Aki hello, thank you. Hopefully excerpts and top posting are acceptable
in the mailing list??
On that assumption:

Thanks for the input. I've checked out your suggestions (details below)
but unfortunately no joy.

I also restored my backup 10-ssl.conf. It indeed has the "<" sign with
a space before the explicit paths to the files:
    ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
    ssl_key = </etc/certbot/live/privustech.com/privkey.pem
It returns several complaints after restarting dovecot which I
addressed:
    https://wiki2.dovecot.org/Upgrading/2.3
    https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
  Changed ssl_protocols to ssl_min_protocol = TLSv1
  Added ssl_dh = </etc/dovecot/dh.pem and checked it with cat. It reads
as a properly hashed DH PARAMETERS file.
At this point we are back to the complaint about ssl_cert: Permission
denied.
    The certificates are root:root 0777 and of course dovecot is
running as root. The conf files are andy:user 0644.
    The documentation says
    > # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    > # dropping root privileges, so keep the key file unreadable by anyone but
    > # root
However if I remove the < then dovecot starts up correctly.
    I delete them one at a time, test, and it shows that file read, but then
fails on the next. So carry on. After the ssl_cert and ssl_key < are
removed dovecot runs (ssl_dh still has <):
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp
But then logging in imap fails:
    open(old-stats-user) failed: Permission denied
The documentation for 2.3 says to remove stats from mail-plugin settings, but I
do not find that in either dovecot.conf or 10-mail.conf.
The mail system is working correctly. Mail is received and stored in
/home/alavarre/Maildir/new
I'm sure it's something simple, since it worked before the version
upgrade. So maybe the answer is just go back to the older version... :-(
Thanks again.
Andy
~~~~
Here are the results of addressing your suggestions, thank you
again:

> You should set ssl_prefer_server_ciphers = yes
Done. No change in status however...

> > 4. We do NOT include the less than (<) symbol before the paths
> > because then dovecot fails to load complaining it cannot find the
> > files.
> Yes, this is probably indication that you are missing the files
    The files are not missing or corrupted. cat shows apparently
properly hashed certificates and keys.
> or are chrooting dovecot in unsupported way. Not including the <
> symbol will not help with this.
Mmmmm:
    https://wiki.archlinux.org/index.php/Chroot
    I did not intentionally or explicitly chroot dovecot. However, it
is possible that yast2 may have done this to perform the upgrade from
Leap 42.3 to 15.0 and didn't undo it?
    However, this does not seem to have happened:
        https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within
    stat indicates that root is indeed the normal root:
        stat -c %i /
    returns 2. (But thanks for the education! :-) I now know
about chroot...)
> You should use
> ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
> ssl_key =</etc/certbot/live/privustech.com/privkey.pem
> ssl_dh =</etc/dovecot/dh.pem
When I do that (= <, with) or (=< without) a space between = and < and
try restarting dovecot I receive:
    Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 16:
    ssl_cert: Can't open file /etc/certbot/live/privustech.com/fullchain.pem: Permission denied
However if I remove the < then dovecot starts up correctly:
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp
But then logging in imap fails:
    Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 0 secs): user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<D6gm3f18gcZrazzb>
    Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=<XWQo3f18IcVrazzb>
I'm inclined to think that the "less than" symbol is the problem. The
documentation says
the <paths/to/files "are relative to the currently parsed
config file's directory (/etc/dovecot/conf.d), similar to how !include
works. The file is read immediately whenever parsing the configuration
file." It also shows a space between = and <.
By that logic I should use
    ssl_cert = <../../certbot/live/privustech.com/fullchain.pem
    ssl_key = <../../certbot/live/privustech.com/privkey.pem
    ssl_dh = <../../dovecot/dh.pem
    but this doesn't work either. Restoring the explicit path without <
gets us back to dovecot starting up but not able to log in with imap...
On Fri, 2018-12-14 at 07:19 +0200, Aki Tuomi wrote:
> >
> > On 14 December 2018 at 02:12 "C. Andrews Lavarre"
> > om> wrote:
> >
> >
> > Problem:
> > We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But
> > we upgraded openSUSE to Leap 15.0.
> > In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no
> > longer works and I haven't figured out how to downgrade to the older
> > working version.
> >
> > The key issue seems to be the change to requiring dh.pem and
> > changing ssl_protocols to ssl_min_protocols. I think I've navigated both
> > correctly, but it still doesn't work.
> > The error is
> >     auth: Error: stats: open(old-stats-user) failed: Permission denied
> >
> > as a consequence of which we get
> >     imap-login: Error: Failed to initialize SSL server context: Can't
> >     load SSL certificate: There is no valid PEM certificate.
> >
> > We have followed the instructions at
> > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > 1. We have created /etc/dovecot/dh.pem (yes it took five hours)
> >
> > 2. We have edited 10-ssl.conf as directed by the Wiki:
> >         ssl = yes
> >         ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
> >         ssl_key = /etc/certbot/live/privustech.com/privkey.pem
> >         ssl_dh = /etc/dovecot/dh.pem
> >         #(yes, it took five hours to create...)
>
>
> Hi! You should use
>
> ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
> ssl_key =</etc/certbot/live/privustech.com/privkey.pem
> ssl_dh =</etc/dovecot/dh.pem
>
> >
> >         ssl_min_protocol = TLSv1
> >         ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> >         ssl_prefer_server_ciphers = no
> >
> You should set ssl_prefer_server_ciphers = yes.
>
> >
> > 3. We have checked 10-ssl.conf against the 2.3 default at
> > https://github.com/dovecot/core/blob/master/doc/example
> > -config/conf.d/10-ssl.conf
> >
> > 4. We do NOT include the less than (<) symbol before the paths
> > because then dovecot fails to load complaining it cannot find the
> > files.
> >
> Yes, this is probably indication that you are missing the files or
> are chrooting dovecot in unsupported way. Not including the < symbol
> will not help with this.
>
> >
> > 5. we have checked all the pem keys, certificates, and dh
> > files with cat, they all exist and are in the expected hash format.
> >
> > 6. We have followed the instructions to set their permissions
> > root:root 0444 and 0400 accordingly.
> > 7. We have rebooted the host.
> >
> This is correct.
>
> >
> > Any help or clues would be most appreciated.
> >
> > Kind regards, Andy
> >
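An added diagnostic, constructed for this thread and not part of Dovecot or of the messages above: the script resolves a "<path" value the way the documentation quoted in the thread describes (relative to /etc/dovecot/conf.d when it is not absolute, which this example assumes from that quote), then checks every directory on the way for the search bit and the file for the read bit, following symlinks first, because a Permission denied on a world-readable file can come from a parent directory or a symlink target rather than the file itself. Run it as the same user that parses the configuration.

```shell
#!/bin/sh
# Constructed example: resolve a Dovecot "<path" setting and report the
# first path component the current user cannot traverse or read.

# resolve_conf_path CONF_DIR VALUE
# Drops the leading '<' (Dovecot reads the file at parse time) and
# resolves a relative path against the config file's directory, as the
# documentation quoted in the thread says Dovecot does.
resolve_conf_path() {
    conf_dir=$1
    value=${2#<}         # strip the '<' prefix
    value=${value# }     # tolerate "< path" written with a space
    case $value in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$conf_dir" "$value" ;;
    esac
}

# check_path_access PATH
# Prints "ok" and returns 0 when every directory is searchable and the
# file is readable; otherwise prints the failing component and returns 1.
# Symlinks are followed first (certbot's live/ entries are usually
# symlinks, and the target's permissions are what count).
check_path_access() {
    target=$1
    if resolved=$(readlink -f "$target" 2>/dev/null); then
        target=$resolved
    fi
    dir=""
    rest=${target#/}
    while [ "$rest" != "${rest#*/}" ]; do   # a '/' remains: directory part
        comp=${rest%%/*}
        rest=${rest#*/}
        dir="$dir/$comp"
        [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir"; return 1; }
        [ -x "$dir" ] || { printf 'no search permission: %s\n' "$dir"; return 1; }
    done
    file="$dir/$rest"
    [ -f "$file" ] || { printf 'missing file: %s\n' "$file"; return 1; }
    [ -r "$file" ] || { printf 'not readable: %s\n' "$file"; return 1; }
    printf 'ok\n'
}

# Usage: the three settings from the thread, paths as written there
for v in '</etc/certbot/live/privustech.com/fullchain.pem' \
         '</etc/certbot/live/privustech.com/privkey.pem' \
         '</etc/dovecot/dh.pem'; do
    path=$(resolve_conf_path /etc/dovecot/conf.d "$v")
    printf '%s: ' "$path"; check_path_access "$path" || :
done
```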