On 31.10.2017 15:00, Reuben Farrelly wrote:
> Hi,
>
> On 30/10/2017 7:22 PM, [email protected] wrote:
>> Message: 6
>> Date: Mon, 30 Oct 2017 10:22:42 +0200
>> From: Teemu Huovila <[email protected]>
>> To: [email protected]
>> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=utf-8
>>
>> On 30.10.2017 09:10, Aki Tuomi wrote:
>>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>>> Hi Aki,
>>>>
>>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>> Hi again,
>>>>>>
>>>>>> Chasing down one last problem which seems to have been missed
>>>>>> from my last email:
>>>>>>
>>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>> On 20-10-2017 at 4:23, Reuben Farrelly wrote:
>>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>>>>>>>> <[email protected]> wrote:
>>>>>> This problem below is still present in 2.3 -git, as of version
>>>>>> 2.3.devel (6fc40674e)
>>>>>>
>>>>>>>>> Secondly, this ssl_dh message is always printed from doveconf:
>>>>>>>>>
>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> Yet the file is there:
>>>>>>>>>
>>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>>
>>>>>>>>> And the config is there as well:
>>>>>>>>>
>>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>> thunderstorm dovecot #
>>>>>>>>>
>>>>>>>>> It appears that this warning is being triggered by the presence of
>>>>>>>>> the ssl-parameters.dat file, because when I remove it the warning
>>>>>>>>> goes away. Perhaps the warning could be made a bit more specific
>>>>>>>>> about this file being removed if it is not required, because at
>>>>>>>>> the moment the warning message is not related to the trigger.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Reuben
>>>>>> Thanks,
>>>>>> Reuben
>>>>> It is triggered when there is an ssl-parameters.dat file *AND* there is
>>>>> no ssl_dh=< explicitly set in the config file.
>>>>>
>>>>> Aki
>>>>
>>>> I have this already in my 10-ssl.conf file:
>>>>
>>>> lightning dovecot # /etc/init.d/dovecot reload
>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>> doveconf: Warning: You can generate it with: dd
>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>> -inform der > /etc/dovecot/dh.pem
>>>>  * Reloading dovecot configs and restarting auth/login processes ... [ ok ]
>>>> lightning dovecot #
>>>>
>>>> However:
>>>>
>>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>>> # gives on startup when ssl_dh is unset.
>>>> ssl_dh=</etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> and the file is there:
>>>>
>>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>>> lightning dovecot #
>>>>
>>>> So it is actually configured and yet the warning is still present.
>>>>
>>>> Reuben
>>>
>>> Hi!
>>>
>>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>>> are still missing ssl_dh somewhere?
>>>
>>> Aki
>>>
>> Hello
>>
>> Just a guess, but at this point I would recommend reviewing the
>> output of "doveconf -n" to make sure the appropriate settings are
>> present.
>>
>> br,
>> Teemu
>
> I still can't see anything amiss. Here's the output from doveconf -n:
>
> # 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.devel (f4659224)
> # OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
> auth_mechanisms = plain login
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_username_format = %Ln
> doveadm_password = # hidden, use -P to show it
> first_valid_uid = 1000
> imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
> last_valid_uid = 1100
> login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
> login_trusted_networks = 192.168.0.0/16
> mail_location = maildir:~/Maildir
> mail_plugins = stats notify replication fts fts_lucene
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = failure_show_msg=yes %s
>   driver = pam
> }
> plugin {
>   fts = lucene
>   fts_autoindex = yes
>   fts_languages = en
>   fts_lucene = whitespace_chars=@.
>   mail_replica = tcps:inside-mail.reub.net:4813
>   replication_full_sync_interval = 4 hours
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   stats_refresh = 30 secs
>   stats_track_cmds = yes
> }
> protocols = imap lmtp sieve
> recipient_delimiter = -
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     mode = 0666
>     user = root
>   }
>   unix_listener replication-notify {
>     mode = 0666
>     user = root
>   }
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     mode = 0777
>   }
> }
> service doveadm {
>   inet_listener {
>     address = 2400:8901:e001:3a::20
>     port = 4813
>     ssl = yes
>   }
>   user = root
> }
> service imap {
>   executable = imap postlogin
> }
> service lmtp {
>   inet_listener lmtp {
>     address = ::1
>     port = 24
>   }
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service postlogin {
>   executable = script-login -d rawlog
> }
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     mode = 0666
>   }
> }
> service stats {
>   fifo_listener stats-mail {
>     mode = 0666
>   }
> }
> ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
> ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> userdb {
>   driver = passwd
> }
> protocol lmtp {
>   mail_plugins = stats notify replication fts fts_lucene sieve
>   ssl_dh = # hidden, use -P to show it
> }
> protocol !indexer-worker {
>   ssl_dh = # hidden, use -P to show it
> }
> protocol lda {
>   mail_plugins = stats notify replication fts fts_lucene sieve
>   ssl_dh = # hidden, use -P to show it
> }
> protocol imap {
>   mail_plugins = stats notify replication fts fts_lucene imap_stats
>   ssl_dh = # hidden, use -P to show it
> }
> protocol sieve {
>   ssl_dh = # hidden, use -P to show it
> }
> protocol pop3 {
>   ssl_dh = # hidden, use -P to show it
> }
>
> And showing with -P as an example:
>
> protocol pop3 {
>   ssl_dh = -----BEGIN DH PARAMETERS-----
> MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
> ...
> AAAAAAAAAAAAAAAAAAAAAAAAAAA=
> -----END DH PARAMETERS-----
>
> There is a single set of valid DH parameters for every protocol as
> listed above.
>
> It seems odd that ssl_dh is defined for all of these protocols
> specifically too. This specific per-protocol definition of ssl_dh
> isn't specified in any config file.
>
> Reuben
Can you try with doveconf -nP and ensure all those ssl_dh lines are of the form ssl_dh =</file?

Aki
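The check Aki asks for above (look at every ssl_dh line in `doveconf -nP` output, global and per protocol) can be automated. The script below is an added example, not code from this thread or from the Dovecot project: it walks doveconf-style output, records whether each ssl_dh is an unexpanded `</path` reference, a hidden value, unset, or inline PEM, and for inline PEM it decodes the PKCS#3 `DH PARAMETERS` structure with the standard library only and reports the size of the prime. The sample input at the bottom is constructed (its moduli are all-ones placeholders, not real safe primes), the 2048-bit threshold is the author's own choice, and the assumption that `doveconf -nP` prints the expanded PEM on the `ssl_dh =` line and following lines is taken from Reuben's output above. To run it on a live system, pipe the real output in with `doveconf -nP | python3 audit_ssl_dh.py -`.

```python
"""Audit ssl_dh in `doveconf -nP` output: one finding per ssl_dh line.

Added example, not Dovecot's own code. Usage: doveconf -nP | python3 audit_ssl_dh.py -
Without the "-" argument it runs over the constructed sample at the bottom.
"""
import base64
import re
import sys

PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_pem(pem_text):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { p INTEGER, g INTEGER }."""
    body = pem_text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters: expected outer SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("DH parameters: expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_ssl_dh(doveconf_output, min_bits=2048):
    """Return [(scope, kind, p_bits, ok)] for every ssl_dh line in doveconf -nP output.

    scope: 'global' or 'protocol <name>'. kind: 'inline' (PEM expanded by -P),
    'file:<path>' (unexpanded ssl_dh = <path), 'hidden' (-n without -P) or 'unset'.
    ok is judged only for inline parameters: p at least min_bits wide, odd, g in (2, 5).
    """
    findings, scope = [], "global"
    lines = doveconf_output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        block = re.match(r"protocol\s+(\S+)\s*\{", line)
        if block:
            scope = "protocol " + block.group(1)
        elif line == "}":                   # protocol blocks in -n output hold only settings
            scope = "global"
        elif line.startswith("ssl_dh"):
            value = line.split("=", 1)[1].strip()
            if value.startswith("<"):
                findings.append((scope, "file:" + value[1:], None, None))
            elif value.startswith(PEM_BEGIN):
                pem = [value]
                while not pem[-1].startswith(PEM_END):   # PEM continues on the next lines
                    i += 1
                    pem.append(lines[i].strip())
                p, g = parse_dh_pem("\n".join(pem))
                bits = p.bit_length()
                findings.append((scope, "inline", bits,
                                 bits >= min_bits and p % 2 == 1 and g in (2, 5)))
            elif value.startswith("#"):
                findings.append((scope, "hidden", None, None))
            else:
                findings.append((scope, "unset", None, False))
        i += 1
    return findings


# --- constructed sample input: NOT real DH parameters, NOT real doveconf output ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                       # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(p, g):
    """Encode (p, g) as a 'DH PARAMETERS' PEM; used here only to build the sample."""
    inner = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END])


# All-ones stand-in moduli of the right width (odd, top bit set); not safe primes.
SAMPLE_DOVECONF = "\n".join([
    "# 2.3.devel: /etc/dovecot/dovecot.conf   (constructed sample)",
    "ssl_dh = # hidden, use -P to show it",
    "protocol lmtp {",
    "  ssl_dh = " + make_dh_pem((1 << 2048) - 1, 2),
    "}",
    "protocol pop3 {",
    "  ssl_dh = " + make_dh_pem((1 << 1024) - 1, 2),
    "}",
    "protocol imap {",
    "  ssl_dh = </etc/dovecot/dh.pem",
    "}",
])

if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DOVECONF
    for scope, kind, bits, ok in audit_ssl_dh(text):
        print(f"{scope:24} {kind:28} bits={bits} ok={ok}")
```

A `file:` finding means the value was not expanded, so the file reference itself is what doveconf sees; an `unset` finding in any scope is exactly the condition the warning in the thread is about, and a per-protocol `inline` entry with a short prime points at a stale or hand-copied dh.pem rather than at the configuration file.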
