Reuben Farrelly
2017-Oct-31 13:00 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Hi, On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:> Message: 6 > Date: Mon, 30 Oct 2017 10:22:42 +0200 > From: Teemu Huovila <teemu.huovila at dovecot.fi> > To: dovecot at dovecot.org > Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error > Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi> > Content-Type: text/plain; charset=utf-8 > > > > On 30.10.2017 09:10, Aki Tuomi wrote: >> >> >> On 30.10.2017 00:23, Reuben Farrelly wrote: >>> Hi Aki, >>> >>> On 30/10/2017 12:43 AM, Aki Tuomi wrote: >>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly >>>>> <reuben-dovecot at reub.net> wrote: >>>>> >>>>> >>>>> Hi again, >>>>> >>>>> Chasing down one last problem which seems to have been missed from my >>>>> last email: >>>>> >>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote: >>>>>> >>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly: >>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote: >>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net> >>>>>>>> wrote: >>>>> This problem below is still present in 2.3 -git, as of version >>>>> 2.3.devel >>>>> (6fc40674e) >>>>> >>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>> >>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>> >>>>>>>> Yet the file is there: >>>>>>>> >>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem >>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem >>>>>>>> >>>>>>>> And the config is there as well: >>>>>>>> >>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh >>>>>>>> ssl_dh = </etc/dovecot/dh.pem >>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>> thunderstorm dovecot # >>>>>>>> >>>>>>>> It appears that this warning is being triggered by the presence of >>>>>>>> the ssl-parameters.dat file because when I remove it the warning >>>>>>>> goes away. Perhaps the warning could be made a bit more specific >>>>>>>> about this file being removed if it is not required because at the >>>>>>>> moment the warning message is not related to the trigger. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Reuben >>>>> Thanks, >>>>> Reuben >>>> It is triggered when there is ssl-parameters.dat file *AND* there is >>>> no ssl_dh=< explicitly set in config file. >>>> >>>> Aki >>> >>> I have this already in my 10-ssl.conf file: >>> >>> lightning dovecot # /etc/init.d/dovecot reload >>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>> doveconf: Warning: You can generate it with: dd >>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>> -inform der > /etc/dovecot/dh.pem >>> ?* Reloading dovecot configs and restarting auth/login processes >>> ...????? [ ok ] >>> lightning dovecot # >>> >>> However: >>> >>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf >>> # gives on startup when ssl_dh is unset. >>> ssl_dh=</etc/dovecot/dh.pem >>> lightning dovecot # >>> >>> and the file is there: >>> >>> lightning dovecot # ls -la /etc/dovecot/dh.pem >>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem >>> lightning dovecot # >>> >>> So it is actually configured and yet the warning still is present. >>> >>> Reuben >> >> Hi! >> >> I gave this a try, and I was not able to repeat this issue. Perhaps you >> are still missing ssl_dh somewhere? >> >> Aki >> > Hello > > Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present. > > br, > TeemuI still can't see anything amiss. Here's the output from doveconf -n: # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.devel (f4659224) # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1 auth_mechanisms = plain login auth_socket_path = /var/run/dovecot/auth-userdb auth_username_format = %Ln doveadm_password = # hidden, use -P to show it first_valid_uid = 1000 imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep last_valid_uid = 1100 login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k login_trusted_networks = 192.168.0.0/16 mail_location = maildir:~/Maildir mail_plugins = stats notify replication fts fts_lucene managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix } passdb { args = failure_show_msg=yes %s driver = pam } plugin { fts = lucene fts_autoindex = yes fts_languages = en fts_lucene = whitespace_chars=@. mail_replica = tcps:inside-mail.reub.net:4813 replication_full_sync_interval = 4 hours sieve = file:~/sieve;active=~/.dovecot.sieve stats_refresh = 30 secs stats_track_cmds = yes } protocols = imap lmtp sieve recipient_delimiter = - service aggregator { fifo_listener replication-notify-fifo { mode = 0666 user = root } unix_listener replication-notify { mode = 0666 user = root } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { mode = 0777 } } service doveadm { inet_listener { address = 2400:8901:e001:3a::20 port = 4813 ssl = yes } user = root } service imap { executable = imap postlogin } service lmtp { inet_listener lmtp { address = ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } } service postlogin { executable = script-login -d rawlog } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } service stats { fifo_listener stats-mail { mode = 0666 } } ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt ssl_cert = </etc/ssl/dovecot/*.reub.net.crt ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5 ssl_client_ca_dir = /etc/ssl/certs ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 !TLSv1 userdb { driver = passwd } protocol lmtp { mail_plugins = stats notify replication fts fts_lucene sieve ssl_dh = # hidden, use -P to show it } protocol !indexer-worker { ssl_dh = # hidden, use -P to show it } protocol lda { mail_plugins = stats notify replication fts fts_lucene sieve ssl_dh = # hidden, use -P to show it } protocol imap { mail_plugins = stats notify replication fts fts_lucene imap_stats ssl_dh = # hidden, use -P to show it } protocol sieve { ssl_dh = # hidden, use -P to show it } protocol pop3 { ssl_dh = # hidden, use -P to show it } And showing with -P as an example: protocol pop3 { ssl_dh = -----BEGIN DH PARAMETERS----- MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s ... AAAAAAAAAAAAAAAAAAAAAAAAAAA-----END DH PARAMETERS----- There is a single set of valid DH parameters for every protocol as listed above. It seems odd that ssl_dh is defined all of these protocols specifically too. This specific per-protocol definition of ssl_dh isn't specified in any config file. Reuben
Aki Tuomi
2017-Oct-31 13:01 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
On 31.10.2017 15:00, Reuben Farrelly wrote:> Hi, > > On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote: >> Message: 6 >> Date: Mon, 30 Oct 2017 10:22:42 +0200 >> From: Teemu Huovila <teemu.huovila at dovecot.fi> >> To: dovecot at dovecot.org >> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error >> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi> >> Content-Type: text/plain; charset=utf-8 >> >> >> >> On 30.10.2017 09:10, Aki Tuomi wrote: >>> >>> >>> On 30.10.2017 00:23, Reuben Farrelly wrote: >>>> Hi Aki, >>>> >>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote: >>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly >>>>>> <reuben-dovecot at reub.net> wrote: >>>>>> >>>>>> >>>>>> Hi again, >>>>>> >>>>>> Chasing down one last problem which seems to have been missed >>>>>> from my >>>>>> last email: >>>>>> >>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote: >>>>>>> >>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly: >>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote: >>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly >>>>>>>>> <reuben-dovecot at reub.net> >>>>>>>>> wrote: >>>>>> This problem below is still present in 2.3 -git, as of version >>>>>> 2.3.devel >>>>>> (6fc40674e) >>>>>> >>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>>> >>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>>> >>>>>>>>> Yet the file is there: >>>>>>>>> >>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem >>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem >>>>>>>>> >>>>>>>>> And the config is there as well: >>>>>>>>> >>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh >>>>>>>>> ssl_dh = </etc/dovecot/dh.pem >>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>> thunderstorm dovecot # >>>>>>>>> >>>>>>>>> It appears that this warning is being triggered by the >>>>>>>>> presence of >>>>>>>>> the ssl-parameters.dat file because when I remove it the warning >>>>>>>>> goes away. Perhaps the warning could be made a bit more specific >>>>>>>>> about this file being removed if it is not required because at >>>>>>>>> the >>>>>>>>> moment the warning message is not related to the trigger. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> Reuben >>>>>> Thanks, >>>>>> Reuben >>>>> It is triggered when there is ssl-parameters.dat file *AND* there is >>>>> no ssl_dh=< explicitly set in config file. >>>>> >>>>> Aki >>>> >>>> I have this already in my 10-ssl.conf file: >>>> >>>> lightning dovecot # /etc/init.d/dovecot reload >>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>> doveconf: Warning: You can generate it with: dd >>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>> -inform der > /etc/dovecot/dh.pem >>>> ?* Reloading dovecot configs and restarting auth/login processes >>>> ...????? [ ok ] >>>> lightning dovecot # >>>> >>>> However: >>>> >>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf >>>> # gives on startup when ssl_dh is unset. >>>> ssl_dh=</etc/dovecot/dh.pem >>>> lightning dovecot # >>>> >>>> and the file is there: >>>> >>>> lightning dovecot # ls -la /etc/dovecot/dh.pem >>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem >>>> lightning dovecot # >>>> >>>> So it is actually configured and yet the warning still is present. >>>> >>>> Reuben >>> >>> Hi! >>> >>> I gave this a try, and I was not able to repeat this issue. Perhaps you >>> are still missing ssl_dh somewhere? >>> >>> Aki >>> >> Hello >> >> Just a guess, but at this point I would recommend reviewing the >> output of "doveconf -n" to make sure the appropriate settings are >> present. >> >> br, >> Teemu > > I still can't see anything amiss.? Here's the output from doveconf -n: > > # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.devel (f4659224) > # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release > 2.4.1 > auth_mechanisms = plain login > auth_socket_path = /var/run/dovecot/auth-userdb > auth_username_format = %Ln > doveadm_password =? # hidden, use -P to show it > first_valid_uid = 1000 > imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep > last_valid_uid = 1100 > login_log_format_elements = user=<%u> auth-method=%m remote=%r > local=%l %k > login_trusted_networks = 192.168.0.0/16 > mail_location = maildir:~/Maildir > mail_plugins = stats notify replication fts fts_lucene > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date index ihave duplicate mime foreverypart > extracttext > namespace inbox { > ? inbox = yes > ? location > ? mailbox Drafts { > ??? special_use = \Drafts > ? } > ? mailbox Junk { > ??? special_use = \Junk > ? } > ? mailbox Sent { > ??? special_use = \Sent > ? } > ? mailbox "Sent Messages" { > ??? special_use = \Sent > ? } > ? mailbox Trash { > ??? special_use = \Trash > ? } > ? prefix > } > passdb { > ? args = failure_show_msg=yes %s > ? driver = pam > } > plugin { > ? fts = lucene > ? fts_autoindex = yes > ? fts_languages = en > ? fts_lucene = whitespace_chars=@. > ? mail_replica = tcps:inside-mail.reub.net:4813 > ? replication_full_sync_interval = 4 hours > ? sieve = file:~/sieve;active=~/.dovecot.sieve > ? stats_refresh = 30 secs > ? stats_track_cmds = yes > } > protocols = imap lmtp sieve > recipient_delimiter = - > service aggregator { > ? fifo_listener replication-notify-fifo { > ??? mode = 0666 > ??? user = root > ? } > ? unix_listener replication-notify { > ??? mode = 0666 > ??? user = root > ? } > } > service auth { > ? unix_listener /var/spool/postfix/private/auth { > ??? group = postfix > ??? mode = 0666 > ??? user = postfix > ? } > ? unix_listener auth-userdb { > ??? mode = 0777 > ? } > } > service doveadm { > ? inet_listener { > ??? address = 2400:8901:e001:3a::20 > ??? port = 4813 > ??? ssl = yes > ? } > ? user = root > } > service imap { > ? executable = imap postlogin > } > service lmtp { > ? inet_listener lmtp { > ??? address = ::1 > ??? port = 24 > ? } > ? unix_listener /var/spool/postfix/private/dovecot-lmtp { > ??? group = postfix > ??? mode = 0660 > ??? user = postfix > ? } > } > service postlogin { > ? executable = script-login -d rawlog > } > service replicator { > ? process_min_avail = 1 > ? unix_listener replicator-doveadm { > ??? mode = 0666 > ? } > } > service stats { > ? fifo_listener stats-mail { > ??? mode = 0666 > ? } > } > ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt > ssl_cert = </etc/ssl/dovecot/*.reub.net.crt > ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5 > ssl_client_ca_dir = /etc/ssl/certs > ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt > ssl_dh =? # hidden, use -P to show it > ssl_key =? # hidden, use -P to show it > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 > userdb { > ? driver = passwd > } > protocol lmtp { > ? mail_plugins = stats notify replication fts fts_lucene sieve > ? ssl_dh =? # hidden, use -P to show it > } > protocol !indexer-worker { > ? ssl_dh =? # hidden, use -P to show it > } > protocol lda { > ? mail_plugins = stats notify replication fts fts_lucene sieve > ? ssl_dh =? # hidden, use -P to show it > } > protocol imap { > ? mail_plugins = stats notify replication fts fts_lucene imap_stats > ? ssl_dh =? # hidden, use -P to show it > } > protocol sieve { > ? ssl_dh =? # hidden, use -P to show it > } > protocol pop3 { > ? ssl_dh =? # hidden, use -P to show it > } > > And showing with -P as an example: > > protocol pop3 { > ? ssl_dh = -----BEGIN DH PARAMETERS----- > MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s > ... > AAAAAAAAAAAAAAAAAAAAAAAAAAA> -----END DH PARAMETERS----- > > There is a single set of valid DH parameters for every protocol as > listed above. > > It seems odd that ssl_dh is defined all of these protocols > specifically too.? This specific per-protocol definition of ssl_dh > isn't specified in any config file. > > ReubenCan you try with doveconf -nP? and ensure all those ssl_dh lines are of form ssl_dh =</file? Aki
Reuben Farrelly
2017-Nov-01 11:51 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Hi again, On 1/11/2017 12:01 AM, Aki Tuomi wrote:> > On 31.10.2017 15:00, Reuben Farrelly wrote: >> Hi, >> >> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote: >>> Message: 6 >>> Date: Mon, 30 Oct 2017 10:22:42 +0200 >>> From: Teemu Huovila <teemu.huovila at dovecot.fi> >>> To: dovecot at dovecot.org >>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error >>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi> >>> Content-Type: text/plain; charset=utf-8 >>> >>> >>> >>> On 30.10.2017 09:10, Aki Tuomi wrote: >>>> >>>> On 30.10.2017 00:23, Reuben Farrelly wrote: >>>>> Hi Aki, >>>>> >>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote: >>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly >>>>>>> <reuben-dovecot at reub.net> wrote: >>>>>>> >>>>>>> >>>>>>> Hi again, >>>>>>> >>>>>>> Chasing down one last problem which seems to have been missed >>>>>>> from my >>>>>>> last email: >>>>>>> >>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote: >>>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly: >>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote: >>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly >>>>>>>>>> <reuben-dovecot at reub.net> >>>>>>>>>> wrote: >>>>>>> This problem below is still present in 2.3 -git, as of version >>>>>>> 2.3.devel >>>>>>> (6fc40674e) >>>>>>> >>>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>>>> >>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>>>> >>>>>>>>>> Yet the file is there: >>>>>>>>>> >>>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem >>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem >>>>>>>>>> >>>>>>>>>> And the config is there as well: >>>>>>>>>> >>>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh >>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem >>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>>>>>>> -inform der > /etc/dovecot/dh.pem >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS----- >>>>>>>>>> thunderstorm dovecot # >>>>>>>>>> >>>>>>>>>> It appears that this warning is being triggered by the >>>>>>>>>> presence of >>>>>>>>>> the ssl-parameters.dat file because when I remove it the warning >>>>>>>>>> goes away. Perhaps the warning could be made a bit more specific >>>>>>>>>> about this file being removed if it is not required because at >>>>>>>>>> the >>>>>>>>>> moment the warning message is not related to the trigger. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Reuben >>>>>>> Thanks, >>>>>>> Reuben >>>>>> It is triggered when there is ssl-parameters.dat file *AND* there is >>>>>> no ssl_dh=< explicitly set in config file. >>>>>> >>>>>> Aki >>>>> I have this already in my 10-ssl.conf file: >>>>> >>>>> lightning dovecot # /etc/init.d/dovecot reload >>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>> doveconf: Warning: You can generate it with: dd >>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>>>> -inform der > /etc/dovecot/dh.pem >>>>> ?* Reloading dovecot configs and restarting auth/login processes >>>>> ...????? [ ok ] >>>>> lightning dovecot # >>>>> >>>>> However: >>>>> >>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf >>>>> # gives on startup when ssl_dh is unset. >>>>> ssl_dh=</etc/dovecot/dh.pem >>>>> lightning dovecot # >>>>> >>>>> and the file is there: >>>>> >>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem >>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem >>>>> lightning dovecot # >>>>> >>>>> So it is actually configured and yet the warning still is present. >>>>> >>>>> Reuben >>>> Hi! >>>> >>>> I gave this a try, and I was not able to repeat this issue. Perhaps you >>>> are still missing ssl_dh somewhere? >>>> >>>> Aki >>>> >>> Hello >>> >>> Just a guess, but at this point I would recommend reviewing the >>> output of "doveconf -n" to make sure the appropriate settings are >>> present. >>> >>> br, >>> Teemu >> I still can't see anything amiss.? Here's the output from doveconf -n: >> >> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf >> # Pigeonhole version 0.5.devel (f4659224) >> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release >> 2.4.1 >> auth_mechanisms = plain login >> auth_socket_path = /var/run/dovecot/auth-userdb >> auth_username_format = %Ln >> doveadm_password =? # hidden, use -P to show it >> first_valid_uid = 1000 >> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep >> last_valid_uid = 1100 >> login_log_format_elements = user=<%u> auth-method=%m remote=%r >> local=%l %k >> login_trusted_networks = 192.168.0.0/16 >> mail_location = maildir:~/Maildir >> mail_plugins = stats notify replication fts fts_lucene >> managesieve_notify_capability = mailto >> managesieve_sieve_capability = fileinto reject envelope >> encoded-character vacation subaddress comparator-i;ascii-numeric >> relational regex imap4flags copy include variables body enotify >> environment mailbox date index ihave duplicate mime foreverypart >> extracttext >> namespace inbox { >> ? inbox = yes >> ? location >> ? mailbox Drafts { >> ??? special_use = \Drafts >> ? } >> ? mailbox Junk { >> ??? special_use = \Junk >> ? } >> ? mailbox Sent { >> ??? special_use = \Sent >> ? } >> ? mailbox "Sent Messages" { >> ??? special_use = \Sent >> ? } >> ? mailbox Trash { >> ??? special_use = \Trash >> ? } >> ? prefix >> } >> passdb { >> ? args = failure_show_msg=yes %s >> ? driver = pam >> } >> plugin { >> ? fts = lucene >> ? fts_autoindex = yes >> ? fts_languages = en >> ? fts_lucene = whitespace_chars=@. >> ? mail_replica = tcps:inside-mail.reub.net:4813 >> ? replication_full_sync_interval = 4 hours >> ? sieve = file:~/sieve;active=~/.dovecot.sieve >> ? stats_refresh = 30 secs >> ? stats_track_cmds = yes >> } >> protocols = imap lmtp sieve >> recipient_delimiter = - >> service aggregator { >> ? fifo_listener replication-notify-fifo { >> ??? mode = 0666 >> ??? user = root >> ? } >> ? unix_listener replication-notify { >> ??? mode = 0666 >> ??? user = root >> ? } >> } >> service auth { >> ? unix_listener /var/spool/postfix/private/auth { >> ??? group = postfix >> ??? mode = 0666 >> ??? user = postfix >> ? } >> ? unix_listener auth-userdb { >> ??? mode = 0777 >> ? } >> } >> service doveadm { >> ? inet_listener { >> ??? address = 2400:8901:e001:3a::20 >> ??? port = 4813 >> ??? ssl = yes >> ? } >> ? user = root >> } >> service imap { >> ? executable = imap postlogin >> } >> service lmtp { >> ? inet_listener lmtp { >> ??? address = ::1 >> ??? port = 24 >> ? } >> ? unix_listener /var/spool/postfix/private/dovecot-lmtp { >> ??? group = postfix >> ??? mode = 0660 >> ??? user = postfix >> ? } >> } >> service postlogin { >> ? executable = script-login -d rawlog >> } >> service replicator { >> ? process_min_avail = 1 >> ? unix_listener replicator-doveadm { >> ??? mode = 0666 >> ? } >> } >> service stats { >> ? fifo_listener stats-mail { >> ??? mode = 0666 >> ? } >> } >> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt >> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt >> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5 >> ssl_client_ca_dir = /etc/ssl/certs >> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt >> ssl_dh =? # hidden, use -P to show it >> ssl_key =? # hidden, use -P to show it >> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 >> userdb { >> ? driver = passwd >> } >> protocol lmtp { >> ? mail_plugins = stats notify replication fts fts_lucene sieve >> ? ssl_dh =? # hidden, use -P to show it >> } >> protocol !indexer-worker { >> ? ssl_dh =? # hidden, use -P to show it >> } >> protocol lda { >> ? mail_plugins = stats notify replication fts fts_lucene sieve >> ? ssl_dh =? # hidden, use -P to show it >> } >> protocol imap { >> ? mail_plugins = stats notify replication fts fts_lucene imap_stats >> ? ssl_dh =? # hidden, use -P to show it >> } >> protocol sieve { >> ? ssl_dh =? # hidden, use -P to show it >> } >> protocol pop3 { >> ? ssl_dh =? # hidden, use -P to show it >> } >> >> And showing with -P as an example: >> >> protocol pop3 { >> ? ssl_dh = -----BEGIN DH PARAMETERS----- >> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s >> ... >> AAAAAAAAAAAAAAAAAAAAAAAAAAA>> -----END DH PARAMETERS----- >> >> There is a single set of valid DH parameters for every protocol as >> listed above. >> >> It seems odd that ssl_dh is defined all of these protocols >> specifically too.? This specific per-protocol definition of ssl_dh >> isn't specified in any config file. >> >> Reuben > Can you try with doveconf -nP? and ensure all those ssl_dh lines are of > form ssl_dh =</file? > > AkiThat's the thing.? Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files. There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file.? See here: lightning dovecot # grep ssl_dh * grep: conf.d: Is a directory lightning dovecot # grep ssl_dh */* conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset. conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem lightning dovecot # The rest of them must be being inherited from that statement above. But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf? output.? Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too. To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled.? Something buggy with backwards compatibility perhaps? [Also tested with latest 2.3 -git as of today - same result] Reuben
Maybe Matching Threads
- dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
- dovecot-2.3 (-git) Warning and Fatal Compile Error
- dovecot-2.3 (-git) Warning and Fatal Compile Error
- dovecot-2.3 (-git) Warning and Fatal Compile Error
- dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)