Hi,
On 30/10/2017 7:22 PM, [email protected] wrote:
Message: 6
Date: Mon, 30 Oct 2017 10:22:42 +0200
From: Teemu Huovila <[email protected]>
To: [email protected]
Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8
On 30.10.2017 09:10, Aki Tuomi wrote:
On 30.10.2017 00:23, Reuben Farrelly wrote:
Hi Aki,
On 30/10/2017 12:43 AM, Aki Tuomi wrote:
On October 29, 2017 at 1:55 PM Reuben Farrelly
<[email protected]> wrote:
Hi again,
Chasing down one last problem which seems to have been missed from my
last email:
On 20/10/2017 9:22 PM, Stephan Bosch wrote:
Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
On 18/10/2017 11:40 PM, Timo Sirainen wrote:
On 18 Oct 2017, at 6.34, Reuben Farrelly <[email protected]>
wrote:
This problem below is still present in 2.3 -git, as of version
2.3.devel
(6fc40674e)
Secondly, these ssl_dh messages are always printed from doveconf:
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem
Yet the file is there:
thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
And the config is there as well:
thunderstorm dovecot # doveconf -P | grep ssl_dh
ssl_dh = </etc/dovecot/dh.pem
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
thunderstorm dovecot #
It appears that this warning is being triggered by the presence of
the ssl-parameters.dat file because when I remove it the warning
goes away. Perhaps the warning could be made a bit more specific
about this file being removed if it is not required because at the
moment the warning message is not related to the trigger.
Thanks,
Reuben
Thanks,
Reuben
It is triggered when there is an ssl-parameters.dat file *AND* there is
no ssl_dh=< explicitly set in the config file.
Aki
I have this already in my 10-ssl.conf file:
lightning dovecot # /etc/init.d/dovecot reload
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem
 * Reloading dovecot configs and restarting auth/login processes ... [ ok ]
lightning dovecot #
However:
lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
# gives on startup when ssl_dh is unset.
ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #
and the file is there:
lightning dovecot # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
lightning dovecot #
So it is actually configured, and yet the warning is still present.
Reuben
Hi!
I gave this a try, and I was not able to repeat this issue. Perhaps you
are still missing ssl_dh somewhere?
Aki
Hello
Just a guess, but at this point I would recommend reviewing the output of "doveconf
-n" to make sure the appropriate settings are present.
br,
Teemu
I still can't see anything amiss. Here's the output from doveconf -n:
# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password = # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = failure_show_msg=yes %s
driver = pam
}
plugin {
fts = lucene
fts_autoindex = yes
fts_languages = en
fts_lucene = whitespace_chars=@.
mail_replica = tcps:inside-mail.reub.net:4813
replication_full_sync_interval = 4 hours
sieve = file:~/sieve;active=~/.dovecot.sieve
stats_refresh = 30 secs
stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
fifo_listener replication-notify-fifo {
mode = 0666
user = root
}
unix_listener replication-notify {
mode = 0666
user = root
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0777
}
}
service doveadm {
inet_listener {
address = 2400:8901:e001:3a::20
port = 4813
ssl = yes
}
user = root
}
service imap {
executable = imap postlogin
}
service lmtp {
inet_listener lmtp {
address = ::1
port = 24
}
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service postlogin {
executable = script-login -d rawlog
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
service stats {
fifo_listener stats-mail {
mode = 0666
}
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = stats notify replication fts fts_lucene sieve
ssl_dh = # hidden, use -P to show it
}
protocol !indexer-worker {
ssl_dh = # hidden, use -P to show it
}
protocol lda {
mail_plugins = stats notify replication fts fts_lucene sieve
ssl_dh = # hidden, use -P to show it
}
protocol imap {
mail_plugins = stats notify replication fts fts_lucene imap_stats
ssl_dh = # hidden, use -P to show it
}
protocol sieve {
ssl_dh = # hidden, use -P to show it
}
protocol pop3 {
ssl_dh = # hidden, use -P to show it
}
And showing with -P as an example:
protocol pop3 {
ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----
There is a single set of valid DH parameters for every protocol as
listed above.
It seems odd that ssl_dh is defined for all of these protocols specifically
too. This specific per-protocol definition of ssl_dh isn't specified in
any config file.
Reuben
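The thread turns on whether a usable DH group is really sitting behind ssl_dh. The following is an added example, not Dovecot's own code and not from anyone in this thread, written in Python so the PKCS#3 structure is visible: it decodes a PEM "DH PARAMETERS" block (what `ssl_dh = </etc/dovecot/dh.pem` points at), or the DER blob that the quoted `dd ... skip=88 | openssl dh -inform der` pipeline carves out of ssl-parameters.dat, and reports the prime size and a minimum-strength verdict. Only the 88-byte offset comes from the warning on the page; the function names are my own, and the sample PEM and the stand-in ssl-parameters.dat are constructed inline (the "prime" is just an odd 2048-bit number, not real DH parameters).

```python
"""Inspect Dovecot ssl_dh material: decode PEM/DER DH parameters and report
the prime size, the check to run before trusting a dh.pem (or the DER carved
out of the legacy ssl-parameters.dat). Added example; stdlib only."""
import base64
import re

# From the doveconf warning quoted in the thread: the DER-encoded DH
# parameters inside ssl-parameters.dat start 88 bytes into the file.
SSL_PARAMETERS_DAT_DH_OFFSET = 88

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_der(der):
    """Parse PKCS#3 'DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }'."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    t1, p_bytes, nxt = _read_tlv(body, 0)
    t2, g_bytes, _ = _read_tlv(body, nxt)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    p = int.from_bytes(p_bytes, "big", signed=True)
    g = int.from_bytes(g_bytes, "big", signed=True)
    return p, g


def inspect_dh_pem(pem_text, min_bits=2048):
    """Describe the DH group in a PEM 'DH PARAMETERS' block (as in dh.pem)."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    p, g = parse_dh_der(der)
    return {
        "prime_bits": p.bit_length(),
        "generator": g,
        "prime_is_odd": p % 2 == 1,
        "strong_enough": p.bit_length() >= min_bits,
    }


def extract_dh_der_from_ssl_parameters(blob, offset=SSL_PARAMETERS_DAT_DH_OFFSET):
    """Carve the DER SEQUENCE starting at `offset`: the equivalent of the
    'dd bs=1 skip=88 | openssl dh -inform der' step in the warning. Only the
    offset is taken from the page; the rest of the file layout is not
    described there, so bytes after that SEQUENCE are left uninterpreted."""
    tag, _body, end = _read_tlv(blob, offset)
    if tag != 0x30:
        raise ValueError("no DER SEQUENCE at offset %d" % offset)
    return blob[offset:end]


# --- constructed sample material (NOT real DH parameters, never deploy) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps sign positive
    return b"\x02" + _der_len(len(raw)) + raw

def build_dh_der(p, g):
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

SAMPLE_P = (1 << 2047) | 0x1234567 | 1   # odd 2048-bit stand-in, not a safe prime
SAMPLE_G = 2
SAMPLE_PEM = to_pem(build_dh_der(SAMPLE_P, SAMPLE_G))
# constructed stand-in for ssl-parameters.dat: 88 header bytes, the DER, then junk
SAMPLE_SSL_PARAMETERS_DAT = b"\x00" * 88 + build_dh_der(SAMPLE_P, SAMPLE_G) + b"\xff" * 16

if __name__ == "__main__":
    print(inspect_dh_pem(SAMPLE_PEM))
    carved = extract_dh_der_from_ssl_parameters(SAMPLE_SSL_PARAMETERS_DAT)
    print(inspect_dh_pem(to_pem(carved)))
```

On a real host, feed `inspect_dh_pem(open("/etc/dovecot/dh.pem").read())` the file that ssl_dh points at; a `prime_bits` well below 2048, or a parse error, is the kind of problem the doveconf warning is nudging the administrator to look for.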