dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Reuben Farrelly
reuben-dovecot at reub.net
Wed Nov 1 13:51:14 EET 2017
Hi again,
On 1/11/2017 12:01 AM, Aki Tuomi wrote:
>
> On 31.10.2017 15:00, Reuben Farrelly wrote:
>> Hi,
>>
>> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
>>> Message: 6
>>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>>> From: Teemu Huovila <teemu.huovila at dovecot.fi>
>>> To: dovecot at dovecot.org
>>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
>>> Content-Type: text/plain; charset=utf-8
>>>
>>>
>>>
>>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>>>
>>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>>> Hi Aki,
>>>>>
>>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi again,
>>>>>>>
>>>>>>> Chasing down one last problem which seems to have been missed
>>>>>>> from my
>>>>>>> last email:
>>>>>>>
>>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>>>>>>>>> <reuben-dovecot at reub.net>
>>>>>>>>>> wrote:
>>>>>>> This problem below is still present in 2.3 -git, as of version
>>>>>>> 2.3.devel
>>>>>>> (6fc40674e)
>>>>>>>
>>>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>>>>>>>>
>>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> Yet the file is there:
>>>>>>>>>>
>>>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> And the config is there as well:
>>>>>>>>>>
>>>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>>
>>>>>>>>>> It appears that this warning is being triggered by the
>>>>>>>>>> presence of
>>>>>>>>>> the ssl-parameters.dat file because when I remove it the warning
>>>>>>>>>> goes away. Perhaps the warning could be made a bit more specific
>>>>>>>>>> about this file being removed if it is not required because at
>>>>>>>>>> the
>>>>>>>>>> moment the warning message is not related to the trigger.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Reuben
>>>>>>> Thanks,
>>>>>>> Reuben
>>>>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>>>>> no ssl_dh=< explicitly set in config file.
>>>>>>
>>>>>> Aki
>>>>> I have this already in my 10-ssl.conf file:
>>>>>
>>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>> doveconf: Warning: You can generate it with: dd
>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>  * Reloading dovecot configs and restarting auth/login processes
>>>>> ... [ ok ]
>>>>> lightning dovecot #
>>>>>
>>>>> However:
>>>>>
>>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>>> # gives on startup when ssl_dh is unset.
>>>>> ssl_dh=</etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> and the file is there:
>>>>>
>>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> So it is actually configured and yet the warning still is present.
>>>>>
>>>>> Reuben
>>>> Hi!
>>>>
>>>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>>>> are still missing ssl_dh somewhere?
>>>>
>>>> Aki
>>>>
>>> Hello
>>>
>>> Just a guess, but at this point I would recommend reviewing the
>>> output of "doveconf -n" to make sure the appropriate settings are
>>> present.
>>>
>>> br,
>>> Teemu
>> I still can't see anything amiss. Here's the output from doveconf -n:
>>
>> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.devel (f4659224)
>> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release
>> 2.4.1
>> auth_mechanisms = plain login
>> auth_socket_path = /var/run/dovecot/auth-userdb
>> auth_username_format = %Ln
>> doveadm_password = # hidden, use -P to show it
>> first_valid_uid = 1000
>> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
>> last_valid_uid = 1100
>> login_log_format_elements = user=<%u> auth-method=%m remote=%r
>> local=%l %k
>> login_trusted_networks = 192.168.0.0/16
>> mail_location = maildir:~/Maildir
>> mail_plugins = stats notify replication fts fts_lucene
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>> inbox = yes
>> location =
>> mailbox Drafts {
>> special_use = \Drafts
>> }
>> mailbox Junk {
>> special_use = \Junk
>> }
>> mailbox Sent {
>> special_use = \Sent
>> }
>> mailbox "Sent Messages" {
>> special_use = \Sent
>> }
>> mailbox Trash {
>> special_use = \Trash
>> }
>> prefix =
>> }
>> passdb {
>> args = failure_show_msg=yes %s
>> driver = pam
>> }
>> plugin {
>> fts = lucene
>> fts_autoindex = yes
>> fts_languages = en
>> fts_lucene = whitespace_chars=@.
>> mail_replica = tcps:inside-mail.reub.net:4813
>> replication_full_sync_interval = 4 hours
>> sieve = file:~/sieve;active=~/.dovecot.sieve
>> stats_refresh = 30 secs
>> stats_track_cmds = yes
>> }
>> protocols = imap lmtp sieve
>> recipient_delimiter = -
>> service aggregator {
>> fifo_listener replication-notify-fifo {
>> mode = 0666
>> user = root
>> }
>> unix_listener replication-notify {
>> mode = 0666
>> user = root
>> }
>> }
>> service auth {
>> unix_listener /var/spool/postfix/private/auth {
>> group = postfix
>> mode = 0666
>> user = postfix
>> }
>> unix_listener auth-userdb {
>> mode = 0777
>> }
>> }
>> service doveadm {
>> inet_listener {
>> address = 2400:8901:e001:3a::20
>> port = 4813
>> ssl = yes
>> }
>> user = root
>> }
>> service imap {
>> executable = imap postlogin
>> }
>> service lmtp {
>> inet_listener lmtp {
>> address = ::1
>> port = 24
>> }
>> unix_listener /var/spool/postfix/private/dovecot-lmtp {
>> group = postfix
>> mode = 0660
>> user = postfix
>> }
>> }
>> service postlogin {
>> executable = script-login -d rawlog
>> }
>> service replicator {
>> process_min_avail = 1
>> unix_listener replicator-doveadm {
>> mode = 0666
>> }
>> }
>> service stats {
>> fifo_listener stats-mail {
>> mode = 0666
>> }
>> }
>> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
>> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
>> ssl_client_ca_dir = /etc/ssl/certs
>> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_dh = # hidden, use -P to show it
>> ssl_key = # hidden, use -P to show it
>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
>> userdb {
>> driver = passwd
>> }
>> protocol lmtp {
>> mail_plugins = stats notify replication fts fts_lucene sieve
>> ssl_dh = # hidden, use -P to show it
>> }
>> protocol !indexer-worker {
>> ssl_dh = # hidden, use -P to show it
>> }
>> protocol lda {
>> mail_plugins = stats notify replication fts fts_lucene sieve
>> ssl_dh = # hidden, use -P to show it
>> }
>> protocol imap {
>> mail_plugins = stats notify replication fts fts_lucene imap_stats
>> ssl_dh = # hidden, use -P to show it
>> }
>> protocol sieve {
>> ssl_dh = # hidden, use -P to show it
>> }
>> protocol pop3 {
>> ssl_dh = # hidden, use -P to show it
>> }
>>
>> And showing with -P as an example:
>>
>> protocol pop3 {
>> ssl_dh = -----BEGIN DH PARAMETERS-----
>> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
>> ...
>> AAAAAAAAAAAAAAAAAAAAAAAAAAA=
>> -----END DH PARAMETERS-----
>>
>> There is a single set of valid DH parameters for every protocol as
>> listed above.
>>
>> It seems odd that ssl_dh is defined for all of these protocols
>> specifically too. This specific per-protocol definition of ssl_dh
>> isn't specified in any config file.
>>
>> Reuben
> Can you try with doveconf -nP and ensure all those ssl_dh lines are of
> form ssl_dh =</file?
>
> Aki
That's the thing. Those extra ssl_dh lines aren't actually specified in
my conf files, they have been inherited from somewhere - so I can't
change them to be of any particular form because they aren't defined as
being that way in my configuration files.
There is only one place where ssl_dh is defined and that's in the global
10-ssl.conf file. See here:
lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #
The rest of them must be being inherited from that statement above.
But back to the original question, if I *remove* the ssl-parameters.dat
file from /var/lib/dovecot/ then without any other configuration changes
the error goes away on reload and from doveconf output. Not only that,
but if the ssl-parameters.dat file is removed then those ssl_dh lines
per-protocol in doveconf -n also disappear too.
To me that indicates that the mere presence of the ssl-parameters.dat
file is doing something odd with the way the ssl_dh configuration
statements are being handled. Something buggy with backwards
compatibility perhaps?
[Also tested with latest 2.3 -git as of today - same result]
Reuben