dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Aki Tuomi aki.tuomi at dovecot.fi
Tue Oct 31 15:01:31 EET 2017



On 31.10.2017 15:00, Reuben Farrelly wrote:
> Hi,
>
> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
>> Message: 6
>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>> From: Teemu Huovila <teemu.huovila at dovecot.fi>
>> To: dovecot at dovecot.org
>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
>> Content-Type: text/plain; charset=utf-8
>>
>>
>>
>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>>
>>>
>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>> Hi Aki,
>>>>
>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>
>>>>>>
>>>>>> Hi again,
>>>>>>
>>>>>> Chasing down one last problem which seems to have been missed
>>>>>> from my
>>>>>> last email:
>>>>>>
>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>>
>>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>>>>>>>> <reuben-dovecot at reub.net>
>>>>>>>>> wrote:
>>>>>> This problem below is still present in 2.3 -git, as of version
>>>>>> 2.3.devel
>>>>>> (6fc40674e)
>>>>>>
>>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>>>>>>>
>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> Yet the file is there:
>>>>>>>>>
>>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> And the config is there as well:
>>>>>>>>>
>>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>
>>>>>>>>> It appears that this warning is being triggered by the
>>>>>>>>> presence of
>>>>>>>>> the ssl-parameters.dat file because when I remove it the warning
>>>>>>>>> goes away. Perhaps the warning could be made a bit more specific
>>>>>>>>> about this file being removed if it is not required because at
>>>>>>>>> the
>>>>>>>>> moment the warning message is not related to the trigger.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Reuben
>>>>>> Thanks,
>>>>>> Reuben
>>>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>>>> no ssl_dh=< explicitly set in config file.
>>>>>
>>>>> Aki
>>>>
>>>> I have this already in my 10-ssl.conf file:
>>>>
>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>> doveconf: Warning: You can generate it with: dd
>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>> -inform der > /etc/dovecot/dh.pem
>>>>  * Reloading dovecot configs and restarting auth/login processes
>>>> ...      [ ok ]
>>>> lightning dovecot #
>>>>
>>>> However:
>>>>
>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>> # gives on startup when ssl_dh is unset.
>>>> ssl_dh=</etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> and the file is there:
>>>>
>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> So it is actually configured and yet the warning still is present.
>>>>
>>>> Reuben
>>>
>>> Hi!
>>>
>>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>>> are still missing ssl_dh somewhere?
>>>
>>> Aki
>>>
>> Hello
>>
>> Just a guess, but at this point I would recommend reviewing the
>> output of "doveconf -n" to make sure the appropriate settings are
>> present.
>>
>> br,
>> Teemu
>
> I still can't see anything amiss.  Here's the output from doveconf -n:
>
> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.devel (f4659224)
> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release
> 2.4.1
> auth_mechanisms = plain login
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_username_format = %Ln
> doveadm_password =  # hidden, use -P to show it
> first_valid_uid = 1000
> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
> last_valid_uid = 1100
> login_log_format_elements = user=<%u> auth-method=%m remote=%r
> local=%l %k
> login_trusted_networks = 192.168.0.0/16
> mail_location = maildir:~/Maildir
> mail_plugins = stats notify replication fts fts_lucene
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = failure_show_msg=yes %s
>   driver = pam
> }
> plugin {
>   fts = lucene
>   fts_autoindex = yes
>   fts_languages = en
>   fts_lucene = whitespace_chars=@.
>   mail_replica = tcps:inside-mail.reub.net:4813
>   replication_full_sync_interval = 4 hours
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   stats_refresh = 30 secs
>   stats_track_cmds = yes
> }
> protocols = imap lmtp sieve
> recipient_delimiter = -
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     mode = 0666
>     user = root
>   }
>   unix_listener replication-notify {
>     mode = 0666
>     user = root
>   }
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     mode = 0777
>   }
> }
> service doveadm {
>   inet_listener {
>     address = 2400:8901:e001:3a::20
>     port = 4813
>     ssl = yes
>   }
>   user = root
> }
> service imap {
>   executable = imap postlogin
> }
> service lmtp {
>   inet_listener lmtp {
>     address = ::1
>     port = 24
>   }
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service postlogin {
>   executable = script-login -d rawlog
> }
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     mode = 0666
>   }
> }
> service stats {
>   fifo_listener stats-mail {
>     mode = 0666
>   }
> }
> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_dh =  # hidden, use -P to show it
> ssl_key =  # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> userdb {
>   driver = passwd
> }
> protocol lmtp {
>   mail_plugins = stats notify replication fts fts_lucene sieve
>   ssl_dh =  # hidden, use -P to show it
> }
> protocol !indexer-worker {
>   ssl_dh =  # hidden, use -P to show it
> }
> protocol lda {
>   mail_plugins = stats notify replication fts fts_lucene sieve
>   ssl_dh =  # hidden, use -P to show it
> }
> protocol imap {
>   mail_plugins = stats notify replication fts fts_lucene imap_stats
>   ssl_dh =  # hidden, use -P to show it
> }
> protocol sieve {
>   ssl_dh =  # hidden, use -P to show it
> }
> protocol pop3 {
>   ssl_dh =  # hidden, use -P to show it
> }
>
> And showing with -P as an example:
>
> protocol pop3 {
>   ssl_dh = -----BEGIN DH PARAMETERS-----
> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
> ...
> AAAAAAAAAAAAAAAAAAAAAAAAAAA=
> -----END DH PARAMETERS-----
>
> There is a single set of valid DH parameters for every protocol as
> listed above.
>
> It seems odd that ssl_dh is defined all of these protocols
> specifically too.  This specific per-protocol definition of ssl_dh
> isn't specified in any config file.
>
> Reuben

Can you try with doveconf -nP  and ensure all those ssl_dh lines are of
form ssl_dh =</file?

Aki
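The check Aki asks for above, scripted so it can be run against a whole `doveconf -nP` dump rather than eyeballed. This is an added example, not code from the thread or from the Dovecot project. It reads doveconf output on stdin, tracks which `protocol … { }` block each `ssl_dh` line sits in, and reports whether the value is a file reference (`</path`, the form Aki asks for) or PEM pasted inline. The sample input is constructed for the demo and is not the poster's real output; the `dh_pem_ok` and `convert_legacy_params` helpers are assumptions on top of the thread: they wrap `openssl dhparam`, which accepts `-check` and `-inform DER`, rather than the `openssl dh` alias quoted in the warning.

```shell
#!/bin/sh
# Constructed sample of `doveconf -nP` output (NOT the poster's real config):
# one global ssl_dh as </file, one protocol block with PEM pasted inline.
SAMPLE_DOVECONF='ssl_cert = </etc/ssl/dovecot/server.crt
ssl_dh = </etc/dovecot/dh.pem
ssl_key = </etc/ssl/dovecot/server.key
protocol lmtp {
  ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAexampleexampleexample
-----END DH PARAMETERS-----
}
protocol imap {
  ssl_dh = </etc/dovecot/dh.pem
}'

# classify_ssl_dh: read doveconf -nP text on stdin and print one line per
# ssl_dh setting, "<scope> <kind>", where scope is "global" or
# "protocol:<name>" and kind is "file" (value starts with "<") or "inline".
classify_ssl_dh() {
  awk '
    /^protocol [^ ]+ [{]/ { scope = "protocol:" $2 }
    /^[}]/                { scope = "global" }
    /^[ \t]*ssl_dh = /    {
      val = $0
      sub(/^[ \t]*ssl_dh = /, "", val)
      kind = (substr(val, 1, 1) == "<") ? "file" : "inline"
      print (scope == "" ? "global" : scope), kind
    }
  '
}

# inline_ssl_dh_scopes: only the scopes whose ssl_dh is pasted PEM.  Empty
# output means every ssl_dh is of the "ssl_dh = </file" form Aki asked for.
inline_ssl_dh_scopes() {
  classify_ssl_dh | awk '$2 == "inline" { print $1 }'
}

# dh_pem_ok FILE: assumed helper; verifies the PEM really is a valid DH
# group (prime p, generator g) rather than just a file that exists.
dh_pem_ok() {
  openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# convert_legacy_params DAT OUT: assumed helper; same conversion the warning
# prints (skip the 88-byte header, DER -> PEM) using the dhparam command.
convert_legacy_params() {
  dd if="$1" bs=1 skip=88 2>/dev/null | openssl dhparam -inform DER > "$2"
}

# Demo on the constructed sample.  On a live host use:
#   doveconf -nP | inline_ssl_dh_scopes
printf '%s\n' "$SAMPLE_DOVECONF" | classify_ssl_dh
```

On the sample this prints `global file`, `protocol:lmtp inline`, `protocol:imap file`, so `inline_ssl_dh_scopes` names `protocol:lmtp` as the block still carrying pasted parameters. After fixing the config, `dh_pem_ok /etc/dovecot/dh.pem` confirms the file is usable DH parameters and not merely present.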

