> On 14 December 2018 at 02:12 "C. Andrews Lavarre" <alava...@gmail.com> wrote:
> 
> 
> Problem:
> We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
> upgraded openSUSE to Leap 15.0.
> In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
> works and I haven't figured out how to downgrade to the older working
> version.
> 
> The key issue seems to be the change to requiring dh.pem and changing
> ssl_protocols to ssl_min_protocols. I think I've navigated both
> correctly, but it still doesn't work.
> The error is
>            auth: Error: stats: open(old-stats-user) failed: Permission denied
> 
>       as a consequence of which we get
>                   imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.
> 
> We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
>       1. We have created /etc/dovecot/dh.pem (yes it took five hours)
> 
>       2. We have edited 10-ssl.conf as directed by the Wiki:
>                                   ssl = yes
>                                   ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
>                                   ssl_key = /etc/certbot/live/privustech.com/privkey.pem
>                                   ssl_dh = /etc/dovecot/dh.pem             #(yes, it took five hours to create...)


Hi! You should use

ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem  
ssl_key =</etc/certbot/live/privustech.com/privkey.pem
ssl_dh =</etc/dovecot/dh.pem

>                                   ssl_min_protocol = TLSv1
>                                   ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>                                   ssl_prefer_server_ciphers = no
> 

You should set ssl_prefer_server_ciphers = yes. 

>       3. We have checked 10-ssl.conf against the 2.3 default at
> https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
> 
>       4. We do NOT include the less than (<) symbol before the paths because 
> then dovecot fails to load complaining it cannot find the files.
> 

Yes, this is probably an indication that you are missing the files or are
chrooting dovecot in an unsupported way. Not including the < symbol will not help
with this.

>       5. We have checked all the pem keys, certificates, and dh
> files with cat, they all exist and are in the expected hash format.
> 
>       6. We have followed the instructions to set their permissions
> root:root 0444 and 0400 accordingly.
>       7. We have rebooted the host.
>

This is correct.
 
> Any help or clues would be most appreciated.
> 
> Kind regards, Andy
>
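
The `<` form discussed in the reply, as an added example that is not part of the original thread and not Dovecot's own code: a small Python linter for the settings quoted above. Without `<`, Dovecot uses the text after `=` as the value itself instead of reading the file, so the path string is what gets parsed as a certificate. The names `lint_ssl_conf` and `demo`, the simplified `#` comment handling and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Settings that need file *contents*, loaded with Dovecot's "<path" form.
FILE_SETTINGS = {"ssl_cert", "ssl_key", "ssl_dh"}
PEM_HEADER = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")

def lint_ssl_conf(text):
    """Return (setting, message) findings for 10-ssl.conf style text.
    Hypothetical helper; '#' comment handling is simplified."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in FILE_SETTINGS:
            if not value.startswith("<"):
                findings.append((key, "literal string, not '<path': no PEM data loaded"))
                continue
            path = value[1:].strip()
            try:
                with open(path, "r", errors="replace") as fh:
                    if not PEM_HEADER.search(fh.read()):
                        findings.append((key, "file has no PEM BEGIN header"))
            except OSError as exc:
                findings.append((key, f"cannot read {path}: {exc.strerror}"))
        elif key == "ssl_prefer_server_ciphers" and value != "yes":
            findings.append((key, "reply advises 'yes'"))
    return findings

def demo():
    """Lint a constructed 'before' and 'after' config against temp files."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "fullchain.pem")
        with open(cert, "w") as fh:  # constructed placeholder, not a real cert
            fh.write("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
        before = f"ssl = yes\nssl_cert = {cert}\nssl_prefer_server_ciphers = no\n"
        after = (f"ssl = yes\nssl_cert = <{cert}\n"
                 f"ssl_key = <{d}/missing.pem\nssl_prefer_server_ciphers = yes\n")
        return lint_ssl_conf(before), lint_ssl_conf(after)

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

Run it as the user the Dovecot login processes run as, so a "cannot read" finding reflects the same file permissions the server sees.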
