeed has the "<" sign with a space before the explicit paths to the files:
    ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
    ssl_key = </etc/certbot/live/privustech.com/privkey.pem

 It returns several complaints after restarting dovecot which I addressed:
    https://wiki2.dovecot.org/Upgrading/2.3
    https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
• Changed ssl_protocols to ssl_min_protocol = TLSv1
• Added ssl_dh = </etc/dovecot/dh.pem and checked it with cat. It reads as a properly hashed DH PARAMETERS file.
At this point we are back to the complaint about ssl_cert: Permission denied. 
    The certificates are root:root 0777 and of course dovecot is running as root. The conf files are andy:user 0644.
    The documentation says        
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root

However if I remove the < then dovecot starts up correctly.  
    I delete them one at a time, test, and it shows that file read, but then fails on the next. So carry on. After the ssl_cert and ssl_key  < are removed dovecot runs (ssl_dh still has <):
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) 
    starting up for imap, pop3, lmtp

	But then logging in imap fails:
		open(old-stats-user) failed: Permission denied
	The documentation for 2.3 says to remove stats from mail-plugin settings, but I do not find that in either dovecot.conf or 10-mail.conf.

The mail system is working correctly. Mail is received and stored in /home/alavarre/Maildir/new

I'm sure it's something simple, since it worked before the version upgrade. So maybe the answer is just go back to the older version... :-(

Thanks again.
Andy

~~~~
Here are the results of addressing your suggestions, thank you again:

>You should set ssl_prefer_server_ciphers = yes
Done. No change in status however...

>>4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.
> Yes, this is probably indication that you are missing the files
    The files are not missing or corrupted. cat shows apparently properly hashed certificates and keys.

>or are chrooting dovecot in unsupported way. Not including the < symbol will not help with this.
Mmmmm:
      https://wiki.archlinux.org/index.php/Chroot
    I did not intentionally or explicitly chroot dovecot. However, it is possible that yast2 may have done this to perform the upgrade from Leap 42.3 to 15.0 and didn't undo it?
    However, this does not seem to have happened:
          https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within
   stat indicates that root is indeed the normal root:
     stat -c %i /
              returns 2. (But thanks for the education! :-) I now know about chroot...)

>You should use
> ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
> ssl_key =</etc/certbot/live/privustech.com/privkey.pem
> ssl_dh =</etc/dovecot/dh.pem

When I do that, with (= <) or without (=<) a space between = and <, and try restarting dovecot I receive:
    Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16:
    ssl_cert: Can't open file /etc/certbot/live/privustech.com/fullchain.pem:
    Permission denied

However if I remove the < then dovecot starts up correctly:
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634)
    starting up for imap, pop3, lmtp

	But then logging in imap fails:
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<D6gm3f18gcZrazzb>
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<XWQo3f18IcVrazzb>

I'm inclined to think that the "less than" symbol is the problem. The documentation says the <paths/to/files "are relative to the currently parsed config file's directory (/etc/dovecot/conf.d), similar to how !include works. The file is read immediately whenever parsing the configuration file." It also shows a space between = and <.
By that logic I should use
           ssl_cert = <../../certbot/live/privustech.com/fullchain.pem
           ssl_key = <../../certbot/live/privustech.com/privkey.pem
           ssl_dh = <../../dovecot/dh.pem
    but this doesn't work either. Restoring the explicit path without < gets us back to dovecot starting up but not able to log in with imap...


On Fri, 2018-12-14 at 07:19 +0200, Aki Tuomi wrote:
>> On 14 December 2018 at 02:12 "C. Andrews Lavarre" <alavarre@gmail.com> wrote:
>>
>> Problem: We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we upgraded openSUSE to Leap 15.0. In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer works and I haven't figured out how to downgrade to the older working version.
>>
>> The key issue seems to be the change to requiring dh.pem and changing ssl_protocols to ssl_min_protocols. I think I've navigated both correctly, but it still doesn't work.
>>
>> The error is
>>     auth: Error: stats: open(old-stats-user) failed: Permission denied
>> as a consequence of which we get
>>     imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.
>>
>> We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
>>
>> 1. We have created /etc/dovecot/dh.pem (yes it took five hours)
>> 2. We have edited 10-ssl.conf as directed by the Wiki:
>>     ssl = yes
>>     ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
>>     ssl_key = /etc/certbot/live/privustech.com/privkey.pem
>>     ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...)
>
> Hi! You should use
>     ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
>     ssl_key =</etc/certbot/live/privustech.com/privkey.pem
>     ssl_dh =</etc/dovecot/dh.pem
>
>>     ssl_min_protocol = TLSv1
>>     ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>>     ssl_prefer_server_ciphers = no
>
> You should set ssl_prefer_server_ciphers = yes.
>
>> 3. We have checked 10-ssl.conf against the 2.3 default at https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
>> 4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.
>
> Yes, this is probably indication that you are missing the files or are chrooting dovecot in unsupported way. Not including the < symbol will not help with this.
>
>> 5. we have checked all the pem keys, certificates, and dh files with cat, they all exist and are in the expected hash format.
>> 6. We have followed the instructions to set their permissions root:root 0444 and 0400 accordingly.
>> 7. We have rebooted the host.
>
> This is correct.
>
>> Any help or clues would be most appreciated. Kind regards, Andy
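
An added example, not part of the original thread and not Dovecot's own code: a small lint for the ssl_cert, ssl_key and ssl_dh lines discussed above. It flags a value without the leading "<", a file that cannot be opened, a file with no PEM header, and a key file readable by group or other. The function names, the sample config and /etc/example/fullchain.pem are constructed for illustration.

```python
import os
import re
import tempfile

PEM_SETTINGS = ("ssl_cert", "ssl_key", "ssl_dh")

def lint_ssl_conf(conf_path):
    """Return (setting, finding) tuples for the PEM settings in a Dovecot conf file."""
    findings = []
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as fh:
        for line in fh:
            m = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
            if not m or m.group(1) not in PEM_SETTINGS:
                continue  # comments and unrelated settings
            name, value = m.groups()
            if not value.startswith("<"):
                # Without '<' the text after '=' is itself taken as the PEM data.
                findings.append((name, "no '<': value is not read from a file"))
                continue
            # A relative path resolves against the config file's directory.
            path = os.path.join(conf_dir, value[1:].strip())
            try:
                with open(path) as pem:
                    body = pem.read()
            except OSError as exc:
                findings.append((name, f"cannot open {path}: {exc.strerror}"))
                continue
            if "-----BEGIN " not in body:
                findings.append((name, f"{path} has no PEM header"))
            if name == "ssl_key" and os.stat(path).st_mode & 0o077:
                findings.append((name, f"{path} is readable by group or other"))
    return findings

def demo():
    """Constructed sample config: bare path, loose key mode, missing DH file."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "privkey.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o644)
        conf = os.path.join(d, "10-ssl.conf")
        with open(conf, "w") as fh:
            fh.write("ssl = yes\nssl_cert = /etc/example/fullchain.pem\n"
                     f"ssl_key = <{key}\nssl_dh = <dh.pem\n")
        return lint_ssl_conf(conf)

if __name__ == "__main__":
    for setting, finding in demo():
        print(f"{setting}: {finding}")
```

The open() result reflects the permissions of whichever user runs the script, so run it as the account that starts Dovecot.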