search for: serverpreference

...HE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 Options = PrioritizeChaCha,ServerPreference However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, ==> /var/log/dovecot/dovecot.log <== ... 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn i...

...HACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > > Options = PrioritizeChaCha,ServerPreference > > > > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, > > > > ==> /var/log/dovecot/dovecot.log <== > > ... > > 2020-08-24 17:04:42 submission(testuser at exam...

...DSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > Options = PrioritizeChaCha,ServerPreference > > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, > > ==> /var/log/dovecot/dovecot.log <== > ... > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH&g...

hi, On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote: > I had the same problem when migrating from Dovecot V2.2.36 on, Centos-7 to?Dovecot v2.3.8 on Centos-8 My report is specifically/solely about the addition/use of the Options = ServerPreference parameter. I don't see that in your configuration. Are you using it? In a config using Dovecot's submission proxy?

...does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue. > > I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended. > > It's ONLY Dovecot that's reproducibly firing the error, as reported above. > > It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in...

Hi, In my Centos-8 server, it was not necessary using "Options = ServerPreference" parameter. My openssl.conf look like that : openssl_conf = default_modules [ default_modules ] ssl_conf = ssl_module [ ssl_module ] system_default = crypto_policy [ crypto_policy ] *.include /etc/crypto-policies/back-ends/opensslcnf.config* And /etc/crypto-policies/back-ends/opensslcnf.con...

..., dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue. I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended. It's ONLY Dovecot that's reproducibly firing the error, as reported above. It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behavin...

On 10/1/20 8:52 AM, JEAN-PAUL CHAPALAIN wrote: > In my Centos-8 server, it was not necessary using? "Options = ServerPreference" parameter. sry, then i'm unclear re: the point you're trying to make. this issue is ONLY about the problem re: THAT parameter's use, not re: general SSL error messages/causes.

On 9/23/20 2:14 AM, Aki Tuomi wrote: > I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me. ugh. well, good to know. with my my full-blown configs, it's definitely reproducible here. I'll see if I can reduce this to a simple demonstrator ...