> On 16/10/2020 07:18 Brian Martin <[email protected]> wrote:
>
> I've spent days scouring the Internet and trying various solutions on a problem with my Dovecot installation, so I thought I'd share what I learned in hopes of saving other people a lot of time. The dedicated Dovecot hands will know all of the following already. This is for those of us that have to cover a lot of bases.
>
> I upgraded my mail server from Ubuntu 18.04.1 to Ubuntu 20.04.1, and found that older MacBooks and iPads (and probably other devices) could no longer establish IMAP connections to Dovecot. Dovecot logged:
>
> SSL routines:tls_early_post_process_client_hello:unsupported protocol
>
> and TCP/IP traces showed that it dropped the connection after the client's initial HELLO. I tested what kinds of connections Dovecot would accept with (for example):
>
> openssl s_client -tls1_1 -connect localhost:993 # Test whether TLSv1.1 is accepted - received "unsupported protocol" message.
>
> Searching showed that Dovecot has a parameter "ssl_min_protocol", which is documented as defaulting to TLSv1. Nevertheless I explicitly set it to TLSv1 with no effect. This was a red herring. I spent a long time looking to see if Dovecot had a bug in handling this newish parameter, etc.
>
> Eventually I came across one posting regarding a web server that told me the OpenSSL libraries that Dovecot and lots of other packages use have a single configuration file for the entire system. In Ubuntu 20.04 it defaults to requiring TLSv1.2 or above. Changing the configuration for OpenSSL affects everything on the system using the library. I changed the file, restarted Dovecot, and it immediately accepted TLSv1 connections.
>
> Obviously I'd prefer to maintain the improved security of TLSv1.2, but in my case it was better to continue providing mail service at a lower security level than to deny service to some users until they upgraded their personal devices. You'll need to make your own decision on that score.
>
> The file to change is (on Ubuntu, at least) /usr/lib/ssl/openssl.cnf. The change consists of adding a line of code in the initial section that invokes several new sections later:
>
> In the initial section I added:
>
> openssl_conf = default_conf
>
> Then at the bottom of the file I added:
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT@SECLEVEL=1
>
> There is an alternative approach that I have read of but not tested. Basically you can create a new file elsewhere with the customized content, and then set an environmental variable (OPENSSL_CONF) just before launching Dovecot that points to your new file. This way, only Dovecot is using downgraded security. Since my mail server is a dedicated system and I didn't want to muck with the Dovecot start-up environment, I didn't feel the need to go that route.
>
> So all my digging into why Dovecot wouldn't accept TLSv1 connections and how to change it was completely on the wrong path. It would be nice if Dovecot could log a message when its ssl_min_protocol is set lower than what OpenSSL will accept, but Dovecot may not be able to tell what OpenSSL is doing. In any case, those are the symptoms, the real problem, and how to fix it. Good luck, and thanks to Matt Caswell for posting the answer that I eventually found.
>
> Ref: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
Yeah. This is a known issue, and we have a ticket about allowing configuring the minimum accepted level on dovecot. It has not been done yet, though. Thank you for the workaround.

Aki
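An added audit check, not part of this thread and not Dovecot's or OpenSSL's code, that follows the openssl.cnf section chain Brian describes (openssl_conf -> ssl_conf -> system_default) and reports the effective system-wide MinProtocol and CipherString, flagging a floor below TLSv1.2. The sample config embedded below is constructed to mirror his edit.

```python
"""Audit an openssl.cnf for a system-wide TLS floor below TLSv1.2 (added example)."""
import re

# Constructed sample, not the real Ubuntu file: one unrelated section plus the downgrade chain
# from the post (openssl_conf -> default_conf -> ssl_sect -> system_default_sect).
SAMPLE_CNF = """\
openssl_conf = default_conf   # initial (unnamed) section
[ ca ]
default_ca = CA_default
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
"""
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """INI-style parse into {section: {key: value}}; keys before any [section] go to 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value  # a later duplicate key overrides an earlier one
    return sections

def effective_tls_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default; (None, None) if any link is missing."""
    cfg = parse_cnf(text)
    try:
        params = cfg[cfg[cfg[cfg["default"]["openssl_conf"]]["ssl_conf"]]["system_default"]]
    except KeyError:
        return None, None
    return params.get("MinProtocol"), params.get("CipherString")

def below_tls12(min_protocol):
    """True when the floor admits TLSv1.1 or older; OpenSSL's literal 'None' means no floor.
    A missing value (None) leaves the library's built-in default in force and is not flagged."""
    return min_protocol == "None" or min_protocol in TLS_ORDER[:TLS_ORDER.index("TLSv1.2")]

if __name__ == "__main__":
    floor, ciphers = effective_tls_defaults(SAMPLE_CNF)
    print(f"MinProtocol={floor} CipherString={ciphers} below_TLSv1.2={below_tls12(floor)}")
```

Feed it the contents of /usr/lib/ssl/openssl.cnf instead of SAMPLE_CNF to see what every OpenSSL consumer on the host, not just Dovecot, will now accept.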
