> On 14 December 2018 at 02:12 "C. Andrews Lavarre" <alava...@gmail.com> wrote:
>
> Problem:
> We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
> upgraded openSUSE to Leap 15.0.
> In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
> works and I haven't figured out how to downgrade to the older working
> version.
>
> The key issue seems to be the change to requiring dh.pem and changing
> ssl_protocols to ssl_min_protocols. I think I've navigated both
> correctly, but it still doesn't work.
> The error is
> auth: Error: stats: open(old-stats-user) failed: Permission denied
>
> as a consequence of which we get
> imap-login: Error: Failed to initialize SSL server context: Can't
> load SSL certificate: There is no valid PEM certificate.
>
> We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
> 1. We have created /etc/dovecot/dh.pem (yes it took five hours)
>
> 2. We have edited 10-ssl.conf as directed by the Wiki:
> ssl = yes
> ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
> ssl_key = /etc/certbot/live/privustech.com/privkey.pem
> ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...)
Hi!

You should use

ssl_cert = </etc/certbot/live/privustech.com/fullchain.pem
ssl_key = </etc/certbot/live/privustech.com/privkey.pem
ssl_dh = </etc/dovecot/dh.pem

> ssl_min_protocol = TLSv1
> ssl_cipher_list =
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = no
>

You should set ssl_prefer_server_ciphers = yes.

> 3. We have checked 10-ssl.conf against the 2.3 default at
>
> https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
>
> 4. We do NOT include the less than (<) symbol before the paths because
> then dovecot fails to load complaining it cannot find the files.
>

Yes, this is probably an indication that you are missing the files or are chrooting dovecot in an unsupported way. Not including the < symbol will not help with this.

> 5. We have checked all the pem keys, certificates, and dh
> files with cat, they all exist and are in the expected hash format.
>
> 6. We have followed the instructions to set their permissions
> root:root 0444 and 0400 accordingly.
> 7. We have rebooted the host.
>

This is correct.

> Any help or clues would be most appreciated.
>
> Kind regards, Andy
>
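The checks the reply is describing, written up as an added example that is not part of this thread and not Dovecot's own code: a POSIX shell pre-flight script that reads a 10-ssl.conf and verifies that ssl_cert, ssl_key and ssl_dh use the "<path" form (without the "<" Dovecot takes the value itself as the PEM data, which is what "There is no valid PEM certificate" reports), that each referenced file is readable and starts with a PEM header of the right type, that the private key is not group- or world-readable, and that ssl_prefer_server_ciphers is yes. It runs against a constructed scratch directory with header-only placeholder PEM files standing in for /etc/certbot and /etc/dovecot; the function names ssl_setting, check_pem_setting, check_key_private and check_ssl_conf are this example's own.

```shell
#!/bin/sh
# check_dovecot_ssl.sh -- added example, not from Dovecot or from this thread.
# Pre-flight check of a Dovecot 2.3 10-ssl.conf before restarting the service:
#   * ssl_cert / ssl_key / ssl_dh must be written as "<path"; without "<"
#     Dovecot treats the value itself as the PEM data
#   * each referenced file must exist, be readable and carry a PEM header
#   * the private key must not be group- or world-readable (use 0400)
#   * ssl_prefer_server_ciphers should be yes
# Only PEM headers are inspected; cryptographic validity is left to openssl.

# Print the value of a setting (first occurrence, trailing whitespace removed).
ssl_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Validate one file-valued setting: $1 config, $2 setting, $3 PEM header regex.
# Prints a diagnostic and returns 1 on failure, 0 on success.
check_pem_setting() {
    value=$(ssl_setting "$1" "$2")
    case "$value" in
        "")   echo "$2: not set"; return 1 ;;
        "<"*) path=${value#<} ;;
        *)    echo "$2: missing '<' prefix; Dovecot would use '$value' itself as PEM data"
              return 1 ;;
    esac
    [ -r "$path" ] || { echo "$2: cannot read $path"; return 1; }
    grep -q "^-----BEGIN $3-----" "$path" \
        || { echo "$2: $path has no '-----BEGIN $3-----' header"; return 1; }
    return 0
}

# Fail if the private key named by ssl_key is readable by group or others.
check_key_private() {
    path=$(ssl_setting "$1" ssl_key); path=${path#<}
    [ -n "$path" ] || return 1
    if [ -n "$(find "$path" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "ssl_key: $path is group- or world-readable; use mode 0400"; return 1
    fi
    return 0
}

# Run every check on one config file; returns 0 only if all of them pass.
check_ssl_conf() {
    rc=0
    check_pem_setting "$1" ssl_cert "CERTIFICATE" || rc=1
    check_pem_setting "$1" ssl_key ".*PRIVATE KEY" || rc=1
    check_pem_setting "$1" ssl_dh "DH PARAMETERS" || rc=1
    check_key_private "$1" || rc=1
    [ "$(ssl_setting "$1" ssl_prefer_server_ciphers)" = "yes" ] \
        || { echo "ssl_prefer_server_ciphers: should be yes"; rc=1; }
    return $rc
}

# --- Constructed sample: a scratch directory standing in for the host. ---
# The PEM files are header-only placeholders, not real key material.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/live" "$WORK/dovecot"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$WORK/live/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' \
    '-----END PRIVATE KEY-----' > "$WORK/live/privkey.pem"
printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'MIIC...placeholder...' \
    '-----END DH PARAMETERS-----' > "$WORK/dovecot/dh.pem"
chmod 0444 "$WORK/live/fullchain.pem" "$WORK/dovecot/dh.pem"
chmod 0400 "$WORK/live/privkey.pem"

# The configuration as posted: no "<" prefix, ssl_prefer_server_ciphers = no.
BAD_CONF=$WORK/10-ssl.bad.conf
cat > "$BAD_CONF" <<EOF
ssl = yes
ssl_cert = $WORK/live/fullchain.pem
ssl_key = $WORK/live/privkey.pem
ssl_dh = $WORK/dovecot/dh.pem
ssl_min_protocol = TLSv1
ssl_prefer_server_ciphers = no
EOF

# The configuration as the reply recommends it.
GOOD_CONF=$WORK/10-ssl.good.conf
cat > "$GOOD_CONF" <<EOF
ssl = yes
ssl_cert = <$WORK/live/fullchain.pem
ssl_key = <$WORK/live/privkey.pem
ssl_dh = <$WORK/dovecot/dh.pem
ssl_min_protocol = TLSv1
ssl_prefer_server_ciphers = yes
EOF

for conf in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $conf"
    if check_ssl_conf "$conf"; then echo "OK"; else echo "FAILED"; fi
done
```

On a real host, drop the sample section and call check_ssl_conf /etc/dovecot/conf.d/10-ssl.conf as root, then confirm the effective values with doveconf -n. The header check says nothing about the contents, so follow it with openssl x509 -in fullchain.pem -noout -dates and openssl dhparam -in dh.pem -noout -check before restarting Dovecot.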