dovecot - Dec 2018 - "no shared cypher", no matter what I try

Hello Aki,

maybe I misunderstood you, but both adding an "ssl = yes" line to this
section of dovecot.conf, and commenting out the whole "four lines
starting at "inet_listener imaps" do not have any effect :

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

this is the error I still get after restarting dovecot, and trying
again to connect with mutt:

ogin: Debug: SSL: where=0x10, ret=1: before/accept initialization
[my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv2/v3 read client hello A
[my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
Dec 11 11:06:47 SERVERNAME dovecot: imap-login: Disconnected
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=my.home.ip.address, lip=server.ip.address, TLS handshaking:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher,
session=<zdRFPbx8xp4vNZ88>
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: Read auth token
secret from /var/run/dovecot/auth-token-secret.dat
Dec 11 11:06:47 SERVERNAME dovecot: auth: Debug: passwd-file
/etc/imap.v_users: Read 1 users
Il giorno mar 11 dic 2018 alle ore 11:01 Aki Tuomi
<aki.tuomi at open-xchange.com> ha scritto:
>
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
> > hello, and some update
> > short version: the error is still there, but I have some more data to
> > share, thanks in advance for further advice
> >
> > first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> > not an obsolete version.
> > second... at the moment I can send email through postfix on the same
> > server, with the
> > same certificates (almost: I still have to fix some stuff, but is NOT
> > related to SSL/TLS, e.g
> > reverse DNS).
> >
> > However, running openssl as requested returns "no peer
certificate
> > available", and when
> > I connect with mutt to dovecot I still get the "no shared
cipher"
> > error. These are the permissions
> > on the certificate files:
> >
> > ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> > /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> > -r--------. 1 root root 3546 Dec  7 11:59
> > /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> > -r--------. 1 root root 1704 Dec  7 11:59
> > /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> >
> > output of openssl, dovecot -n, its current SSL settings and excerpt of
> > the log file are all below.
> >
> > openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> > CONNECTED(00000003)
> > 140141825717912:error:14077410:SSL
> > routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> > failure:s23_clnt.c:769:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 305 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : 0000
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1544521696
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> >
> > current SSL dovecot settings in conf.d/10-ssl.conf
> >
> > ssl = yes
> >
> > ssl_prefer_server_ciphers = yes
> >
> > ssl_dh_parameters_length = 2048
> >
> > sl_min_protocol = TLSv1.2
> >
> > ssl_cert =
</etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> > ssl_key =  </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> >
> > ssl_cipher_list = ALL
> >
> > output of dovecot -n:
> >
> > # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> > 7.6.1810 (Core)  ext4
> > # Hostname: SERVER NAME
> > auth_debug = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > mail_location = maildir:/var/mail/mymail_storage/base/
> > passdb {
> >   args = /etc/imap.v_users
> >   driver = passwd-file
> > }
> > service auth {
> >   unix_listener /var/spool/postfix/private/auth {
> >     group = postfix
> >     mode = 0660
> >     user = postfix
> >   }
> > }
> > service imap-login {
> >   inet_listener imap {
> >     port = 0
> >   }
> >   inet_listener imaps {
> >     port = 993
> >   }
> > }
> > ssl = required
> > userdb {
> >   args = /etc/imap.v_users
> >   driver = passwd-file
> > }
> > verbose_ssl = yes
> >
> >
> >
> >
> >
> > this is the error message I get by when I tried to connect with mutt:
> >
> >
> > Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
> > starting up for imap, pop3, lmtp (core dumps disabled)
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
> > ret=1: before/accept initialization [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> > where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> > where=0x2002, ret=-1: SSLv2/v3 read client hello A
> > [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
> > where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> > where=0x2002, ret=-1: error [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
> > where=0x2002, ret=-1: error [my.home.ip.address]
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
> > SSL_accept() failed: error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:
> > Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
> > (disconnected before auth was ready, waited 0 secs): user=<>,
> > rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
> > haking: SSL_accept() failed: error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no shared cipher,
> > session=<H8roHLp86psvNZ88>
> > Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
> > directory: /usr/lib64/dovecot/auth
> > Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
> > /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> > Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
> > /usr/lib64/dovecot/auth/libdriver_sqlite.so
> > Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret
> > from /var/run/dovecot/auth-token-secret.dat
> > Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file
> > /etc/imap.v_users: Read 1 users in 0 secs

Marco Fioretti skrev den 2018-12-11 11:12:
> maybe I misunderstood you, but both adding an "ssl = yes" line to
this
> section of dovecot.conf, and commenting out the whole "four lines
> starting at "inet_listener imaps" do not have any effect :
you should not edit dovecot.conf :/

edit config files in conf.d

start from zerro now

The problem is solved, thanks to Aki. I was missing the "include"
directive in dovecot.conf, because it was not needed in the dovecot
version I was using previously.

Now I have a related question, and... another problem :-)

The question: what is a safer/more sensible value for ssl_cipher_list
than the current "ALL"?

The problem: now that I can login, a permission/ownership problem came
out. In the old server, the mailboxes were owned by user mail_manager,
group mail_management

In the new server I recreated those users, copied the mailboxes as
they were. Postfix / procmail are using that userid, and can write
successfully to the mailboxes.

Dovecot, instead, cannot. Even if I added the dovecot user to the
mail_management group, it keeps generating plenty of errors like this

Dec 11 12:34:13 SERVERNAME dovecot: imap(USERNAME): Error:
file_dotlock_create(/var/mail/mymail_storage/base/.archive.2018.12/dovecot-uidlist)
failed: Permission denied (euid=5000(<unknown>)
egid=5000(mail_management) missing +w perm:
/var/mail/mymail_storage/base/.archive.2018.12, dir owned by 1001:5000
mode=0755)

of course it cannot create the log file because the owner is the
mail_manager user (euid 5000)

so the question is: what is the good/best practice now?  Make dovecot
run as user mail_manager? And if yes, how? Or should I change the
permissions of all the mailboxes and mail files with chmod -r 775 ?

Thanks,
Marco