dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Hi,
On 30/10/2017 7:22 PM, dovecot-request@dovecot.org wrote:
Message: 6
Date: Mon, 30 Oct 2017 10:22:42 +0200
From: Teemu Huovila <teemu.huovila@dovecot.fi>
To: dovecot@dovecot.org
Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96@dovecot.fi>
Content-Type: text/plain; charset=utf-8
On 30.10.2017 09:10, Aki Tuomi wrote:
On 30.10.2017 00:23, Reuben Farrelly wrote:
Hi Aki,
On 30/10/2017 12:43 AM, Aki Tuomi wrote:
On October 29, 2017 at 1:55 PM Reuben Farrelly <reuben-dovecot@reub.net> wrote:
Hi again,
Chasing down one last problem which seems to have been missed from my last email:
On 20/10/2017 9:22 PM, Stephan Bosch wrote:
On 20-10-2017 at 4:23, Reuben Farrelly wrote:
On 18/10/2017 11:40 PM, Timo Sirainen wrote:
On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot@reub.net> wrote:
This problem below is still present in 2.3 -git, as of version 2.3.devel (6fc40674e)
Secondly, this ssl_dh message is always printed from doveconf:

doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem

Yet the file is there:

thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem

And the config is there as well:

thunderstorm dovecot # doveconf -P | grep ssl_dh
ssl_dh = </etc/dovecot/dh.pem
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
thunderstorm dovecot #

It appears that this warning is being triggered by the presence of the ssl-parameters.dat file, because when I remove it the warning goes away. Perhaps the warning could be made a bit more specific about this file being removed if it is not required, because at the moment the warning message is not related to the trigger.

Thanks,
Reuben

Thanks,
Reuben

It is triggered when there is an ssl-parameters.dat file *AND* there is no ssl_dh=< explicitly set in the config file.
Aki
I have this already in my 10-ssl.conf file:
lightning dovecot # /etc/init.d/dovecot reload
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem
 * Reloading dovecot configs and restarting auth/login processes ... [ ok ]
lightning dovecot #
However:
lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
# gives on startup when ssl_dh is unset.
ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #
and the file is there:
lightning dovecot # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
lightning dovecot #
So it is actually configured and yet the warning still is present.
Reuben
Hi!
I gave this a try, and I was not able to repeat this issue. Perhaps you are still missing ssl_dh somewhere?
Aki
Hello
Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present.
br, Teemu
I still can't see anything amiss. Here's the output from doveconf -n:
# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password = # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = failure_show_msg=yes %s
  driver = pam
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_languages = en
  fts_lucene = whitespace_chars=@.
  mail_replica = tcps:inside-mail.reub.net:4813
  replication_full_sync_interval = 4 hours
  sieve = file:~/sieve;active=~/.dovecot.sieve
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = root
  }
  unix_listener replication-notify {
    mode = 0666
    user = root
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0777
  }
}
service doveadm {
  inet_listener {
    address = 2400:8901:e001:3a::20
    port = 4813
    ssl = yes
  }
  user = root
}
service imap {
  executable = imap postlogin
}
service lmtp {
  inet_listener lmtp {
    address = ::1
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service postlogin {
  executable = script-login -d rawlog
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0666
  }
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = stats notify replication fts fts_lucene sieve
  ssl_dh = # hidden, use -P to show it
}
protocol !indexer-worker {
  ssl_dh = # hidden, use -P to show it
}
protocol lda {
  mail_plugins = stats notify replication fts fts_lucene sieve
  ssl_dh = # hidden, use -P to show it
}
protocol imap {
  mail_plugins = stats notify replication fts fts_lucene imap_stats
  ssl_dh = # hidden, use -P to show it
}
protocol sieve {
  ssl_dh = # hidden, use -P to show it
}
protocol pop3 {
  ssl_dh = # hidden, use -P to show it
}
And showing with -P as an example:
protocol pop3 {
  ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----
There is a single set of valid DH parameters for every protocol as listed above.
It seems odd that ssl_dh is defined for all of these protocols specifically too. This per-protocol definition of ssl_dh isn't specified in any config file.
Reuben
On 31.10.2017 15:00, Reuben Farrelly wrote:
Can you try with doveconf -nP and ensure all those ssl_dh lines are of form ssl_dh =</file?
Aki
Hi again,
On 1/11/2017 12:01 AM, Aki Tuomi wrote:
That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file. See here:
lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #
The rest of them must be being inherited from that statement above.
But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output. Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled. Something buggy with backwards compatibility perhaps?
[Also tested with latest 2.3 -git as of today - same result]
Reuben
On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot@reub.net> wrote:
Looks like this is pretty easily reproducible:
a) ok:
printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo

b) not ok:
printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
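The comparison Reuben made by hand above (grep ssl_dh over the config files versus the ssl_dh lines doveconf -n prints inside every protocol block) as a small script. This is an added example, not code from the thread or from Dovecot; it parses the brace-nested key = value syntax shared by dovecot.conf and doveconf -n/-nP output, assumes the config is supplied as one text (no !include handling), and uses constructed sample input modelled on the thread and on Timo's minimal reproduction.

```python
"""Report blocks where doveconf -n shows ssl_dh although the admin's config never set it there."""

# Constructed config, modelled on the thread: ssl_dh is set only at global scope,
# and the empty "protocol imap {}" block is Timo's minimal reproduction.
CONFIG_TEXT = """\
# gives on startup when ssl_dh is unset.
ssl_dh=</etc/dovecot/dh.pem
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
protocol imap {
}
"""

# Constructed doveconf -n style output showing the symptom: ssl_dh is echoed
# inside protocol blocks, and one block (as with -P) carries the PEM inline.
DOVECONF_N_TEXT = """\
# 2.3.devel (example): /etc/dovecot/dovecot.conf
ssl_dh = # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
protocol imap {
  mail_plugins = stats notify
  ssl_dh = # hidden, use -P to show it
}
protocol !indexer-worker {
  ssl_dh = # hidden, use -P to show it
}
protocol pop3 {
  ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
-----END DH PARAMETERS-----
}
"""


def parse_doveconf(text):
    """Return (block_path, key, value) triples; block_path is a tuple such as ('protocol imap',).

    Comment and blank lines are skipped. A multi-line PEM value, as printed by
    doveconf -P, is joined back into one value up to and including its END marker.
    """
    lines = text.splitlines()
    stack, entries, i = [], [], 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):          # block opener, e.g. "protocol imap {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":                 # block closer
            stack.pop()
            continue
        key, _, value = line.partition("=")   # split on the first "=" only
        key, value = key.strip(), value.strip()
        if value.startswith("-----BEGIN"):    # gather PEM continuation lines
            pem = [value]
            while i < len(lines):
                pem.append(lines[i].strip())
                i += 1
                if pem[-1].startswith("-----END"):
                    break
            value = "\n".join(pem)
        entries.append((tuple(stack), key, value))
    return entries


def setting_paths(text, key):
    """Set of block paths in which `key` is assigned; () means the global scope."""
    return {path for path, k, _ in parse_doveconf(text) if k == key}


def inherited_ssl_dh(config_text, doveconf_text):
    """Blocks where doveconf reports ssl_dh but the admin's own config does not set it."""
    configured = setting_paths(config_text, "ssl_dh")
    reported = setting_paths(doveconf_text, "ssl_dh")
    return sorted(" ".join(p) or "<global>" for p in reported - configured)


if __name__ == "__main__":
    for block in inherited_ssl_dh(CONFIG_TEXT, DOVECONF_N_TEXT):
        print("ssl_dh reported by doveconf but not set in config:", block)
```

On a live system, feed it the concatenated conf.d files and the captured output of doveconf -n; an empty result means every ssl_dh line doveconf prints is one you actually wrote.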
On 02.11.2017 02:01, Timo Sirainen wrote:
Hi!
This has been fixed, see https://github.com/dovecot/core/commit/a70d867d1fe3584149811c65eb6213deb72be...
Aki