Your message dated Tue, 29 Nov 2016 13:47:42 +0100
with message-id 
<1480423662.3306870.802378825.03750...@webmail.messagingengine.com>
and subject line courier 0.75.0 uses 2048 bits for dhparam by default
has caused the Debian Bug report #829576,
regarding courier-imap-ssl: Generated dhparams.pem is too weak
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
829576: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829576
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: courier-imap-ssl
Version: 4.15-1.6
Severity: important

Dear Maintainer,

Fresh install on a new Debian jessie; it generated /etc/courier/dhparams.pem.
However, "openssl s_client -connect ip:143 -starttls imap" is unable to connect
with this error message:

140640772830864:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh
key too small:s3_clnt.c:3424:

OpenSSL in jessie (and so all other software using it like php/perl imap
modules) is configured to reject all connections using DH less than
2048 bits. However the one generated by courier-imap-ssl upon install is
only 768 bits.

server:~:# openssl dhparam -text -in /etc/courier/dhparams.pem -noout
    PKCS#3 DH Parameters: (768 bit)

This makes default installation of courier-imap-ssl unusable.



-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-imap-ssl depends on:
ii  courier-imap  4.15-1.6
ii  courier-ssl   0.73.1-1.6
ii  debconf       1.5.56
ii  openssl       1.0.1t-1+deb8u2

courier-imap-ssl recommends no packages.

Versions of packages courier-imap-ssl suggests:
pn  courier-doc                   <none>
ii  heirloom-mailx [imap-client]  12.5-4

-- Configuration Files:
/etc/courier/imapd-ssl changed [not included]
/etc/courier/imapd.cnf [Errno 2] No such file or directory: 
u'/etc/courier/imapd.cnf'

-- debconf-show failed

--- End Message ---
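
The check from the report above, turned into a reusable audit (an added example, not part of the original messages or of the courier packaging). The function names are hypothetical, the 2048-bit threshold is the one the report states, and the two sample lines are constructed: the first mirrors the output quoted in the report, the second is the header form printed by newer OpenSSL releases.

```shell
#!/bin/sh
# Audit DH parameter files against a minimum size (added example).
MIN_DH_BITS=2048   # threshold from the report: smaller DH groups are rejected

# Read `openssl dhparam -text -noout` output on stdin and print the bit length.
# Accepts "PKCS#3 DH Parameters: (768 bit)" and "DH Parameters: (2048 bit)".
dh_bits_from_text() {
    sed -n 's/^.*DH Parameters: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1
}

# Classify a bit count: prints "ok", "weak" or "unparsed".
classify_dh_bits() {
    case "$1" in
        ''|*[!0-9]*) echo unparsed ;;
        *) if [ "$1" -ge "$MIN_DH_BITS" ]; then echo ok; else echo weak; fi ;;
    esac
}

# Audit one file with the openssl binary; returns 0 only for an acceptable size.
# A missing or unreadable file yields "unparsed" and a non-zero return.
audit_dh_file() {
    bits=$(openssl dhparam -text -noout -in "$1" 2>/dev/null | dh_bits_from_text)
    verdict=$(classify_dh_bits "$bits")
    echo "$1: ${bits:-?} bit: $verdict"
    [ "$verdict" = ok ]
}

# Constructed sample header lines, so the parser can be exercised offline.
SAMPLE_WEAK='    PKCS#3 DH Parameters: (768 bit)'
SAMPLE_OK='    DH Parameters: (2048 bit)'

# Stand-alone use: audit every path given on the command line.
for f in "$@"; do
    audit_dh_file "$f" || echo "regenerate $f with at least $MIN_DH_BITS bits" >&2
done
```

Run it with the parameter file as argument, for example /etc/courier/dhparams.pem from the report.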
--- Begin Message ---
Version: 0.75.0-1

Hi,

diff 0.73.1..0.75.0:

 BITS="$DH_BITS"
 if test "@ssllib@" = "openssl"
 then
     if test "$BITS" = ""
     then
-       BITS=768
+       BITS=2048
     fi
 
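Review bot: the 2048 default inside `if test "$BITS" = ""` applies only when `$DH_BITS` is empty, so a `DH_BITS` value below 2048 set by the administrator still flows unchanged into `BITS`. Consider adding a lower-bound check (warn or refuse) after the inner `fi`. The hunk also shows only the `"@ssllib@" = "openssl"` path, so the default used for any other `@ssllib@` value is not visible here and should be confirmed not to carry the old 768 value.
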
That should be ok for now.

Cheers,
-- 
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds

--- End Message ---
