On Fri, 7 May 2021 at 22:43, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote: > > Only one of us uses IMAP / POP3. She stopped being able to pick up mail. > The message was obscure: Thunderbird reported getting resets from the > server. > > Detective work (leaving out the blind alleys): > > Look for funny messages in the server log. The right command is arcane: > $ journalctl -b _SYSTEMD_UNIT=dovecot.service > > - -b means "since last boot". Very handy because the log can go back a > long time. > > - _SYSTEMD_UNIT=dovecot.service: only messages about dovecot. > Such an intuitive form. It won't work without the .service. > It turns out that there is a shortform, -u or --unit=. > > > May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: please set > ssl_dh=</etc/dovecot/dh.pem > May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: You can > generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | > openssl dhparam -inform der > /etc/dovecot/dh.pem > May 04 14:07:12 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to > initialize SSL server context: Can't load DH parameters (ssl_dh setting): > error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, > rip=192.139.70.95, lip=192.139.70.82, session=<jkGQ8oTBnIDAi0Zf> > May 04 15:30:28 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to > initialize SSL server context: Can't load DH parameters (ssl_dh setting): > error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, > rip=192.139.70.95, lip=192.139.70.82, session=<SWRMHIbBmILAi0Zf> > > The first two messages were almost impossible to read because the were in > yellow. > > It turns out that the first means that you have to edit > /etc/dovecot/conf.d/10-ssl.conf > and change > #ssl_dh = </etc/dovecot/dh.pem > to > ssl_dh = </etc/dovecot/dh.pem > > /etc/dovecot/dh.pem was already there. > > OPTIONAL: > > /etc/dovecot/dh.pem specified a really weak Diffie-Hellman group. > Your should probably strengthen it. I chose ffdhe2048, a weak one (2048 > bits) that is still "OK". > See: > <https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups> > > You need it in PEM format. First save the old one. Then grab a new one: > curl https://ssl-config.mozilla.org/ffdhe2048.txt > > /etc/dovecot/dh.pem > > Then adjust ownership and permissions.
This sent me on a bit of a chase. Nginx uses a DH parameters file that's used in the same way. And it's considered a bad idea to use a widely known DH parameter (like the one that ships with the software, or that sits on a Mozilla server). This is a semi-useful read: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters. I say "semi-useful" because honestly some of it was over my head. And that leads to reading about Logjam ( https://weakdh.org/ ). With Ansible I've automated the generation of a new DH parameter file on each new server: openssl dhparam -out <filename> <size> Generating this file takes a significant amount of time (minutes) if "size" is reasonably large (2096, although I would recommend 4192) even on a modern machine. But it's a one-off for any given machine, so it's a small imposition that I'd recommend. If this breaks the mail setup, you can obviously return to the known value from Mozilla. -- Giles https://www.gilesorr.com/ giles...@gmail.com --- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk