<html><head></head><body><div>Problem:<br><br></div><div>We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we upgraded openSUSE to Leap 15.0.<br><br></div><div>In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer works, and I haven't figured out how to downgrade to the older working version.</div><div><br></div><div>The key issue seems to be the change to requiring dh.pem and changing <b>ssl_protocols</b> to <b>ssl_min_protocols</b>. I think I've navigated both correctly, but it still doesn't work.<br><br></div><div>The error is<br> <div style="margin-left: 3ch;"><code>auth: Error: stats: open(old-stats-user) failed: Permission denied</code></div><br> as a consequence of which we get<br> <div style="margin-left: 3ch;"><code>imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.</code></div><br>We have followed the instructions at <span class="Apple-tab-span" style="white-space: pre;"> </span><a href="https://wiki.dovecot.org/SSL/DovecotConfiguration">https://wiki.dovecot.org/SSL/DovecotConfiguration</a></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>1. We have created <code><b>/etc/dovecot/dh.pem</b></code> (yes, it took five hours) </div><div><br><span class="Apple-tab-span" style="white-space:pre"> </span>2. 
We have edited <b>10-ssl.conf</b> as directed by the Wiki:<br> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl = yes</code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem<br></code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_key = /etc/certbot/live/privustech.com/privkey.pem<br></code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_dh = /etc/dovecot/dh.pem<span class="Apple-tab-span" style="white-space:pre"> </span>#(yes, it took five hours to create...)<br></code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_min_protocol = TLSv1<br></code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH<br></code></div> <div style="margin-left: 3ch;"><code><span class="Apple-tab-span" style="white-space:pre"> </span>ssl_prefer_server_ciphers = no<br></code></div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>3. We have checked 10-ssl.conf against the 2.3 default at</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span><a href="https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf">https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf</a></div><div><br></div><span class="Apple-tab-span" style="white-space:pre"> </span>4. We do NOT include the less-than (<strong>&lt;</strong>) symbol before the paths because then Dovecot fails to load, complaining it cannot find the files.</div><div><br><span class="Apple-tab-span" style="white-space:pre"> </span>5. 
We have checked all the PEM keys, certificates, and DH files with <code>cat</code>; they all exist and are in the expected hash format.</div><div><br><span class="Apple-tab-span" style="white-space:pre"> </span>6. We have followed the instructions to set their permissions to <code>root:root 0444</code> and <code>0400</code> accordingly.<br><br></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>7. We have rebooted the host.<br><br></div><div><br></div><div>Any help or clues would be most appreciated.</div><div><br></div><div>Kind regards, Andy<br> <br></div></body></html>