Unable to connect/authenticate after Debian SSL update

paul paul at anastrophe.com
Wed Oct 2 03:15:20 EEST 2019


And as usually happens, right after posting this I found the problem by 
looking in the right place!:

Oct 01 17:06:58 Error: pop3-login: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=199.73.114.98, lip=10.0.0.81, session=<s/ZZP+KTVszHSXJi>

fixed with:

root at relay: /etc/dovecot # openssl dhparam 4096 > dh.pem

sorry for the noise.

On 2019-10-01 17:05, paul via dovecot wrote:
> Just applied Debian SSL updates, due to vulnerabilities reported:
> 
> "Package        : openssl
> CVE ID         : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563
> 
> Three security issues were discovered in OpenSSL: A timing attack 
> against
> ECDSA, a padding oracle in PKCS7_dataDecode() and 
> CMS_decrypt_set1_pkey()
> and it was discovered that a feature of the random number generator 
> (RNG)
> intended to protect against shared RNG state between parent and child
> processes in the event of a fork() syscall was not used by default.
> 
> For the oldstable distribution (stretch), these problems have been 
> fixed
> in version 1.1.0l-1~deb9u1.
> 
> For the stable distribution (buster), these problems have been fixed in
> version 1.1.1d-0+deb10u1."
> 
> I am running Buster. Upon installing these updates, Dovecot
> immediately stopped allowing authentication:
> 
> Oct  1 16:47:11 relay monit[539]: 'dovecot' failed protocol test
> [IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error:
> error:00000000:lib(0):func(0):reason(0)
> Oct  1 16:50:22 relay monit[539]: 'dovecot' failed protocol test
> [IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error:
> error:00000000:lib(0):func(0):reason(0)
> 
> and
> 
> Oct 01 16:51:18 imap-login: Info: Disconnected: TLS initialization
> failed. (no auth attempts in 0 secs): user=<>, rip=71.198.57.170,
> lip=10.0.0.81, session=<0EdTB+KT+/NHxjmq>
> 
> Each time this occurs, dovecot restarts:
> Oct 01 16:50:23 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 16:50:42 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 16:51:10 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 16:53:35 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 16:56:46 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 16:59:57 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> Oct 01 17:03:08 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
> for pop3, imap (core dumps disabled)
> 
> I am at a loss. Dovecot had been working fine for ages. It's not clear
> to me why a routine SSL update would completely break it. I'm unclear
> how to proceed. This is a small personal server, but nevertheless I
> have a number of people using it who rely on it.
> 
> Here is my local.conf ( I added the ssl_protocols and ssl_min_protocol
> entries just a few minutes ago while attempting to resolve)
> 
> auth_cache_size = 100 k
> auth_cache_ttl = 12 hours
> auth_cache_negative_ttl = 12 hours
> auth_cache_verify_password_with_worker=yes
> auth_verbose = yes
> auth_failure_delay = 7 secs
> default_client_limit = 500
> default_process_limit = 50
> default_vsz_limit = 100 M
> verbose_proctitle = yes
> protocols = pop3 imap
> pop3_uidl_format = %08Xu%08Xv
> imap_idle_notify_interval = 244 secs
> info_log_path = /var/log/dovecot-info.log
> log_path = /var/log/dovecot-error.log
> maildir_very_dirty_syncs=yes
> mail_location = maildir:~/Maildir
> mailbox_idle_check_interval = 244 secs
> mailbox_list_index = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> 
> passdb {
>   driver = passwd-file
>   args = /etc/dovecot/deny
>   deny = yes
> }
> 
> passdb {
>   driver = pam
> }
> userdb {
>   driver = passwd
> }
> 
> service auth {
>   unix_listener auth-client {
>     mode = 0660
>     user = Debian-exim
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service pop3-login {
>   inet_listener pop3 {
>     port = 110
>   }
>   inet_listener pop3s {
>     port = 995
>     ssl = yes
>   }
> }
> 
> protocol imap {
>   mail_max_userip_connections = 20
> }
> 
> service imap {
>   unix_listener imap-master {
>     user = dovecot
>   }
> }
> imap_hibernate_timeout = 1 mins
> service imap {
>   extra_groups = dovenull
> }
> service imap-hibernate {
>   unix_listener imap-hibernate {
>     mode = 0660
>     group = dovenull
>   }
> }
> ssl = required
> ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
> ssl_min_protocol=TLSv1
> ssl_dh=</etc/dovecot/dh.pem
> ssl_cert = </etc/letsencrypt/live/relay.anastrophe.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/relay.anastrophe.com/privkey.pem
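
The "dh key too small" error above comes from OpenSSL's security-level check: at the default level 2 that Debian's OpenSSL 1.1.1 packages use, DH parameters under 2048 bits are refused, so a dh.pem generated years ago with a smaller size stops loading and every TLS listener fails to initialise, which is what the restart loop and monit failures show. The fix in the post regenerates a 4096-bit file; before (or after) doing that it is useful to know what size the existing file actually is. The script below is an added example, not code from the post or from Dovecot: it parses the PKCS#3 "DH PARAMETERS" PEM that `openssl dhparam` writes (a DER SEQUENCE of two INTEGERs, prime p and generator g) without needing the openssl binary, reports the bit length of p and flags anything under 2048. The file path, the 2048-bit threshold and the embedded sample are assumptions; the sample modulus is constructed for size only and is not a real safe prime.

```python
"""Audit the DH parameter file Dovecot loads via ssl_dh.

Added example (not from the mailing-list post or Dovecot). Parses the
PKCS#3 "DH PARAMETERS" PEM written by `openssl dhparam`: a DER SEQUENCE
holding two INTEGERs, the prime p and the generator g. Reports the bit
length of p and flags files below the 2048 bits that OpenSSL security
level 2 requires (the cause of "dh key too small").
"""
import base64
import re
import sys

# Assumed threshold: what OpenSSL security level 2 (Debian 1.1.1 default) accepts.
MIN_DH_BITS = 2048

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(data: bytes, i: int):
    """Read one DER tag/length/value at offset i; return (tag, value, next_i)."""
    tag = data[i]
    length = data[i + 1]
    i += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    if i + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[i:i + length], i + length


def parse_dh_params(pem: str):
    """Return (p, g) from a PEM-encoded PKCS#3 DHParameter."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, j = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, j)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, generator)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem: str) -> int:
    return parse_dh_params(pem)[0].bit_length()


def dh_params_acceptable(pem: str, min_bits: int = MIN_DH_BITS) -> bool:
    return dh_prime_bits(pem) >= min_bits


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                      # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """Build a DH PARAMETERS PEM; used here only to construct sample input."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed sample: a 1024-bit modulus (NOT a real safe prime; only its
# size matters for this audit), standing in for an old dh.pem that 1.1.1d rejects.
SAMPLE_WEAK_DH = encode_dh_params((1 << 1023) | 1, 2)


def audit(pem: str) -> str:
    bits = dh_prime_bits(pem)
    verdict = "OK" if bits >= MIN_DH_BITS else "TOO SMALL, regenerate"
    return f"DH prime: {bits} bits (minimum {MIN_DH_BITS}) -> {verdict}"


if __name__ == "__main__":
    # Usage: python3 dhcheck.py /etc/dovecot/dh.pem   (assumed path; sample if omitted)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEAK_DH
    print(audit(text))
```

The same size can be read with the OpenSSL CLI (`openssl dhparam -in /etc/dovecot/dh.pem -text -noout` prints "DH Parameters: (N bit)"); the script exists for hosts where you want the check without shelling out, or to run it over many servers. Generating a 4096-bit file as in the post can take several minutes on a small machine; 2048 bits is enough to clear level 2, and Dovecot needs a restart to read the new file through `ssl_dh = </etc/dovecot/dh.pem`.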

