Re: BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
hi,
On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
> I had the same problem when migrating from Dovecot V2.2.36 on Centos-7 to Dovecot v2.3.8 on Centos-8
My report is specifically/solely about the addition/use of the
Options = ServerPreference
parameter.
I don't see that in your configuration.
Are you using it? In a config using Dovecot's submission proxy?
Hi,
In my Centos-8 server, it was not necessary to use the "Options = ServerPreference" parameter.
My openssl.conf looks like this:

    openssl_conf = default_modules

    [ default_modules ]
    ssl_conf = ssl_module

    [ ssl_module ]
    system_default = crypto_policy

    [ crypto_policy ]
    .include /etc/crypto-policies/back-ends/opensslcnf.config

And /etc/crypto-policies/back-ends/opensslcnf.config:

    CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
    Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
    MinProtocol = TLSv1.1
    MaxProtocol = TLSv1.3

Regards
-- -- Jean-Paul Chapalain - Arkea - DEXT/IAAS -- 1 rue Louis Lichou - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE -- +33298002873 (int:302873) -- Pgpkey=9f7a25a76f7e036a2c07fcb16eccd41c015d5fca
-- This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. As e-mails are susceptible to alteration, the issuer shall not be liable for the message if altered, changed or falsified.
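
The configuration in the message above is spread over two files joined by section indirection and an .include, so the effective MinProtocol is not visible in openssl.cnf itself. The following is an added example, not part of the original thread or of OpenSSL/Dovecot code: a simplified reader that follows openssl_conf -> ssl_conf -> system_default and reports the resulting protocol range. The main file path, the shortened cipher string and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample: the two files as quoted in the thread (cipher string
# shortened). The main file's path is an assumption; the thread does not give it.
FILES = {
    "/etc/pki/tls/openssl.cnf": (
        "openssl_conf = default_modules\n[ default_modules ]\n"
        "ssl_conf = ssl_module\n[ ssl_module ]\n"
        "system_default = crypto_policy\n[ crypto_policy ]\n"
        ".include /etc/crypto-policies/back-ends/opensslcnf.config\n"),
    "/etc/crypto-policies/back-ends/opensslcnf.config": (
        "CipherString = @SECLEVEL=2:kEECDH:kRSA:!eNULL:!aNULL:!MD5\n"
        "MinProtocol = TLSv1.1\nMaxProtocol = TLSv1.3\n"),
}
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse(path, read, sections=None, current="default"):
    """Simplified openssl.cnf reader: sections, key = value, .include <file>."""
    sections = {} if sections is None else sections
    sections.setdefault(current, {})
    for raw in read(path).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := re.fullmatch(r"\.include\s*=?\s*(\S+)", line):
            # Included keys land in the section that contains the directive.
            parse(m.group(1), read, sections, current)
        elif m := re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line):
            sections[current][m.group(1)] = m.group(2)
    return sections

def system_default(main_path, read=FILES.__getitem__):
    """Follow openssl_conf -> ssl_conf -> system_default to the settings."""
    s = parse(main_path, read)
    name = s["default"]["openssl_conf"]
    for key in ("ssl_conf", "system_default"):
        name = s[name][key]
    return s[name]

def enabled_versions(settings):
    """Versions in [MinProtocol, MaxProtocol]; a missing bound is treated as open (assumption)."""
    lo = VERSIONS.index(settings.get("MinProtocol", VERSIONS[0]))
    hi = VERSIONS.index(settings.get("MaxProtocol", VERSIONS[-1]))
    return VERSIONS[lo:hi + 1]

if __name__ == "__main__":
    print(enabled_versions(system_default("/etc/pki/tls/openssl.cnf")))
```

To inspect a real host instead of the embedded sample, pass read=lambda p: open(p).read() to system_default().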
Hi,
In my case, it's the value for MinProtocol that was wrong: it must be TLSv1.1
Regards
On 10/1/20 8:52 AM, JEAN-PAUL CHAPALAIN wrote:
> In my Centos-8 server, it was not necessary to use the "Options = ServerPreference" parameter.
sry, then i'm unclear re: the point you're trying to make.
this issue is ONLY about the problem re: THAT parameter's use, not re: general SSL error messages/causes.