Hi again,

On 1/11/2017 12:01 AM, Aki Tuomi wrote:

On 31.10.2017 15:00, Reuben Farrelly wrote:
Hi,

On 30/10/2017 7:22 PM, dovecot-requ...@dovecot.org wrote:
Message: 6
Date: Mon, 30 Oct 2017 10:22:42 +0200
From: Teemu Huovila <teemu.huov...@dovecot.fi>
To: dovecot@dovecot.org
Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
Message-ID: <7d2c0b5b-019a-067c-c6be-f36571ed9...@dovecot.fi>
Content-Type: text/plain; charset=utf-8



On 30.10.2017 09:10, Aki Tuomi wrote:

On 30.10.2017 00:23, Reuben Farrelly wrote:
Hi Aki,

On 30/10/2017 12:43 AM, Aki Tuomi wrote:
On October 29, 2017 at 1:55 PM Reuben Farrelly <reuben-dove...@reub.net> wrote:


Hi again,

Chasing down one last problem which seems to have been missed from my last email:

On 20/10/2017 9:22 PM, Stephan Bosch wrote:
Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
On 18/10/2017 11:40 PM, Timo Sirainen wrote:
On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dove...@reub.net> wrote:
This problem below is still present in 2.3 -git, as of version 2.3.devel (6fc40674e)

Secondly, this ssl_dh messages is always printed from doveconf:

doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem

Yet the file is there:

thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem

And the config is there as well:

thunderstorm dovecot # doveconf -P | grep ssl_dh
ssl_dh = </etc/dovecot/dh.pem
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
  ssl_dh = -----BEGIN DH PARAMETERS-----
thunderstorm dovecot #

It appears that this warning is being triggered by the presence of the ssl-parameters.dat file, because when I remove it the warning goes away.
Perhaps the warning could be made a bit more specific about this file being removed if it is not required, because at the moment the warning message is not related to the trigger.

Thanks,
Reuben
It is triggered when there is ssl-parameters.dat file *AND* there is
no ssl_dh=< explicitly set in config file.

Aki
I have this already in my 10-ssl.conf file:

lightning dovecot # /etc/init.d/dovecot reload
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
-inform der > /etc/dovecot/dh.pem
 * Reloading dovecot configs and restarting auth/login processes ... [ ok ]
lightning dovecot #

However:

lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
# gives on startup when ssl_dh is unset.
ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #

and the file is there:

lightning dovecot # ls -la /etc/dovecot/dh.pem
-rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
lightning dovecot #

So it is actually configured and yet the warning still is present.

Reuben
Hi!

I gave this a try, and I was not able to repeat this issue. Perhaps you
are still missing ssl_dh somewhere?

Aki

Hello

Just a guess, but at this point I would recommend reviewing the
output of "doveconf -n" to make sure the appropriate settings are
present.

br,
Teemu
I still can't see anything amiss.  Here's the output from doveconf -n:

# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password =  # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   args = failure_show_msg=yes %s
   driver = pam
}
plugin {
   fts = lucene
   fts_autoindex = yes
   fts_languages = en
   fts_lucene = whitespace_chars=@.
   mail_replica = tcps:inside-mail.reub.net:4813
   replication_full_sync_interval = 4 hours
   sieve = file:~/sieve;active=~/.dovecot.sieve
   stats_refresh = 30 secs
   stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
   fifo_listener replication-notify-fifo {
     mode = 0666
     user = root
   }
   unix_listener replication-notify {
     mode = 0666
     user = root
   }
}
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   unix_listener auth-userdb {
     mode = 0777
   }
}
service doveadm {
   inet_listener {
     address = 2400:8901:e001:3a::20
     port = 4813
     ssl = yes
   }
   user = root
}
service imap {
   executable = imap postlogin
}
service lmtp {
   inet_listener lmtp {
     address = ::1
     port = 24
   }
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0660
     user = postfix
   }
}
service postlogin {
   executable = script-login -d rawlog
}
service replicator {
   process_min_avail = 1
   unix_listener replicator-doveadm {
     mode = 0666
   }
}
service stats {
   fifo_listener stats-mail {
     mode = 0666
   }
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
   driver = passwd
}
protocol lmtp {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol !indexer-worker {
   ssl_dh =  # hidden, use -P to show it
}
protocol lda {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol imap {
   mail_plugins = stats notify replication fts fts_lucene imap_stats
   ssl_dh =  # hidden, use -P to show it
}
protocol sieve {
   ssl_dh =  # hidden, use -P to show it
}
protocol pop3 {
   ssl_dh =  # hidden, use -P to show it
}

And showing with -P as an example:

protocol pop3 {
   ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----

There is a single set of valid DH parameters for every protocol as
listed above.

It seems odd that ssl_dh is defined specifically for all of these protocols, too.  This per-protocol definition of ssl_dh isn't specified in any config file.

Reuben
Can you try with doveconf -nP  and ensure all those ssl_dh lines are of
form ssl_dh =</file?

Aki

That's the thing.  Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.

There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file.  See here:

lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #

The rest of them must be being inherited from that statement above.

But back to the original question: if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/, then without any other configuration changes the error goes away on reload and from the doveconf output.  Not only that, but if the ssl-parameters.dat file is removed then those per-protocol ssl_dh lines in doveconf -n also disappear.

To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled.  Something buggy with backwards compatibility perhaps?

[Also tested with latest 2.3 -git as of today - same result]

Reuben
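As an added example for this thread (not Dovecot's code and not from any of the posters), the check Aki asked for, done mechanically rather than by eye: walk the text of `doveconf -nP`, record the form of every `ssl_dh` line by scope (global, or the `protocol ...` block it sits in), and list any scope whose value is not a `</file` reference, which is exactly what the per-protocol inline PEM blocks above would trip. It also parses a `DH PARAMETERS` PEM down to the DER and reports the prime size, so the referenced dh.pem can be checked for being a sane parameter file. Everything here is constructed: the sample doveconf text, the script name in the usage comment, and the tiny PEM encoder, whose only purpose is to build test input (its `p` is not a real prime).

```python
"""Check Dovecot ssl_dh settings from `doveconf -nP` output and sanity-check a
DH parameter PEM.  Added example for this thread, not Dovecot's own code.
Assumes you pipe the text of `doveconf -nP` into it; all sample data below
is constructed."""
import base64
import sys

BEGIN = "-----BEGIN DH PARAMETERS-----"
END = "-----END DH PARAMETERS-----"


def classify_value(value):
    """Form of an ssl_dh value: 'file' (</path), 'inline-pem',
    'hidden-or-empty' (what `doveconf -n` prints without -P), or 'other'."""
    v = value.strip()
    if v == "" or v.startswith("#"):
        return "hidden-or-empty"
    if v.startswith("<"):
        return "file"
    if v.startswith(BEGIN):
        return "inline-pem"
    return "other"


def ssl_dh_scopes(text):
    """Return {scope: form} for every ssl_dh line; scope is 'global' or the
    outermost enclosing block, e.g. 'protocol lmtp'."""
    found = {}
    stack = []  # currently open { } blocks, outermost first
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line.startswith("ssl_dh") and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "ssl_dh":
                found[stack[0] if stack else "global"] = classify_value(value)
    return found


def non_file_scopes(text):
    """Scopes whose ssl_dh is not of the form `ssl_dh = </file`."""
    return sorted(s for s, form in ssl_dh_scopes(text).items() if form != "file")


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_uint(n):
    """DER INTEGER for non-negative n; the spare leading byte keeps the sign bit clear."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def make_dh_pem(p, g=2):
    """CONSTRUCTED TEST INPUT ONLY: encode (p, g) as a PKCS#3 DH PARAMETERS PEM
    with 64-column base64.  p is not checked for primality; never deploy this."""
    body = _der_uint(p) + _der_uint(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


def dh_prime_bits(pem_text):
    """Parse a DH PARAMETERS PEM (DER SEQUENCE { INTEGER p, INTEGER g }) and
    return the bit length of p; raise ValueError on anything malformed."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a DH PARAMETERS PEM")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)

    def tlv(buf, pos, tag):
        if pos + 2 > len(buf) or buf[pos] != tag:
            raise ValueError("unexpected DER tag at offset %d" % pos)
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits say how many length bytes follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("DER length runs past end of data")
        return buf[pos:pos + length], pos + length

    seq, _ = tlv(der, 0, 0x30)
    p_bytes, pos = tlv(seq, 0, 0x02)
    g_bytes, _ = tlv(seq, pos, 0x02)
    p, g = int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
    if p < 3 or g < 2:
        raise ValueError("implausible DH parameters")
    return p.bit_length()


# Constructed sample in the shape of the thread's `doveconf -nP` output.
SAMPLE_DOVECONF_NP = """\
# 2.3.devel: /etc/dovecot/dovecot.conf
namespace inbox {
  inbox = yes
  mailbox "Sent Messages" {
    special_use = \\Sent
  }
}
ssl_cert = </etc/ssl/dovecot/example.crt
ssl_dh = </etc/dovecot/dh.pem
protocol lmtp {
  ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----
}
protocol imap {
  ssl_dh = </etc/dovecot/dh.pem
}
"""

if __name__ == "__main__":
    # Usage: doveconf -nP | python3 check_ssl_dh.py   (script name is hypothetical)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOVECONF_NP
    for scope, form in sorted(ssl_dh_scopes(text).items()):
        print("%-20s ssl_dh is %s" % (scope, form))
    print("not of the form ssl_dh = </file:", ", ".join(non_file_scopes(text)) or "none")
```

Two things fall out of this. First, a `protocol` block reporting `inline-pem` when the only `ssl_dh` in the config files is the global `</etc/dovecot/dh.pem` is precisely the symptom described above, and the checker makes that visible without reading eight PEM blobs by hand. Second, the 769-byte dh.pem shown in the thread is exactly the size the encoder produces for a 4096-bit prime with g = 2 in 64-column PEM, so the file itself is consistent with ordinary `openssl dhparam` output; the oddity is in how it is being picked up, not in the file.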
