Hi Scott,

Am 19.06.24 um 06:41 schrieb Aki Tuomi via dovecot:

...

On 19/06/2024 06:58 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:

I'm on Debian 12.5 which comes with openssl 3.0.11

You can use the backport available from your trusty Debian maintainers: https://packages.debian.org/source/stable-backports/dovecot (currently 2.3.21+dfsg1-3~bpo12+1)

It has been patched to work with OpenSSL 3: https://sources.debian.org/patches/dovecot/1:2.3.21%2Bdfsg1-3~bpo12%2B1/Supp... and has some other upstream bugs fixed as well.

Kind regards, Daniel

Hi Scott,

Am 19.06.24 um 14:59 schrieb Scott Q.:

Thank you - just this patch ? Because I installed it and I get the same behavior unfortunately...

You need to install the whole set of backports packages and matching Debian OpenSSL packages (currently 3.0.11-1~deb12u2). That one patch alone will not help you much.

If you installed the backports packages from Debian and still see that bug, please use reportbug to file a bug with the Debian project.

Kind regards, Daniel

Hi Richard,

Am 21.06.24 um 06:20 schrieb Richard Hector via dovecot:

Is that the patch that Aki said doesn't always work?

I am sure Aki has some corner cases where Dovecot will not work with OpenSSL 3. That is one of the reasons Open-Xchange has not been releasing their community builds against Debian 12 (bookworm) cf. https://repo.dovecot.org/ce-2.3-latest/debian/ :

Index of /ce-2.3-latest/debian/ ../ bullseye/ 14-Sep-2023 11:41 buster/ 14-Sep-2023 11:41

If you do not use EC crypt for mail-crypt-plugin (or not encrypt stored mails at the dovecot level at all), you should be avoiding the most likely area of corner-cases by design.

I'm also on Debian 12.5 (recently upgraded), with debian-packaged dovecot, but I haven't seen any issues - should I be worried?

Debian has received no bug reports on that, so you can be reasonably sure it works well. Sysadmins running thousands of mail servers have tested before you.

If it makes you feel better, the patch originated from Red Hat and is included in their RHEL product as well: https://bugzilla.redhat.com/show_bug.cgi?id=1962035

Kind regards, Daniel

Answering my own question. It works although it's not enough to set compiler flags as per the docs to the custom openssl dir

I had to also add the library to ldconfig

Otherwise, it seems to work just fine.

Thank you all

On Wednesday, 19/06/2024 at 09:11 Scott Q. via dovecot wrote:

Thank you Aki.

do you know if I can compile it against openssl1.1.1w and also use mysql which is compiled against openssl 3.0 ?

On Wednesday, 19/06/2024 at 00:41 Aki Tuomi wrote:

Jun 18 20:50:01 mail kernel: Code: c2 31 d2 31 ff c3 66 0f 1f 44 00 00 31 d2 31 ff c3 0f 1f 00 31 c0 48 85 ff 74 41 48 8b 57 08 8b 87 8c 00 00 00 48 85 d2 74 22  8b 52 68 48 85 d2 74 19 48 83 ec 08 ff d2 31 d2 85 c0 0f 48 c2

Anyone encountered something similar and knows how to fix it ?

On 19/06/2024 06:58 EEST Scott Q. via dovecot  wrote:

   I'm on Debian 12.5 which comes with openssl 3.0.11

I compiled Dovecot 2.3.21 with some pretty vanilla options: /configure --prefix=/usr/local/dovecot --with-sql --with-mysql --with-docs --with-ssl --without-shadow --without-pam --without-ldap --without-pgsql --without-sqlite --with-systemd systemunitdir=/lib/systemd/system

when I connect to it via SSL it core-dumps:

Jun 18 20:50:01 mail kernel: imap-login[396438]: segfault at 69 ip 00007f2e5ee19556 sp 00007fffd7ca38f8 error 4 in libcrypto.so.3[7f2e5ecc5000+279000] likely on CPU 8 (core 8, socket

Dovecot 2.3 does not support OpenSSL3. It will be supported by 2.4.

Unfortunately the 2.3.21 shipped in Debian 12 is using a broken patch that does not always work. You should open an issue in Debian bug tracker for this.

Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org