On Sun, 9 May 2021 at 08:30, Giles Orr <[email protected]> wrote:
>
> On Fri, 7 May 2021 at 22:43, D. Hugh Redelmeier via talk
> <[email protected]> wrote:
> >
> > Only one of us uses IMAP / POP3. She stopped being able to pick up mail.
> > The message was obscure: Thunderbird reported getting resets from the
> > server.
> >
> > Detective work (leaving out the blind alleys):
> >
> > Look for funny messages in the server log. The right command is arcane:
> > $ journalctl -b _SYSTEMD_UNIT=dovecot.service
> >
> > - -b means "since last boot". Very handy because the log can go back a
> > long time.
> >
> > - _SYSTEMD_UNIT=dovecot.service: only messages about dovecot.
> > Such an intuitive form. It won't work without the .service.
> > It turns out that there is a short form, -u or --unit=.
> >
> >
> > May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: please set
> > ssl_dh=</etc/dovecot/dh.pem
> > May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: You can
> > generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 |
> > openssl dhparam -inform der > /etc/dovecot/dh.pem
> > May 04 14:07:12 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed
> > to initialize SSL server context: Can't load DH parameters (ssl_dh
> > setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:
> > user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<jkGQ8oTBnIDAi0Zf>
> > May 04 15:30:28 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed
> > to initialize SSL server context: Can't load DH parameters (ssl_dh
> > setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:
> > user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<SWRMHIbBmILAi0Zf>
> >
> > The first two messages were almost impossible to read because they were in
> > yellow.
> >
> > It turns out that the first means that you have to edit
> > /etc/dovecot/conf.d/10-ssl.conf
> > and change
> > #ssl_dh = </etc/dovecot/dh.pem
> > to
> > ssl_dh = </etc/dovecot/dh.pem
> >
> > /etc/dovecot/dh.pem was already there.
> >
> > OPTIONAL:
> >
> > /etc/dovecot/dh.pem specified a really weak Diffie-Hellman group.
> > You should probably strengthen it. I chose ffdhe2048, a weak one (2048
> > bits) that is still "OK".
> > See:
> > <https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups>
> >
> > You need it in PEM format. First save the old one. Then grab a new one:
> > curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem
> >
> > Then adjust ownership and permissions.
>
> This sent me on a bit of a chase. Nginx uses a DH parameters file
> that's used in the same way. And it's considered a bad idea to use a
> widely known DH parameter (like the one that ships with the software,
> or that sits on a Mozilla server). This is a semi-useful read:
> https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters.
> I say "semi-useful" because honestly some of it was over my head. And
> that leads to reading about Logjam ( https://weakdh.org/ ).
>
> With Ansible I've automated the generation of a new DH parameter file
> on each new server:
>
> openssl dhparam -out <filename> <size>
>
> Generating this file takes a significant amount of time (minutes) if
> "size" is reasonably large (2096, although I would recommend 4192)
> even on a modern machine. But it's a one-off for any given machine,
> so it's a small imposition that I'd recommend. If this breaks the
> mail setup, you can obviously return to the known value from Mozilla.
"2096" "4192" ... <facepalm> They're just numbers, but I did mean to say
"2048" and "4096" as regular power-of-2 numbers ...

--
Giles
https://www.gilesorr.com/
[email protected]
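A defender-side check for the failure described in this thread, added here as an example and not code from either message: it parses a `DH PARAMETERS` PEM file (the PKCS#3 SEQUENCE of modulus p and generator g that `openssl dhparam` writes and Dovecot's `ssl_dh` reads) in pure Python and reports the modulus size, so every dh.pem on a fleet can be audited before a crypto-policy or OpenSSL update starts refusing it with "dh key too small". `MIN_DH_BITS`, `encode_dh_params`, `parse_dh_params`, `dh_strength` and the two sample PEMs are my own names and constructed values; the sample moduli are merely odd numbers of the right bit length, not real DH groups, and must never be installed anywhere. The check measures size only; primality and safe-prime structure are what `openssl dhparam -check -in dh.pem -noout` verifies.

```python
import base64
import re

# Minimum modulus size this check accepts. 2048 bits is the floor the thread
# recommends; it is a constructed policy value here, not an OpenSSL constant.
MIN_DH_BITS = 2048


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """Encode a non-negative INTEGER; an extra 0x00 keeps a high top bit positive."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_len(der, pos):
    """Decode a DER length at pos; return (length, position of the content)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_dh_params(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block, without calling openssl."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_len(der, 1)
    values = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = _read_len(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + length], "big", signed=True))
        pos += length
    return values[0], values[1]


def dh_strength(pem, minimum=MIN_DH_BITS):
    """Report the modulus size and whether it meets the policy minimum."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    return {"bits": bits, "generator": g, "acceptable": bits >= minimum}


# Constructed sample moduli: odd numbers of the right size, NOT real DH groups.
# They only exercise the size check; never install them in a server.
WEAK_PEM = encode_dh_params(2**1023 + 1, 2)      # 1024-bit, like an old default
STRONG_PEM = encode_dh_params(2**2047 + 1, 2)    # 2048-bit

if __name__ == "__main__":
    # Audit a real file with: dh_strength(open("/etc/dovecot/dh.pem").read())
    for name, pem in (("weak", WEAK_PEM), ("strong", STRONG_PEM)):
        print(name, dh_strength(pem))
```

Because the parser never shells out, it can run inside an Ansible check or a config-lint step on hosts where `openssl` is unavailable, and the `minimum` argument lets the same check enforce Giles's preferred 4096-bit floor on servers where the generation cost has already been paid.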
