Problem:
We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
upgraded openSUSE to Leap 15.0.
In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
works and I haven't figured out how to downgrade to the older working
version.

The key issue seems to be the change to requiring dh.pem and changing
ssl_protocols to ssl_min_protocols. I think I've navigated both
correctly, but it still doesn't work.
The error is
    auth: Error: stats: open(old-stats-user) failed: Permission denied

as a consequence of which we get
    imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.

We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
    1. We have created /etc/dovecot/dh.pem (yes it took five hours)

    2. We have edited 10-ssl.conf as directed by the Wiki:
        ssl = yes
        ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
        ssl_key = /etc/certbot/live/privustech.com/privkey.pem
        ssl_dh = /etc/dovecot/dh.pem    #(yes, it took five hours to create...)
        ssl_min_protocol = TLSv1
        ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
        ssl_prefer_server_ciphers = no

    3. We have checked 10-ssl.conf against the 2.3 default at
       https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf

    4. We do NOT include the less than (<) symbol before the paths because
       then dovecot fails to load complaining it cannot find the files.

    5. We have checked all the pem keys, certificates, and dh files with
       cat, they all exist and are in the expected hash format.

    6. We have followed the instructions to set their permissions
       root:root 0444 and 0400 accordingly.

    7. We have rebooted the host.

Any help or clues would be most appreciated.

Kind regards, Andy
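
Added example, not part of the original post: Dovecot uses the value of ssl_cert, ssl_key and ssl_dh as the PEM data itself unless the value begins with "<", in which case it reads the named file. The Python sketch below lints those three settings in a 10-ssl.conf style file; the sample config, its paths, and the function names are constructed for illustration.

```python
import re

# Dovecot reads these settings from a file only when the value starts with "<";
# without it, the text after "=" is used as the PEM data itself.
FILE_SETTINGS = ("ssl_cert", "ssl_key", "ssl_dh")
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")

def parse_settings(text):
    """Return {name: value} for 'name = value' lines, dropping # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings

def read_text(path):
    with open(path, encoding="ascii", errors="replace") as handle:
        return handle.read()

def lint_ssl(text, reader=read_text):
    """Return {setting: finding} for file-backed SSL settings that will not load."""
    findings, settings = {}, parse_settings(text)
    for name in FILE_SETTINGS:
        value = settings.get(name)
        if value is None:
            continue
        if not value.startswith("<"):
            if not PEM_BLOCK.search(value):
                findings[name] = "literal value is not PEM; a path needs a leading '<'"
            continue
        path = value[1:].strip()
        try:
            content = reader(path)
        except OSError as exc:
            findings[name] = f"cannot read {path}: {exc.strerror}"
            continue
        if not PEM_BLOCK.search(content):
            findings[name] = f"{path} contains no PEM block"
    return findings

# Constructed sample input (paths are placeholders, not from a real host).
SAMPLE = """\
ssl = yes
ssl_cert = /etc/ssl/example/fullchain.pem
ssl_key = </etc/ssl/example/privkey.pem
ssl_dh = </etc/dovecot/dh.pem   # generated separately
"""
```

Run lint_ssl() as the user the Dovecot login processes run under, so that a "cannot read" finding reflects the permissions those processes actually have.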
        
