dovecot - Oct 2020 - BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."

hi,

On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
> I had the same problem when migrating from Dovecot V2.2.36 on, Centos-7
to?Dovecot v2.3.8 on Centos-8
My report is specifically/solely about the addition/use of the 

	Options = ServerPreference

parameter.

I don't see that in your configuration.

Are you using it? In a config using Dovecot's submission proxy?

Hi,

In my Centos-8 server, it was not necessary using  "Options
ServerPreference" parameter.

My openssl.conf look like that :

openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
*.include /etc/crypto-policies/back-ends/opensslcnf.config*

And /etc/crypto-policies/back-ends/opensslcnf.config :
CipherString
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = *TLSv1.1*
MaxProtocol = TLSv1.3

Regards

Le jeu. 1 oct. 2020 ? 17:29, PGNet Dev <pgnet.dev at gmail.com> a ?crit :
> hi,
>
> On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
> > I had the same problem when migrating from Dovecot V2.2.36 on,
Centos-7
> to Dovecot v2.3.8 on Centos-8
>
> My report is specifically/solely about the addition/use of the
>
>         Options = ServerPreference
>
> parameter.
>
> I don't see that in your configuration.
>
> Are you using it? In a config using Dovecot's submission proxy?
>

-- 
--  Jean-Paul Chapalain - Arkea - DEXT/IAAS
--  1 rue Louis Lichou - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  +33298002873 (int:302873)
--  Pgpkey=9f7a25a76f7e036a2c07fcb16eccd41c015d5fca

-- 
*Ce?message?et toutes les pi?ces jointes (ci-apr?s le "message") sont?
confidentiels?et ?tablis ? l'intention exclusive de ses destinataires. 
Toute utilisation ou diffusion non autoris?e?est?interdite. Tout?message?
?tant susceptible d'alt?ration, l'?metteur d?cline toute responsabilit?
au
titre de?ce?message?s'il a ?t? alt?r?, d?form? ou falsifi?.?**__*This?
message?and any attachments (the "message") are confidential and
intended
solely for the addressees. Any unauthorised use or dissemination is 
prohibited. As e-mails are susceptible to alteration, the issuer shall not 
be liable for the?message?if altered, changed or falsified.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201001/e0dabbef/attachment-0001.html>

Hi,

In my case, it's value for MinProtocol that was wrong : must by TLSv1.1

Regards


Regards

Le jeu. 1 oct. 2020 ? 17:52, JEAN-PAUL CHAPALAIN <
jean-paul.chapalain at arkea.com> a ?crit :
> Hi,
>
> In my Centos-8 server, it was not necessary using  "Options >
ServerPreference" parameter.
>
> My openssl.conf look like that :
>
> openssl_conf = default_modules
> [ default_modules ]
> ssl_conf = ssl_module
> [ ssl_module ]
> system_default = crypto_policy
> [ crypto_policy ]
> *.include /etc/crypto-policies/back-ends/opensslcnf.config*
>
> And /etc/crypto-policies/back-ends/opensslcnf.config :
> CipherString >
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
> Ciphersuites >
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
> MinProtocol = *TLSv1.1*
> MaxProtocol = TLSv1.3
>
> Regards
>
> Le jeu. 1 oct. 2020 ? 17:29, PGNet Dev <pgnet.dev at gmail.com> a
?crit :
>
>> hi,
>>
>> On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
>> > I had the same problem when migrating from Dovecot V2.2.36 on,
Centos-7
>> to Dovecot v2.3.8 on Centos-8
>>
>> My report is specifically/solely about the addition/use of the
>>
>>         Options = ServerPreference
>>
>> parameter.
>>
>> I don't see that in your configuration.
>>
>> Are you using it? In a config using Dovecot's submission proxy?
>>
>
>
> --
> --  Jean-Paul Chapalain - Arkea - DEXT/IAAS
> --  1 rue Louis Lichou - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
> --  +33298002873 (int:302873)
> --  Pgpkey=9f7a25a76f7e036a2c07fcb16eccd41c015d5fca
>

-- 
--  Jean-Paul Chapalain - Arkea - DEXT/IAAS
--  1 rue Louis Lichou - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  +33298002873 (int:302873)
--  Pgpkey=9f7a25a76f7e036a2c07fcb16eccd41c015d5fca

-- 
*Ce?message?et toutes les pi?ces jointes (ci-apr?s le "message") sont?
confidentiels?et ?tablis ? l'intention exclusive de ses destinataires. 
Toute utilisation ou diffusion non autoris?e?est?interdite. Tout?message?
?tant susceptible d'alt?ration, l'?metteur d?cline toute responsabilit?
au
titre de?ce?message?s'il a ?t? alt?r?, d?form? ou falsifi?.?**__*This?
message?and any attachments (the "message") are confidential and
intended
solely for the addressees. Any unauthorised use or dissemination is 
prohibited. As e-mails are susceptible to alteration, the issuer shall not 
be liable for the?message?if altered, changed or falsified.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201001/11f113bd/attachment.html>

On 10/1/20 8:52 AM, JEAN-PAUL CHAPALAIN wrote:
> In my Centos-8 server, it was not necessary using? "Options =
ServerPreference" parameter.
sry, then i'm unclear re: the point you're trying to make.

this issue is ONLY about the problem re: THAT parameter's use, not re:
general SSL error messages/causes.