Package: dovecot-core
Version: 1:2.3.4.1-1
Severity: normal

My dovecot installation dates from 2014 (2.2.13) and on upgrade to this
version, it started failing on ssl connections:

Mar 13 19:01:40 kite dovecot[9278]: imap-login: Error: Failed to initialize SSL 
server context: Can't load DH parameters: error:1408518A:SSL 
routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx, lip=xxx, 
session=<45XeyQGEZOzOSmkw>

Fixing this involved adding this line to the config:
ssl_dh = </usr/share/dovecot/dh.pem

There was no ssl_dh setting in my config before, so I guess it was using
some other file by default which no longer provides valid DH params.

I also moved /var/lib/dovecot/ssl-parameters.dat out of the way, 
which may or may not have been needed.

This seems like the kind of upgrade breakage that would be worth documenting,
or avoiding, rather than leave the user to diff conffiles and scratch their
head.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-core depends on:
ii  adduser              3.118
ii  libapparmor1         2.13.2-9
ii  libbz2-1.0           1.0.6-9
ii  libc6                2.28-8
ii  libexttextcat-2.0-0  3.4.5-1
ii  libicu63             63.1-6
ii  liblua5.3-0          5.3.3-1.1
ii  liblz4-1             1.8.3-1
ii  liblzma5             5.2.4-1
ii  libpam-runtime       1.3.1-5
ii  libpam0g             1.3.1-5
ii  libsodium23          1.0.17-1
ii  libssl1.1            1.1.1b-1
ii  libstemmer0d         0+svn585-1+b2
ii  libwrap0             7.6.q-28
ii  lsb-base             10.2018112800
ii  openssl              1.1.1b-1
ii  ssl-cert             1.0.39
ii  ucf                  3.0038+nmu1
ii  zlib1g               1:1.2.11.dfsg-1

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-gssapi        <none>
ii  dovecot-imapd         1:2.3.4.1-1
pn  dovecot-ldap          <none>
pn  dovecot-lmtpd         <none>
pn  dovecot-lucene        <none>
pn  dovecot-managesieved  <none>
pn  dovecot-mysql         <none>
pn  dovecot-pgsql         <none>
ii  dovecot-pop3d         1:2.3.4.1-1
ii  dovecot-sieve         1:2.3.4.1-1
pn  dovecot-solr          <none>
pn  dovecot-sqlite        <none>
pn  dovecot-submissiond   <none>
ii  ntp                   1:4.2.8p12+dfsg-3

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.3.4.1-1
pn  dovecot-dev                    <none>
pn  dovecot-gssapi                 <none>
ii  dovecot-imapd                  1:2.3.4.1-1
pn  dovecot-ldap                   <none>
pn  dovecot-lmtpd                  <none>
pn  dovecot-managesieved           <none>
pn  dovecot-mysql                  <none>
pn  dovecot-pgsql                  <none>
ii  dovecot-pop3d                  1:2.3.4.1-1
ii  dovecot-sieve                  1:2.3.4.1-1
pn  dovecot-sqlite                 <none>

-- debconf information excluded

-- 
see shy jo

Reply via email to