On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
Greetings, I have had to reinstall my email server on another Linux (centos 7.6) VPS, with a newer version of dovecot, other software and a brand new letsencrypt certificate just for email withpostfix and dovecot (that certificate works fine with postfix). Output of dovecot --version and dovecot -n on the new server is below.
Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from https://weakdh.org/sysadmin.html
ssl = yes
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
#regenerates every week ssl_dh_parameters_length = 2048
ssl_cert = </etc/pki/tls/certs/XXXXXXX+chain-crt.pem ssl_key = </etc/pki/tls/private/XXXXXXX-key.pem
My hook script for letsencrypt copies the cert and key into /etc/pki/tls/. Check to make sure selinux is not denying access to /etc/letsencrypt for dovecot.
You can also test with gnutls-cli or openssl. E.g.
openssl s_client -host imap.XXXXX -port 993 or gnutls-cli --port 993 imap.XXXXX
-- Greg