dovecot - Nov 2017 - dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Hi,

On 30/10/2017 7:22 PM, dovecot-request at dovecot.org
wrote:
> Message: 6
> Date: Mon, 30 Oct 2017 10:22:42 +0200
> From: Teemu Huovila <teemu.huovila at dovecot.fi>
> To: dovecot at dovecot.org
> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
> Content-Type: text/plain; charset=utf-8
> 
> 
> 
> On 30.10.2017 09:10, Aki Tuomi wrote:
>>
>>
>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>> Hi Aki,
>>>
>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>
>>>>>
>>>>> Hi again,
>>>>>
>>>>> Chasing down one last problem which seems to have been
missed from my
>>>>> last email:
>>>>>
>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>
>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
<reuben-dovecot at reub.net>
>>>>>>>> wrote:
>>>>> This problem below is still present in 2.3 -git, as of
version
>>>>> 2.3.devel
>>>>> (6fc40674e)
>>>>>
>>>>>>>> Secondly, this ssl_dh messages is always
printed from doveconf:
>>>>>>>>
>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1
skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> Yet the file is there:
>>>>>>>>
>>>>>>>> thunderstorm conf.d # ls -la
/etc/dovecot/dh.pem
>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55
/etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> And the config is there as well:
>>>>>>>>
>>>>>>>> thunderstorm dovecot # doveconf -P | grep
ssl_dh
>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1
skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> thunderstorm dovecot #
>>>>>>>>
>>>>>>>> It appears that this warning is being triggered
by the presence of
>>>>>>>> the ssl-parameters.dat file because when I
remove it the warning
>>>>>>>> goes away. Perhaps the warning could be made a
bit more specific
>>>>>>>> about this file being removed if it is not
required because at the
>>>>>>>> moment the warning message is not related to
the trigger.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Reuben
>>>>> Thanks,
>>>>> Reuben
>>>> It is triggered when there is ssl-parameters.dat file *AND*
there is
>>>> no ssl_dh=< explicitly set in config file.
>>>>
>>>> Aki
>>>
>>> I have this already in my 10-ssl.conf file:
>>>
>>> lightning dovecot # /etc/init.d/dovecot reload
>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>> ?* Reloading dovecot configs and restarting auth/login processes
>>> ...????? [ ok ]
>>> lightning dovecot #
>>>
>>> However:
>>>
>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>> # gives on startup when ssl_dh is unset.
>>> ssl_dh=</etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> and the file is there:
>>>
>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> So it is actually configured and yet the warning still is present.
>>>
>>> Reuben
>>
>> Hi!
>>
>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>> are still missing ssl_dh somewhere?
>>
>> Aki
>>
> Hello
> 
> Just a guess, but at this point I would recommend reviewing the output of
"doveconf -n" to make sure the appropriate settings are present.
> 
> br,
> Teemu
I still can't see anything amiss.  Here's the output from doveconf -n:

# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password =  # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
   inbox = yes
   location    mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix }
passdb {
   args = failure_show_msg=yes %s
   driver = pam
}
plugin {
   fts = lucene
   fts_autoindex = yes
   fts_languages = en
   fts_lucene = whitespace_chars=@.
   mail_replica = tcps:inside-mail.reub.net:4813
   replication_full_sync_interval = 4 hours
   sieve = file:~/sieve;active=~/.dovecot.sieve
   stats_refresh = 30 secs
   stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
   fifo_listener replication-notify-fifo {
     mode = 0666
     user = root
   }
   unix_listener replication-notify {
     mode = 0666
     user = root
   }
}
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   unix_listener auth-userdb {
     mode = 0777
   }
}
service doveadm {
   inet_listener {
     address = 2400:8901:e001:3a::20
     port = 4813
     ssl = yes
   }
   user = root
}
service imap {
   executable = imap postlogin
}
service lmtp {
   inet_listener lmtp {
     address = ::1
     port = 24
   }
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0660
     user = postfix
   }
}
service postlogin {
   executable = script-login -d rawlog
}
service replicator {
   process_min_avail = 1
   unix_listener replicator-doveadm {
     mode = 0666
   }
}
service stats {
   fifo_listener stats-mail {
     mode = 0666
   }
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
   driver = passwd
}
protocol lmtp {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol !indexer-worker {
   ssl_dh =  # hidden, use -P to show it
}
protocol lda {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol imap {
   mail_plugins = stats notify replication fts fts_lucene imap_stats
   ssl_dh =  # hidden, use -P to show it
}
protocol sieve {
   ssl_dh =  # hidden, use -P to show it
}
protocol pop3 {
   ssl_dh =  # hidden, use -P to show it
}

And showing with -P as an example:

protocol pop3 {
   ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA-----END DH PARAMETERS-----

There is a single set of valid DH parameters for every protocol as 
listed above.

It seems odd that ssl_dh is defined all of these protocols specifically 
too.  This specific per-protocol definition of ssl_dh isn't specified in 
any config file.

Reuben

On 31.10.2017 15:00, Reuben Farrelly wrote:
> Hi,
>
> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
>> Message: 6
>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>> From: Teemu Huovila <teemu.huovila at dovecot.fi>
>> To: dovecot at dovecot.org
>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
>> Content-Type: text/plain; charset=utf-8
>>
>>
>>
>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>>
>>>
>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>> Hi Aki,
>>>>
>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>
>>>>>>
>>>>>> Hi again,
>>>>>>
>>>>>> Chasing down one last problem which seems to have been
missed
>>>>>> from my
>>>>>> last email:
>>>>>>
>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>>
>>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>>>>>>>> <reuben-dovecot at reub.net>
>>>>>>>>> wrote:
>>>>>> This problem below is still present in 2.3 -git, as of
version
>>>>>> 2.3.devel
>>>>>> (6fc40674e)
>>>>>>
>>>>>>>>> Secondly, this ssl_dh messages is always
printed from doveconf:
>>>>>>>>>
>>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it
with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1
skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> Yet the file is there:
>>>>>>>>>
>>>>>>>>> thunderstorm conf.d # ls -la
/etc/dovecot/dh.pem
>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55
/etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> And the config is there as well:
>>>>>>>>>
>>>>>>>>> thunderstorm dovecot # doveconf -P | grep
ssl_dh
>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it
with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1
skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> ?? ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>
>>>>>>>>> It appears that this warning is being
triggered by the
>>>>>>>>> presence of
>>>>>>>>> the ssl-parameters.dat file because when I
remove it the warning
>>>>>>>>> goes away. Perhaps the warning could be
made a bit more specific
>>>>>>>>> about this file being removed if it is not
required because at
>>>>>>>>> the
>>>>>>>>> moment the warning message is not related
to the trigger.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Reuben
>>>>>> Thanks,
>>>>>> Reuben
>>>>> It is triggered when there is ssl-parameters.dat file *AND*
there is
>>>>> no ssl_dh=< explicitly set in config file.
>>>>>
>>>>> Aki
>>>>
>>>> I have this already in my 10-ssl.conf file:
>>>>
>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>> doveconf: Warning: You can generate it with: dd
>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl
dh
>>>> -inform der > /etc/dovecot/dh.pem
>>>> ?* Reloading dovecot configs and restarting auth/login
processes
>>>> ...????? [ ok ]
>>>> lightning dovecot #
>>>>
>>>> However:
>>>>
>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>> # gives on startup when ssl_dh is unset.
>>>> ssl_dh=</etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> and the file is there:
>>>>
>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> So it is actually configured and yet the warning still is
present.
>>>>
>>>> Reuben
>>>
>>> Hi!
>>>
>>> I gave this a try, and I was not able to repeat this issue. Perhaps
you
>>> are still missing ssl_dh somewhere?
>>>
>>> Aki
>>>
>> Hello
>>
>> Just a guess, but at this point I would recommend reviewing the
>> output of "doveconf -n" to make sure the appropriate settings
are
>> present.
>>
>> br,
>> Teemu
>
> I still can't see anything amiss.? Here's the output from doveconf
-n:
>
> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.devel (f4659224)
> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release
> 2.4.1
> auth_mechanisms = plain login
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_username_format = %Ln
> doveadm_password =? # hidden, use -P to show it
> first_valid_uid = 1000
> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
> last_valid_uid = 1100
> login_log_format_elements = user=<%u> auth-method=%m remote=%r
> local=%l %k
> login_trusted_networks = 192.168.0.0/16
> mail_location = maildir:~/Maildir
> mail_plugins = stats notify replication fts fts_lucene
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace inbox {
> ? inbox = yes
> ? location > ? mailbox Drafts {
> ??? special_use = \Drafts
> ? }
> ? mailbox Junk {
> ??? special_use = \Junk
> ? }
> ? mailbox Sent {
> ??? special_use = \Sent
> ? }
> ? mailbox "Sent Messages" {
> ??? special_use = \Sent
> ? }
> ? mailbox Trash {
> ??? special_use = \Trash
> ? }
> ? prefix > }
> passdb {
> ? args = failure_show_msg=yes %s
> ? driver = pam
> }
> plugin {
> ? fts = lucene
> ? fts_autoindex = yes
> ? fts_languages = en
> ? fts_lucene = whitespace_chars=@.
> ? mail_replica = tcps:inside-mail.reub.net:4813
> ? replication_full_sync_interval = 4 hours
> ? sieve = file:~/sieve;active=~/.dovecot.sieve
> ? stats_refresh = 30 secs
> ? stats_track_cmds = yes
> }
> protocols = imap lmtp sieve
> recipient_delimiter = -
> service aggregator {
> ? fifo_listener replication-notify-fifo {
> ??? mode = 0666
> ??? user = root
> ? }
> ? unix_listener replication-notify {
> ??? mode = 0666
> ??? user = root
> ? }
> }
> service auth {
> ? unix_listener /var/spool/postfix/private/auth {
> ??? group = postfix
> ??? mode = 0666
> ??? user = postfix
> ? }
> ? unix_listener auth-userdb {
> ??? mode = 0777
> ? }
> }
> service doveadm {
> ? inet_listener {
> ??? address = 2400:8901:e001:3a::20
> ??? port = 4813
> ??? ssl = yes
> ? }
> ? user = root
> }
> service imap {
> ? executable = imap postlogin
> }
> service lmtp {
> ? inet_listener lmtp {
> ??? address = ::1
> ??? port = 24
> ? }
> ? unix_listener /var/spool/postfix/private/dovecot-lmtp {
> ??? group = postfix
> ??? mode = 0660
> ??? user = postfix
> ? }
> }
> service postlogin {
> ? executable = script-login -d rawlog
> }
> service replicator {
> ? process_min_avail = 1
> ? unix_listener replicator-doveadm {
> ??? mode = 0666
> ? }
> }
> service stats {
> ? fifo_listener stats-mail {
> ??? mode = 0666
> ? }
> }
> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_dh =? # hidden, use -P to show it
> ssl_key =? # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> userdb {
> ? driver = passwd
> }
> protocol lmtp {
> ? mail_plugins = stats notify replication fts fts_lucene sieve
> ? ssl_dh =? # hidden, use -P to show it
> }
> protocol !indexer-worker {
> ? ssl_dh =? # hidden, use -P to show it
> }
> protocol lda {
> ? mail_plugins = stats notify replication fts fts_lucene sieve
> ? ssl_dh =? # hidden, use -P to show it
> }
> protocol imap {
> ? mail_plugins = stats notify replication fts fts_lucene imap_stats
> ? ssl_dh =? # hidden, use -P to show it
> }
> protocol sieve {
> ? ssl_dh =? # hidden, use -P to show it
> }
> protocol pop3 {
> ? ssl_dh =? # hidden, use -P to show it
> }
>
> And showing with -P as an example:
>
> protocol pop3 {
> ? ssl_dh = -----BEGIN DH PARAMETERS-----
> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
> ...
> AAAAAAAAAAAAAAAAAAAAAAAAAAA> -----END DH PARAMETERS-----
>
> There is a single set of valid DH parameters for every protocol as
> listed above.
>
> It seems odd that ssl_dh is defined all of these protocols
> specifically too.? This specific per-protocol definition of ssl_dh
> isn't specified in any config file.
>
> Reuben
Can you try with doveconf -nP? and ensure all those ssl_dh lines are of
form ssl_dh =</file?

Aki

Hi again,


On 1/11/2017 12:01 AM, Aki Tuomi wrote:
>
> On 31.10.2017 15:00, Reuben Farrelly wrote:
>> Hi,
>>
>> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
>>> Message: 6
>>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>>> From: Teemu Huovila <teemu.huovila at dovecot.fi>
>>> To: dovecot at dovecot.org
>>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at
dovecot.fi>
>>> Content-Type: text/plain; charset=utf-8
>>>
>>>
>>>
>>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>>>
>>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>>> Hi Aki,
>>>>>
>>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi again,
>>>>>>>
>>>>>>> Chasing down one last problem which seems to have
been missed
>>>>>>> from my
>>>>>>> last email:
>>>>>>>
>>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen
wrote:
>>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben
Farrelly
>>>>>>>>>> <reuben-dovecot at reub.net>
>>>>>>>>>> wrote:
>>>>>>> This problem below is still present in 2.3 -git, as
of version
>>>>>>> 2.3.devel
>>>>>>> (6fc40674e)
>>>>>>>
>>>>>>>>>> Secondly, this ssl_dh messages is
always printed from doveconf:
>>>>>>>>>>
>>>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it
with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat
bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> Yet the file is there:
>>>>>>>>>>
>>>>>>>>>> thunderstorm conf.d # ls -la
/etc/dovecot/dh.pem
>>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55
/etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> And the config is there as well:
>>>>>>>>>>
>>>>>>>>>> thunderstorm dovecot # doveconf -P |
grep ssl_dh
>>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it
with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat
bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> ?? ssl_dh = -----BEGIN DH
PARAMETERS-----
>>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>>
>>>>>>>>>> It appears that this warning is being
triggered by the
>>>>>>>>>> presence of
>>>>>>>>>> the ssl-parameters.dat file because
when I remove it the warning
>>>>>>>>>> goes away. Perhaps the warning could be
made a bit more specific
>>>>>>>>>> about this file being removed if it is
not required because at
>>>>>>>>>> the
>>>>>>>>>> moment the warning message is not
related to the trigger.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Reuben
>>>>>>> Thanks,
>>>>>>> Reuben
>>>>>> It is triggered when there is ssl-parameters.dat file
*AND* there is
>>>>>> no ssl_dh=< explicitly set in config file.
>>>>>>
>>>>>> Aki
>>>>> I have this already in my 10-ssl.conf file:
>>>>>
>>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>>> doveconf: Warning: please set
ssl_dh=</etc/dovecot/dh.pem
>>>>> doveconf: Warning: You can generate it with: dd
>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 |
openssl dh
>>>>> -inform der > /etc/dovecot/dh.pem
>>>>> ?* Reloading dovecot configs and restarting auth/login
processes
>>>>> ...????? [ ok ]
>>>>> lightning dovecot #
>>>>>
>>>>> However:
>>>>>
>>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>>> # gives on startup when ssl_dh is unset.
>>>>> ssl_dh=</etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> and the file is there:
>>>>>
>>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> So it is actually configured and yet the warning still is
present.
>>>>>
>>>>> Reuben
>>>> Hi!
>>>>
>>>> I gave this a try, and I was not able to repeat this issue.
Perhaps you
>>>> are still missing ssl_dh somewhere?
>>>>
>>>> Aki
>>>>
>>> Hello
>>>
>>> Just a guess, but at this point I would recommend reviewing the
>>> output of "doveconf -n" to make sure the appropriate
settings are
>>> present.
>>>
>>> br,
>>> Teemu
>> I still can't see anything amiss.? Here's the output from
doveconf -n:
>>
>> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.devel (f4659224)
>> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release
>> 2.4.1
>> auth_mechanisms = plain login
>> auth_socket_path = /var/run/dovecot/auth-userdb
>> auth_username_format = %Ln
>> doveadm_password =? # hidden, use -P to show it
>> first_valid_uid = 1000
>> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
>> last_valid_uid = 1100
>> login_log_format_elements = user=<%u> auth-method=%m remote=%r
>> local=%l %k
>> login_trusted_networks = 192.168.0.0/16
>> mail_location = maildir:~/Maildir
>> mail_plugins = stats notify replication fts fts_lucene
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext
>> namespace inbox {
>>  ? inbox = yes
>>  ? location >>  ? mailbox Drafts {
>>  ??? special_use = \Drafts
>>  ? }
>>  ? mailbox Junk {
>>  ??? special_use = \Junk
>>  ? }
>>  ? mailbox Sent {
>>  ??? special_use = \Sent
>>  ? }
>>  ? mailbox "Sent Messages" {
>>  ??? special_use = \Sent
>>  ? }
>>  ? mailbox Trash {
>>  ??? special_use = \Trash
>>  ? }
>>  ? prefix >> }
>> passdb {
>>  ? args = failure_show_msg=yes %s
>>  ? driver = pam
>> }
>> plugin {
>>  ? fts = lucene
>>  ? fts_autoindex = yes
>>  ? fts_languages = en
>>  ? fts_lucene = whitespace_chars=@.
>>  ? mail_replica = tcps:inside-mail.reub.net:4813
>>  ? replication_full_sync_interval = 4 hours
>>  ? sieve = file:~/sieve;active=~/.dovecot.sieve
>>  ? stats_refresh = 30 secs
>>  ? stats_track_cmds = yes
>> }
>> protocols = imap lmtp sieve
>> recipient_delimiter = -
>> service aggregator {
>>  ? fifo_listener replication-notify-fifo {
>>  ??? mode = 0666
>>  ??? user = root
>>  ? }
>>  ? unix_listener replication-notify {
>>  ??? mode = 0666
>>  ??? user = root
>>  ? }
>> }
>> service auth {
>>  ? unix_listener /var/spool/postfix/private/auth {
>>  ??? group = postfix
>>  ??? mode = 0666
>>  ??? user = postfix
>>  ? }
>>  ? unix_listener auth-userdb {
>>  ??? mode = 0777
>>  ? }
>> }
>> service doveadm {
>>  ? inet_listener {
>>  ??? address = 2400:8901:e001:3a::20
>>  ??? port = 4813
>>  ??? ssl = yes
>>  ? }
>>  ? user = root
>> }
>> service imap {
>>  ? executable = imap postlogin
>> }
>> service lmtp {
>>  ? inet_listener lmtp {
>>  ??? address = ::1
>>  ??? port = 24
>>  ? }
>>  ? unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>  ??? group = postfix
>>  ??? mode = 0660
>>  ??? user = postfix
>>  ? }
>> }
>> service postlogin {
>>  ? executable = script-login -d rawlog
>> }
>> service replicator {
>>  ? process_min_avail = 1
>>  ? unix_listener replicator-doveadm {
>>  ??? mode = 0666
>>  ? }
>> }
>> service stats {
>>  ? fifo_listener stats-mail {
>>  ??? mode = 0666
>>  ? }
>> }
>> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
>> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
>> ssl_client_ca_dir = /etc/ssl/certs
>> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_dh =? # hidden, use -P to show it
>> ssl_key =? # hidden, use -P to show it
>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
>> userdb {
>>  ? driver = passwd
>> }
>> protocol lmtp {
>>  ? mail_plugins = stats notify replication fts fts_lucene sieve
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>> protocol !indexer-worker {
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>> protocol lda {
>>  ? mail_plugins = stats notify replication fts fts_lucene sieve
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>> protocol imap {
>>  ? mail_plugins = stats notify replication fts fts_lucene imap_stats
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>> protocol sieve {
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>> protocol pop3 {
>>  ? ssl_dh =? # hidden, use -P to show it
>> }
>>
>> And showing with -P as an example:
>>
>> protocol pop3 {
>>  ? ssl_dh = -----BEGIN DH PARAMETERS-----
>> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
>> ...
>> AAAAAAAAAAAAAAAAAAAAAAAAAAA>> -----END DH PARAMETERS-----
>>
>> There is a single set of valid DH parameters for every protocol as
>> listed above.
>>
>> It seems odd that ssl_dh is defined all of these protocols
>> specifically too.? This specific per-protocol definition of ssl_dh
>> isn't specified in any config file.
>>
>> Reuben
> Can you try with doveconf -nP? and ensure all those ssl_dh lines are of
> form ssl_dh =</file?
>
> Aki
That's the thing.? Those extra ssl_dh lines aren't actually specified in
my conf files, they have been inherited from somewhere - so I can't 
change them to be of any particular form because they aren't defined as 
being that way in my configuration files.

There is only one place where ssl_dh is defined and that's in the global 
10-ssl.conf file.? See here:

lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #

The rest of them must be being inherited from that statement above.

But back to the original question, if I *remove* the ssl-parameters.dat 
file from /var/lib/dovecot/ then without any other configuration changes 
the error goes away on reload and from doveconf? output.? Not only that, 
but if the ssl-parameters.dat file is removed then those ssl_dh lines 
per-protocol in doveconf -n also disappear too.

To me that indicates that the mere presence of the ssl-parameters.dat 
file is doing something odd with the way the ssl_dh configuration 
statements are being handled.? Something buggy with backwards 
compatibility perhaps?

[Also tested with latest 2.3 -git as of today - same result]

Reuben