On 31.10.2017 15:00, Reuben Farrelly wrote:
Hi,
On 30/10/2017 7:22 PM, dovecot-request@dovecot.org wrote:
Message: 6 Date: Mon, 30 Oct 2017 10:22:42 +0200 From: Teemu Huovila <teemu.huovila@dovecot.fi> To: dovecot@dovecot.org Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96@dovecot.fi> Content-Type: text/plain; charset=utf-8
On 30.10.2017 09:10, Aki Tuomi wrote:
On 30.10.2017 00:23, Reuben Farrelly wrote:
Hi Aki,
On 30/10/2017 12:43 AM, Aki Tuomi wrote:
On October 29, 2017 at 1:55 PM Reuben Farrelly <reuben-dovecot@reub.net> wrote:
Hi again,
Chasing down one last problem which seems to have been missed from my last email:
On 20/10/2017 9:22 PM, Stephan Bosch wrote: > > Op 20-10-2017 om 4:23 schreef Reuben Farrelly: >> On 18/10/2017 11:40 PM, Timo Sirainen wrote: >>> On 18 Oct 2017, at 6.34, Reuben Farrelly >>> <reuben-dovecot@reub.net> >>> wrote: This problem below is still present in 2.3 -git, as of version 2.3.devel (6fc40674e)
>>> Secondly, this ssl_dh messages is always printed from doveconf: >>> >>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>> doveconf: Warning: You can generate it with: dd >>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>> -inform der > /etc/dovecot/dh.pem >>> >>> Yet the file is there: >>> >>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem >>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem >>> >>> And the config is there as well: >>> >>> thunderstorm dovecot # doveconf -P | grep ssl_dh >>> ssl_dh = </etc/dovecot/dh.pem >>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>> doveconf: Warning: You can generate it with: dd >>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>> -inform der > /etc/dovecot/dh.pem >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>> thunderstorm dovecot # >>> >>> It appears that this warning is being triggered by the >>> presence of >>> the ssl-parameters.dat file because when I remove it the warning >>> goes away. Perhaps the warning could be made a bit more specific >>> about this file being removed if it is not required because at >>> the >>> moment the warning message is not related to the trigger. >>> >>> Thanks, >>> Reuben Thanks, Reuben It is triggered when there is ssl-parameters.dat file *AND* there is no ssl_dh=< explicitly set in config file.
Aki
I have this already in my 10-ssl.conf file:
lightning dovecot # /etc/init.d/dovecot reload doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem ?* Reloading dovecot configs and restarting auth/login processes ...????? [ ok ] lightning dovecot #
However:
lightning dovecot # grep ssl_dh conf.d/10-ssl.conf # gives on startup when ssl_dh is unset. ssl_dh=</etc/dovecot/dh.pem lightning dovecot #
and the file is there:
lightning dovecot # ls -la /etc/dovecot/dh.pem -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem lightning dovecot #
So it is actually configured and yet the warning still is present.
Reuben
Hi!
I gave this a try, and I was not able to repeat this issue. Perhaps you are still missing ssl_dh somewhere?
Aki
Hello
Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present.
br, Teemu
I still can't see anything amiss. Here's the output from doveconf -n:
# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.devel (f4659224) # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1 auth_mechanisms = plain login auth_socket_path = /var/run/dovecot/auth-userdb auth_username_format = %Ln doveadm_password = # hidden, use -P to show it first_valid_uid = 1000 imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep last_valid_uid = 1100 login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k login_trusted_networks = 192.168.0.0/16 mail_location = maildir:~/Maildir mail_plugins = stats notify replication fts fts_lucene managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = failure_show_msg=yes %s driver = pam } plugin { fts = lucene fts_autoindex = yes fts_languages = en fts_lucene = whitespace_chars=@. mail_replica = tcps:inside-mail.reub.net:4813 replication_full_sync_interval = 4 hours sieve = file:~/sieve;active=~/.dovecot.sieve stats_refresh = 30 secs stats_track_cmds = yes } protocols = imap lmtp sieve recipient_delimiter = - service aggregator { fifo_listener replication-notify-fifo { mode = 0666 user = root } unix_listener replication-notify { mode = 0666 user = root } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { mode = 0777 } } service doveadm { inet_listener { address = 2400:8901:e001:3a::20 port = 4813 ssl = yes } user = root } service imap { executable = imap postlogin } service lmtp { inet_listener lmtp { address = ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } } service postlogin { executable = script-login -d rawlog } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } service stats { fifo_listener stats-mail { mode = 0666 } } ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt ssl_cert = </etc/ssl/dovecot/*.reub.net.crt ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5 ssl_client_ca_dir = /etc/ssl/certs ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 !TLSv1 userdb { driver = passwd } protocol lmtp { mail_plugins = stats notify replication fts fts_lucene sieve ssl_dh = # hidden, use -P to show it } protocol !indexer-worker { ssl_dh = # hidden, use -P to show it } protocol lda { mail_plugins = stats notify replication fts fts_lucene sieve ssl_dh = # hidden, use -P to show it } protocol imap { mail_plugins = stats notify replication fts fts_lucene imap_stats ssl_dh = # hidden, use -P to show it } protocol sieve { ssl_dh = # hidden, use -P to show it } protocol pop3 { ssl_dh = # hidden, use -P to show it }
And showing with -P as an example:
protocol pop3 { ssl_dh = -----BEGIN DH PARAMETERS----- MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s ... AAAAAAAAAAAAAAAAAAAAAAAAAAA= -----END DH PARAMETERS-----
There is a single set of valid DH parameters for every protocol as listed above.
It seems odd that ssl_dh is defined all of these protocols specifically too. This specific per-protocol definition of ssl_dh isn't specified in any config file.
Reuben
Can you try with doveconf -nP and ensure all those ssl_dh lines are of form ssl_dh =</file?
Aki