Reuben Farrelly
2017-Nov-01 11:51 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Hi again,

On 1/11/2017 12:01 AM, Aki Tuomi wrote:
>
> On 31.10.2017 15:00, Reuben Farrelly wrote:
>> Hi,
>>
>> On 30/10/2017 7:22 PM, dovecot-request at dovecot.org wrote:
>>> Message: 6
>>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>>> From: Teemu Huovila <teemu.huovila at dovecot.fi>
>>> To: dovecot at dovecot.org
>>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>>> Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9a96 at dovecot.fi>
>>> Content-Type: text/plain; charset=utf-8
>>>
>>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>>>
>>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>>> Hi Aki,
>>>>>
>>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>>
>>>>>>> Hi again,
>>>>>>>
>>>>>>> Chasing down one last problem which seems to have been missed
>>>>>>> from my last email:
>>>>>>>
>>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>>> On 20-10-2017 at 4:23, Reuben Farrelly wrote:
>>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>>>>>>>>> <reuben-dovecot at reub.net> wrote:
>>>>>>>
>>>>>>> This problem below is still present in 2.3 -git, as of version
>>>>>>> 2.3.devel (6fc40674e)
>>>>>>>
>>>>>>>>>> Secondly, this ssl_dh message is always printed from doveconf:
>>>>>>>>>>
>>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> Yet the file is there:
>>>>>>>>>>
>>>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>>>
>>>>>>>>>> And the config is there as well:
>>>>>>>>>>
>>>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>>
>>>>>>>>>> It appears that this warning is being triggered by the
>>>>>>>>>> presence of the ssl-parameters.dat file because when I remove
>>>>>>>>>> it the warning goes away. Perhaps the warning could be made a
>>>>>>>>>> bit more specific about this file being removed if it is not
>>>>>>>>>> required because at the moment the warning message is not
>>>>>>>>>> related to the trigger.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Reuben
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Reuben
>>>>>>
>>>>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>>>>> no ssl_dh=< explicitly set in config file.
>>>>>>
>>>>>> Aki
>>>>>
>>>>> I have this already in my 10-ssl.conf file:
>>>>>
>>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>> doveconf: Warning: You can generate it with: dd
>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>  * Reloading dovecot configs and restarting auth/login processes
>>>>> ...      [ ok ]
>>>>> lightning dovecot #
>>>>>
>>>>> However:
>>>>>
>>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>>> # gives on startup when ssl_dh is unset.
>>>>> ssl_dh=</etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> and the file is there:
>>>>>
>>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>>> lightning dovecot #
>>>>>
>>>>> So it is actually configured and yet the warning still is present.
>>>>>
>>>>> Reuben
>>>>
>>>> Hi!
>>>>
>>>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>>>> are still missing ssl_dh somewhere?
>>>>
>>>> Aki
>>>>
>>> Hello
>>>
>>> Just a guess, but at this point I would recommend reviewing the
>>> output of "doveconf -n" to make sure the appropriate settings are
>>> present.
>>>
>>> br,
>>> Teemu
>>
>> I still can't see anything amiss. Here's the output from doveconf -n:
>>
>> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.devel (f4659224)
>> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
>> auth_mechanisms = plain login
>> auth_socket_path = /var/run/dovecot/auth-userdb
>> auth_username_format = %Ln
>> doveadm_password =  # hidden, use -P to show it
>> first_valid_uid = 1000
>> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
>> last_valid_uid = 1100
>> login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
>> login_trusted_networks = 192.168.0.0/16
>> mail_location = maildir:~/Maildir
>> mail_plugins = stats notify replication fts fts_lucene
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
>> namespace inbox {
>>   inbox = yes
>>   location
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix
>> }
>> passdb {
>>   args = failure_show_msg=yes %s
>>   driver = pam
>> }
>> plugin {
>>   fts = lucene
>>   fts_autoindex = yes
>>   fts_languages = en
>>   fts_lucene = whitespace_chars=@.
>>   mail_replica = tcps:inside-mail.reub.net:4813
>>   replication_full_sync_interval = 4 hours
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>   stats_refresh = 30 secs
>>   stats_track_cmds = yes
>> }
>> protocols = imap lmtp sieve
>> recipient_delimiter = -
>> service aggregator {
>>   fifo_listener replication-notify-fifo {
>>     mode = 0666
>>     user = root
>>   }
>>   unix_listener replication-notify {
>>     mode = 0666
>>     user = root
>>   }
>> }
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0666
>>     user = postfix
>>   }
>>   unix_listener auth-userdb {
>>     mode = 0777
>>   }
>> }
>> service doveadm {
>>   inet_listener {
>>     address = 2400:8901:e001:3a::20
>>     port = 4813
>>     ssl = yes
>>   }
>>   user = root
>> }
>> service imap {
>>   executable = imap postlogin
>> }
>> service lmtp {
>>   inet_listener lmtp {
>>     address = ::1
>>     port = 24
>>   }
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service postlogin {
>>   executable = script-login -d rawlog
>> }
>> service replicator {
>>   process_min_avail = 1
>>   unix_listener replicator-doveadm {
>>     mode = 0666
>>   }
>> }
>> service stats {
>>   fifo_listener stats-mail {
>>     mode = 0666
>>   }
>> }
>> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
>> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
>> ssl_client_ca_dir = /etc/ssl/certs
>> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
>> ssl_dh =  # hidden, use -P to show it
>> ssl_key =  # hidden, use -P to show it
>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
>> userdb {
>>   driver = passwd
>> }
>> protocol lmtp {
>>   mail_plugins = stats notify replication fts fts_lucene sieve
>>   ssl_dh =  # hidden, use -P to show it
>> }
>> protocol !indexer-worker {
>>   ssl_dh =  # hidden, use -P to show it
>> }
>> protocol lda {
>>   mail_plugins = stats notify replication fts fts_lucene sieve
>>   ssl_dh =  # hidden, use -P to show it
>> }
>> protocol imap {
>>   mail_plugins = stats notify replication fts fts_lucene imap_stats
>>   ssl_dh =  # hidden, use -P to show it
>> }
>> protocol sieve {
>>   ssl_dh =  # hidden, use -P to show it
>> }
>> protocol pop3 {
>>   ssl_dh =  # hidden, use -P to show it
>> }
>>
>> And showing with -P as an example:
>>
>> protocol pop3 {
>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
>> ...
>> AAAAAAAAAAAAAAAAAAAAAAAAAAA
>> -----END DH PARAMETERS-----
>>
>> There is a single set of valid DH parameters for every protocol as
>> listed above.
>>
>> It seems odd that ssl_dh is defined for all of these protocols
>> specifically too. This specific per-protocol definition of ssl_dh
>> isn't specified in any config file.
>>
>> Reuben
>
> Can you try with doveconf -nP and ensure all those ssl_dh lines are of
> form ssl_dh =</file?
>
> Aki

That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.

There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file. See here:

lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #

The rest of them must be being inherited from that statement above.

But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output. Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.

To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled. Something buggy with backwards compatibility perhaps?

[Also tested with latest 2.3 -git as of today - same result]

Reuben
Timo Sirainen
2017-Nov-02 00:01 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>
> That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
>
> There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file. See here:
>
> lightning dovecot # grep ssl_dh *
> grep: conf.d: Is a directory
> lightning dovecot # grep ssl_dh */*
> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
> lightning dovecot #
>
> The rest of them must be being inherited from that statement above.
>
> But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output. Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
>
> To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled. Something buggy with backwards compatibility perhaps?
>
> [Also tested with latest 2.3 -git as of today - same result]

Looks like this is pretty easily reproducible:

a) ok:
printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo

b) not ok:
printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
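Timo's two-line reproduction pins the trigger down to config shape rather than to the file being missing. The script below is an added example, not code from this thread or from Dovecot: it parses just enough of the Dovecot config syntax (`key = value`, `name [arg] {` blocks, `!include` globs) to answer the question Aki and Teemu asked Reuben to check (where is `ssl_dh` actually set, and in which scope), and it encodes the trigger the thread observed for the unfixed 2.3 tree as an explicit, labelled assumption: legacy `ssl-parameters.dat` present, and either no global `ssl_dh = <file` or at least one `protocol x { }` block. The sample config tree and the two `foo` files are constructed in memory so it runs offline; the caller decides whether the legacy file exists on the host.

```python
"""Locate ssl_dh in a Dovecot-style config tree and report the warning trigger.

Added example (not Dovecot code). The trigger predicate models the pre-fix
behaviour reported in the thread and is an assumption, not the project's logic.
"""
import fnmatch
import posixpath
import re

_SETTING_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*=\s*(.*)$")
_BLOCK_RE = re.compile(r"^([A-Za-z_][\w-]*)(?:\s+(\S.*?))?\s*\{$")
_INCLUDE_RE = re.compile(r"^!include(?:_try)?\s+(\S+)$")

# Constructed sample tree shaped like the thread's setup: one global ssl_dh in
# conf.d/10-ssl.conf, and a protocol block in another conf.d file.
SAMPLE_TREE = {
    "/etc/dovecot/dovecot.conf": "protocols = imap lmtp sieve\n!include conf.d/*.conf\n",
    "/etc/dovecot/conf.d/10-ssl.conf": (
        "# gives on startup when ssl_dh is unset.\n"
        "ssl_dh=</etc/dovecot/dh.pem\n"
        "ssl_cert = </etc/ssl/dovecot/example.crt\n"
    ),
    "/etc/dovecot/conf.d/20-imap.conf": "protocol imap {\n  mail_plugins = $mail_plugins imap_stats\n}\n",
}

# Timo's reproductions (a) and (b), as in-memory files.
TIMO_OK = {"/tmp/foo": "ssl_dh = </usr/local/etc/dovecot/dh.pem\n"}
TIMO_NOT_OK = {"/tmp/foo": "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n"}


def _expand_include(tree, base_file, pattern):
    """Resolve an !include glob relative to the including file's directory."""
    base_dir = posixpath.dirname(base_file)
    full = pattern if pattern.startswith("/") else posixpath.join(base_dir, pattern)
    return sorted(p for p in tree if fnmatch.fnmatch(p, full))


def _parse_file(tree, path, scope, settings, blocks):
    stack = list(scope)
    for lineno, raw in enumerate(tree[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _INCLUDE_RE.match(line)
        if m:
            for inc in _expand_include(tree, path, m.group(1)):
                _parse_file(tree, inc, tuple(stack), settings, blocks)
            continue
        if line == "}":
            if len(stack) == len(scope):  # an include may not close its parent's block
                raise ValueError(f"{path}:{lineno}: unmatched '}}'")
            stack.pop()
            continue
        m = _BLOCK_RE.match(line)
        if m:
            header = (m.group(1), m.group(2) or "")  # e.g. ("protocol", "imap")
            blocks.add(header)
            stack.append(header)
            continue
        m = _SETTING_RE.match(line)
        if m:
            settings.append((tuple(stack), m.group(1), m.group(2).strip(), path, lineno))
            continue
        raise ValueError(f"{path}:{lineno}: cannot parse {raw!r}")
    if len(stack) != len(scope):
        raise ValueError(f"{path}: unclosed block {stack[-1]}")


def parse_tree(tree, root):
    """Return (settings, blocks): settings are (scope, key, value, file, line)
    tuples, scope being a tuple of (kind, name) block headers; blocks is the
    set of block headers seen anywhere in the tree."""
    settings, blocks = [], set()
    _parse_file(tree, root, (), settings, blocks)
    return settings, blocks


def ssl_dh_status(tree, root, legacy_params_present):
    """Summarise ssl_dh definitions and whether the pre-fix warning is expected.

    legacy_params_present: whether /var/lib/dovecot/ssl-parameters.dat exists
    on the host (checked by the caller, so this stays offline)."""
    settings, blocks = parse_tree(tree, root)
    dh = [s for s in settings if s[1] == "ssl_dh"]
    explicit_global = any(s[0] == () and s[2].startswith("<") for s in dh)
    protocol_blocks = sorted(name for kind, name in blocks if kind == "protocol")
    return {
        "ssl_dh_definitions": [
            (s[3], s[4], "/".join(n for _, n in s[0]) or "(global)", s[2]) for s in dh
        ],
        "explicit_global": explicit_global,
        "protocol_blocks": protocol_blocks,
        # Assumption: trigger as observed in the thread for the unfixed tree.
        "warning_expected": legacy_params_present and (not explicit_global or bool(protocol_blocks)),
    }


if __name__ == "__main__":
    for label, tree, root in (("timo-ok", TIMO_OK, "/tmp/foo"),
                              ("timo-not-ok", TIMO_NOT_OK, "/tmp/foo"),
                              ("sample", SAMPLE_TREE, "/etc/dovecot/dovecot.conf")):
        print(label, ssl_dh_status(tree, root, legacy_params_present=True))
```

Run it against a real tree by loading each file under /etc/dovecot into the dict and passing `os.path.exists("/var/lib/dovecot/ssl-parameters.dat")` as the third argument; `ssl_dh_definitions` then shows the one file and line that `grep ssl_dh */*` found, while the per-protocol copies in `doveconf -n` are absent because they never came from a config file.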
Aki Tuomi
2017-Nov-02 12:21 UTC
dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
On 02.11.2017 02:01, Timo Sirainen wrote:
> On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>>
>> That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
>>
>> There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file. See here:
>>
>> lightning dovecot # grep ssl_dh *
>> grep: conf.d: Is a directory
>> lightning dovecot # grep ssl_dh */*
>> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
>> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> The rest of them must be being inherited from that statement above.
>>
>> But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output. Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
>>
>> To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled. Something buggy with backwards compatibility perhaps?
>>
>> [Also tested with latest 2.3 -git as of today - same result]
>
> Looks like this is pretty easily reproducible:
>
> a) ok:
> printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo
>
> b) not ok:
> printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
> doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem

Hi!

This has been fixed, see https://github.com/dovecot/core/commit/a70d867d1fe3584149811c65eb6213deb72be824.patch

Aki