Moritz Fago
2016-Oct-27 19:55 UTC
Bugreport: managesieve-login won't start without a ssl-key
Hello, If you don?t have a ssl_key and ssl_cert configured in your dovecot config managesieve-login will fail to start with the following error message: dovecot: managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you haven?t enabled ssl for managesieve-login. Infos according to http://www.dovecot.org/bugreport.html: Filesystem: ext4 doveconf -n: # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 auth_default_realm = toppoint.de auth_mechanisms = plain login auth_username_format = %Ln mail_location = maildir:~/Maildir managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix } passdb { args = dovecot driver = pam } plugin { sieve = ~/.sieve/dovecot.sieve sieve_dir = ~/.sieve } protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } } ssl = required ssl_cert = </etc/ssl/private/imap.toppoint.de.crt ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/imap.toppoint.de.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv3 !SSLv2 userdb { driver = passwd } protocol lmtp { mail_plugins = sieve } protocol imap { ssl_cert = </etc/ssl/private/imap.toppoint.de.crt ssl_key = </etc/ssl/private/imap.toppoint.de.pem } protocol pop3 { ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt ssl_key = </etc/ssl/private/pop3.toppoint.de.pem } P.S I used doveconf -n to generate the config output, the website says you should use dovecot -n, is this an error or intentional?
Stephan Bosch
2016-Oct-28 07:18 UTC
Bugreport: managesieve-login won't start without a ssl-key
Op 10/27/2016 om 9:55 PM schreef Moritz Fago:> Hello, > > If you don?t have a ssl_key and ssl_cert configured in your dovecot config managesieve-login will fail to start with the following error message: dovecot: managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you haven?t enabled ssl for managesieve-login.I must say I don't really know what that error means. I see a few things though:> Infos according to http://www.dovecot.org/bugreport.html: > > Filesystem: ext4 > doveconf -n: > # 2.2.13: /etc/dovecot/dovecot.conf > # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 > auth_default_realm = toppoint.de > auth_mechanisms = plain login > auth_username_format = %Ln > mail_location = maildir:~/Maildir > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave > namespace inbox { > inbox = yes > location > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix > } > passdb { > args = dovecot > driver = pam > } > plugin { > sieve = ~/.sieve/dovecot.sieve > sieve_dir = ~/.sieve > } > protocols = " imap lmtp sieve pop3" > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > } > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0600 > user = postfix > } > } > service managesieve-login { > inet_listener sieve { > port = 4190 > ssl = yes > }This means that you're making a 'sieves' protocol, i.e. ManageSieve with TLS from the start. It doesn't exist by the standard. ManageSieve only uses the STARTTLS command. Leave out the ssl=yes here.> } > ssl = required > ssl_cert = </etc/ssl/private/imap.toppoint.de.crt > ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES > ssl_dh_parameters_length = 2048 > ssl_key = </etc/ssl/private/imap.toppoint.de.pem > ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv3 !SSLv2 > userdb { > driver = passwd > } > protocol lmtp { > mail_plugins = sieve > } > protocol imap { > ssl_cert = </etc/ssl/private/imap.toppoint.de.crt > ssl_key = </etc/ssl/private/imap.toppoint.de.pem > } > protocol pop3 { > ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt > ssl_key = </etc/ssl/private/pop3.toppoint.de.pem > }I see you have these set for imap and pop3, but not for "protocol sieve". Is that intentional? Regards, Stephan.
Aki Tuomi
2016-Oct-28 07:28 UTC
Bugreport: managesieve-login won't start without a ssl-key
On 28.10.2016 10:18, Stephan Bosch wrote:> Op 10/27/2016 om 9:55 PM schreef Moritz Fago: >> Hello, >> >> If you don?t have a ssl_key and ssl_cert configured in your dovecot config managesieve-login will fail to start with the following error message: dovecot: managesieve-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY, even if you haven?t enabled ssl for managesieve-login. > I must say I don't really know what that error means. I see a few things > though: > >> Infos according to http://www.dovecot.org/bugreport.html: >> >> Filesystem: ext4 >> doveconf -n: >> # 2.2.13: /etc/dovecot/dovecot.conf >> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 >> auth_default_realm = toppoint.de >> auth_mechanisms = plain login >> auth_username_format = %Ln >> mail_location = maildir:~/Maildir >> managesieve_notify_capability = mailto >> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave >> namespace inbox { >> inbox = yes >> location >> mailbox Drafts { >> special_use = \Drafts >> } >> mailbox Junk { >> special_use = \Junk >> } >> mailbox Sent { >> special_use = \Sent >> } >> mailbox "Sent Messages" { >> special_use = \Sent >> } >> mailbox Trash { >> special_use = \Trash >> } >> prefix >> } >> passdb { >> args = dovecot >> driver = pam >> } >> plugin { >> sieve = ~/.sieve/dovecot.sieve >> sieve_dir = ~/.sieve >> } >> protocols = " imap lmtp sieve pop3" >> service auth { >> unix_listener /var/spool/postfix/private/auth { >> group = postfix >> mode = 0660 >> user = postfix >> } >> } >> service lmtp { >> unix_listener /var/spool/postfix/private/dovecot-lmtp { >> group = postfix >> mode = 0600 >> user = postfix >> } >> } >> service managesieve-login { >> inet_listener sieve { >> port = 4190 >> ssl = yes >> } > This means that you're making a 'sieves' protocol, i.e. ManageSieve with > TLS from the start. It doesn't exist by the standard. ManageSieve only > uses the STARTTLS command. Leave out the ssl=yes here. > >> } >> ssl = required >> ssl_cert = </etc/ssl/private/imap.toppoint.de.crt >> ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES >> ssl_dh_parameters_length = 2048 >> ssl_key = </etc/ssl/private/imap.toppoint.de.pem >> ssl_prefer_server_ciphers = yes >> ssl_protocols = !SSLv3 !SSLv2 >> userdb { >> driver = passwd >> } >> protocol lmtp { >> mail_plugins = sieve >> } >> protocol imap { >> ssl_cert = </etc/ssl/private/imap.toppoint.de.crt >> ssl_key = </etc/ssl/private/imap.toppoint.de.pem >> } >> protocol pop3 { >> ssl_cert = </etc/ssl/private/pop3.toppoint.de.crt >> ssl_key = </etc/ssl/private/pop3.toppoint.de.pem >> } > I see you have these set for imap and pop3, but not for "protocol > sieve". Is that intentional? > > Regards, > > Stephan.I can also see that imap.toppoint.de.crt is specified in main config body and inside imap protocol as well. Aki
Possibly Parallel Threads
- Bugreport: managesieve-login won't start without a ssl-key
- openssl question
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
- [Bug 451] New: new config-Option: IPv4or6
- openssl question