Moritz Fago
2016-Oct-27 19:55 UTC
Bugreport: managesieve-login won't start without a ssl-key
Hello,
If you don't have a ssl_key and ssl_cert configured in your dovecot config
managesieve-login will fail to start with the following error message: dovecot:
managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM
routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you
haven't enabled ssl for managesieve-login.
Infos according to http://www.dovecot.org/bugreport.html:
Filesystem: ext4
doveconf -n:
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
auth_default_realm = toppoint.de
auth_mechanisms = plain login
auth_username_format = %Ln
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
}
passdb {
  args = dovecot
  driver = pam
}
plugin {
  sieve = ~/.sieve/dovecot.sieve
  sieve_dir = ~/.sieve
}
protocols = " imap lmtp sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/imap.toppoint.de.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv3 !SSLv2
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = sieve
}
protocol imap {
  ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
  ssl_key = </etc/ssl/private/imap.toppoint.de.pem
}
protocol pop3 {
  ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt
  ssl_key = </etc/ssl/private/pop3.toppoint.de.pem
}
P.S. I used doveconf -n to generate the config output, the website says you
should use dovecot -n, is this an error or intentional?
Stephan Bosch
2016-Oct-28 07:18 UTC
Bugreport: managesieve-login won't start without a ssl-key
On 10/27/2016 at 9:55 PM, Moritz Fago wrote:
> Hello,
>
> If you don't have a ssl_key and ssl_cert configured in your dovecot config managesieve-login will fail to start with the following error message: dovecot: managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you haven't enabled ssl for managesieve-login.

I must say I don't really know what that error means. I see a few things though:

> Infos according to http://www.dovecot.org/bugreport.html:
>
> Filesystem: ext4
> doveconf -n:
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
> auth_default_realm = toppoint.de
> auth_mechanisms = plain login
> auth_username_format = %Ln
> mail_location = maildir:~/Maildir
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> namespace inbox {
>   inbox = yes
>   location
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix
> }
> passdb {
>   args = dovecot
>   driver = pam
> }
> plugin {
>   sieve = ~/.sieve/dovecot.sieve
>   sieve_dir = ~/.sieve
> }
> protocols = " imap lmtp sieve pop3"
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>     ssl = yes
>   }

This means that you're making a 'sieves' protocol, i.e. ManageSieve with TLS from the start. It doesn't exist by the standard. ManageSieve only uses the STARTTLS command. Leave out the ssl=yes here.

> }
> ssl = required
> ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
> ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/ssl/private/imap.toppoint.de.pem
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv3 !SSLv2
> userdb {
>   driver = passwd
> }
> protocol lmtp {
>   mail_plugins = sieve
> }
> protocol imap {
>   ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
>   ssl_key = </etc/ssl/private/imap.toppoint.de.pem
> }
> protocol pop3 {
>   ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt
>   ssl_key = </etc/ssl/private/pop3.toppoint.de.pem
> }

I see you have these set for imap and pop3, but not for "protocol sieve". Is that intentional?

Regards,

Stephan.
Aki Tuomi
2016-Oct-28 07:28 UTC
Bugreport: managesieve-login won't start without a ssl-key
On 28.10.2016 10:18, Stephan Bosch wrote:
> On 10/27/2016 at 9:55 PM, Moritz Fago wrote:
>> Hello,
>>
>> If you don't have a ssl_key and ssl_cert configured in your dovecot config managesieve-login will fail to start with the following error message: dovecot: managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you haven't enabled ssl for managesieve-login.
> I must say I don't really know what that error means. I see a few things
> though:
>
>> Infos according to http://www.dovecot.org/bugreport.html:
>>
>> Filesystem: ext4
>> doveconf -n:
>> # 2.2.13: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>> auth_default_realm = toppoint.de
>> auth_mechanisms = plain login
>> auth_username_format = %Ln
>> mail_location = maildir:~/Maildir
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
>> namespace inbox {
>>   inbox = yes
>>   location
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix
>> }
>> passdb {
>>   args = dovecot
>>   driver = pam
>> }
>> plugin {
>>   sieve = ~/.sieve/dovecot.sieve
>>   sieve_dir = ~/.sieve
>> }
>> protocols = " imap lmtp sieve pop3"
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service lmtp {
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = postfix
>>     mode = 0600
>>     user = postfix
>>   }
>> }
>> service managesieve-login {
>>   inet_listener sieve {
>>     port = 4190
>>     ssl = yes
>>   }
> This means that you're making a 'sieves' protocol, i.e. ManageSieve with
> TLS from the start. It doesn't exist by the standard. ManageSieve only
> uses the STARTTLS command. Leave out the ssl=yes here.
>
>> }
>> ssl = required
>> ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
>> ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
>> ssl_dh_parameters_length = 2048
>> ssl_key = </etc/ssl/private/imap.toppoint.de.pem
>> ssl_prefer_server_ciphers = yes
>> ssl_protocols = !SSLv3 !SSLv2
>> userdb {
>>   driver = passwd
>> }
>> protocol lmtp {
>>   mail_plugins = sieve
>> }
>> protocol imap {
>>   ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
>>   ssl_key = </etc/ssl/private/imap.toppoint.de.pem
>> }
>> protocol pop3 {
>>   ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt
>>   ssl_key = </etc/ssl/private/pop3.toppoint.de.pem
>> }
> I see you have these set for imap and pop3, but not for "protocol
> sieve". Is that intentional?
>
> Regards,
>
> Stephan.

I can also see that imap.toppoint.de.crt is specified in main config body and inside imap protocol as well.

Aki
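The two observations in Stephan's reply (an inet_listener under managesieve-login carrying ssl = yes, and per-protocol certificates that exist for imap and pop3 but not for sieve) can be checked mechanically against doveconf -n output. The following is an added example, not part of the thread and not Dovecot code; parse and review are hypothetical helper names, and the sample is a constructed excerpt of the configuration posted above.

```python
# Constructed sample, trimmed from the doveconf -n output posted in the thread.
SAMPLE = """\
protocols = " imap lmtp sieve pop3"
service managesieve-login {
  inet_listener sieve {
    port = 4190
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
protocol imap {
  ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
}
protocol pop3 {
  ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt
}
"""

def parse(text):
    """Map (enclosing block path, key) -> value for each 'key = value' line."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())      # e.g. "inet_listener sieve"
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[(tuple(path), key.strip())] = value.strip()
    return settings

def review(text):
    """Return notes for the two points raised in the replies (hypothetical helper)."""
    cfg, notes = parse(text), []
    for (path, key), value in cfg.items():
        # ssl = yes on the listener itself means TLS from the start, not STARTTLS.
        if (key, value) == ("ssl", "yes") and len(path) == 2 \
                and path[0] == "service managesieve-login" \
                and path[1].startswith("inet_listener"):
            notes.append("implicit-tls-listener port=" + cfg.get((path, "port"), "?"))
    protocols = cfg.get(((), "protocols"), "").strip('"').split()
    own_cert = {p[0].split()[1] for (p, k) in cfg
                if k == "ssl_cert" and len(p) == 1 and p[0].startswith("protocol ")}
    if "sieve" in protocols and own_cert and "sieve" not in own_cert:
        notes.append("sieve-uses-global-cert")
    return notes
```

Calling review() on the full doveconf -n output works the same way; lines without an "=" (such as the bare location and prefix entries) are skipped.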