<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Aki hello, thank you. Hopefully excerpts and top posting are acceptable in the mailing list? </div><div><br></div><div>On that assumption:</div><div><br></div><div>Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy.</div><div><br></div><div>I also restored my backup <b>10-ssl.conf</b>. It indeed has the "<" sign with a space before the explicit paths to the files:</div><div> ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem</div><div> ssl_key = </etc/certbot/live/privustech.com/privkey.pem</div><div><br></div><div> It returns several complaints after restarting dovecot which I addressed:</div><div> <a href="https://wiki2.dovecot.org/Upgrading/2.3">https://wiki2.dovecot.org/Upgrading/2.3</a></div><div> <a href="https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf">https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf</a></div><div>• Changed <b>ssl_protocols</b> to <b>ssl_min_protocol = TLSv1</b></div><div>• Added <b>ssl_dh = </etc/dovecot/dh.pem</b> and check it with <b>cat</b>. It reads as a properly hashed <b>DH PARAMETERS</b> file.</div><div>At this point we are back to the complaint about <b>ssl_cert</b>: <b>Permission denied. </b></div><div> The certificates are <b>root:root 0777</b> and of course dovecot is running as <b>root</b>. The <b>conf </b>files are <b>andy:user 0644</b>.</div><div> The documentation says </div><blockquote type="cite"><div># PEM encoded X.509 SSL/TLS certificate and private key. They're opened before</div></blockquote><blockquote type="cite"><div># dropping root privileges, so keep the key file unreadable by anyone but</div><div># root</div></blockquote><table class="highlight tab-size js-file-line-container" data-tab-size="8" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; tab-size: 8; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);"><tbody style="box-sizing: border-box;"></tbody></table><div><br></div><div><div>However if I remove the < then dovecot starts up correctly. </div><div> I delete them one at a time, test, and it shows that file read, but then fails on the next. So carry on. After the ssl_cert and ssl_key < are removed dovecot runs (ssl_dh still has <):</div><div><code> Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.<br></code><code> Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) <br></code><code> starting up for imap, pop3, lmtp<br></code><br></div><pre> But then logging in imap fails:</pre><pre><span class="Apple-tab-span" style="white-space:pre"> </span>open(old-stats-user) failed: Permission denied</pre><pre><span class="Apple-tab-span" style="white-space:pre"> </span>The documentation for 2.3 says to remove stats from mail-plugin settings, but I do not find that in either dovecot.conf or 10-mail.conf.</pre><pre><br></pre><pre>The mail system is working correctly. Mail is received and stored in /home/alavarre/Maildir/new</pre><div><br></div><div><div><div>I'm sure it's something simple, since it worked before the version upgrade. So maybe the answer is just go back to the older version... :-(</div><div><br></div></div><div>Thanks again.</div><div>Andy</div></div><div><br></div></div><div>~~~~</div><div>Here are the results of addressing your suggestions, thank you again:</div><div><br></div><div>>You should set <code>ssl_prefer_server_ciphers = yes</code><br><span class="Apple-tab-span" style="white-space:pre"> </span>Done. No change in status however...<br> <br>><span style="color:#737373;">>4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.</span><br><span style="color:#737373;">> </span><i>Yes, this is probably indication that you are missing the files </i><br> The files are not missing or corrupted. <code><b>cat</b></code> shows apparently properly hashed certificates and keys.<br> <br><i>>or are chrooting dovecot in unsupported way. Not including the < symbol will not help with this.</i><br> Mmmmm:<br> <a href="https://wiki.archlinux.org/index.php/Chroot">https://wiki.archlinux.org/index.php/Chroot</a><br> I did not intentionally or explicitly chroot dovecot. However, it is possible that <strong>yast2</strong> may have done this to perform the upgrade from Leap 42.3 to 15.0 and didn't undo it?<br> However, this does not seem to have happened:<br> <a href="https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within">https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within</a><br> <code> <b>stat</b></code> indicates that root is indeed the normal root:<br> <code> stat -c %i /</code><br> returns 2. (But thanks for the education! :-) I now know about chroot...)<br><br>>You should use<br>> <code>ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem <br></code>> <code>ssl_key =</etc/certbot/live/privustech.com/privkey.pem<br></code>> <code>ssl_dh =</etc/dovecot/dh.pem</code><br> <br> When I do that (= <, with) or (=< without) a space between = and < and try restarting dovecot I receive:<br> <code> Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16: <br></code><code> ssl_cert: Can't open file /etc/certbot/live/privustech.com/fullchain.pem:<br></code><code> Permission denied </code><br> <br> However if I remove the < then dovecot starts up correctly:<br> <code> Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.<br></code><code> Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) <br></code><code> starting up for imap, pop3, lmtp<br></code><br></div><pre> But then logging in imap fails:<br> <code>Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<D6gm3f18gcZrazzb><br> Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<XWQo3f18IcVrazzb><br></code><br></pre><div>I'm inclined to think that the "less than" symbol is the problem. The documentation says </div><div><span class="Apple-tab-span" style="white-space:pre"> </span><i>the <paths/to/files "are relative to the currently parsed config file's directory (/etc/dovecot/conf.d), similar to how !include works. The file is read immediately whenever parsing the configuration file." </i>It also shows a space between = and <.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>By that logic I should use</div><div> ssl_cert = <../../certbot/live/privustech.com/fullchain.pem<br> ssl_key = <../../certbot/live/privustech.com/privkey.pem <br> ssl_dh = <../../dovecot/dh.pem<br></div>
<div> but this doesn't work either. Restoring the explicit path without < gets us back to dovecot starting up but not able to log in with imap...</div><div><br></div><div><div><br></div></div><div>On Fri, 2018-12-14 at 07:19 +0200, Aki Tuomi wrote:</div><blockquote type="cite"><pre><blockquote type="cite">
On 14 December 2018 at 02:12 "C. Andrews Lavarre" <<a href="mailto:alavarre@gmail.com">alavarre@gmail.com</a>> wrote:
Problem:
We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
upgraded openSUSE to Leap 15.0.
In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
works and I haven't figured out how to downgrade to the older working
version.
The key issue seems to be the change to requiring dh.pem and changing s
sl_protocols to ssl_min_protocols. I think I've navigated both
correctly, but it still doesn't work.
The error is
auth: Error: stats: open(old-stats-user) failed: Permission denied
as a consequence of which we get
imap-login: Error: Failed to initialize SSL server context: Can't
load SSL certificate: There is no valid PEM certificate.
We have followed the instructions at <a href="https://wiki.dovecot.org/S">https://wiki.dovecot.org/S</a>
SL/DovecotConfiguration
1. We have created /etc/dovecot/dh.pem (yes it took five
hours)
2. We have edited 10-ssl.conf as directed by the Wiki:
ssl = yes
ssl_cert =
/etc/certbot/live/privustech.com/fullchain.pem
ssl_key = /etc/certbot/live/privustech.com/privkey.pem
ssl_dh = /etc/dovecot
</blockquote>
/dh.pem #(yes, it took five hours to create...)
Hi! You should use
ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
ssl_key =</etc/certbot/live/privustech.com/privkey.pem
ssl_dh =</etc/dovecot/dh.pem
<blockquote type="cite">
ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = no
</blockquote>
You should set ssl_prefer_server_ciphers = yes.
<blockquote type="cite">
3. We have checked 10-ssl.conf against the 2.3 default at
<a href="https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf">https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf</a>
4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files.
</blockquote>
Yes, this is probably indication that you are missing the files or are chrooting dovecot in unsupported way. Not including the < symbol will not help with this.
<blockquote type="cite">
5. we have checked all the pem keys, certificates, and dh
files with cat, they all exist and are in the expected hash format.
6. We have followed the instructions to set their permissions
root:root 0444 and 0400 accordingly.
7. We have rebooted the host.
</blockquote>
This is correct.
<blockquote type="cite">
Any help or clues would be most appreciated.
Kind regards, Andy
</blockquote></pre></blockquote></body></html>