Re: Unable to connect/authenticate after Debian SSL update

Tue, 01 Oct 2019 17:16:12 -0700

And as usually happens, right after posting this I found the problem by looking in the right place!:
Oct 01 17:06:58 Error: pop3-login: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=199.73.114.98, lip=10.0.0.81, session=<s/ZZP+KTVszHSXJi> 

fixed with:

root@relay: /etc/dovecot # openssl dhparam 4096 > dh.pem

sorry for the noise.

On 2019-10-01 17:05, paul via dovecot wrote:

Just applied Debian SSL updates, due to vulnerabilities reported:

"Package        : openssl
CVE ID         : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563


Three security issues were discovered in OpenSSL: A timing attack 
against
ECDSA, a padding oracle in PKCS7_dataDecode() and 
CMS_decrypt_set1_pkey()
and it was discovered that a feature of the random number generator 
(RNG)

intended to protect against shared RNG state between parent and child
processes in the event of a fork() syscall was not used by default.


For the oldstable distribution (stretch), these problems have been 
fixed

in version 1.1.0l-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.1.1d-0+deb10u1."

I am running Buster. Upon installing these updates, Dovecot
immediately stopped allowing authentication:

Oct  1 16:47:11 relay monit[539]: 'dovecot' failed protocol test
[IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error:
error:00000000:lib(0):func(0):reason(0)
Oct  1 16:50:22 relay monit[539]: 'dovecot' failed protocol test
[IMAP] at [localhost]:993 [TCP/IP TLS] -- SSL connection error:
error:00000000:lib(0):func(0):reason(0)

and

Oct 01 16:51:18 imap-login: Info: Disconnected: TLS initialization
failed. (no auth attempts in 0 secs): user=<>, rip=71.198.57.170,
lip=10.0.0.81, session=<0EdTB+KT+/NHxjmq>

Each time this occurs, dovecot restarts:
Oct 01 16:50:23 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 16:50:42 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 16:51:10 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 16:53:35 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 16:56:46 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 16:59:57 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)
Oct 01 17:03:08 master: Info: Dovecot v2.3.7.2 (3c910f64b) starting up
for pop3, imap (core dumps disabled)

I am at a loss. Dovecot had been working fine for ages. It's not clear
to me why a routine SSL update would completely break it. I'm unclear
how to proceed. This is a small personal server, but nevertheless I
have a number of people using it who rely on it.

Here is my local.conf ( I added the ssl_protocols and ssl_min_protocol
entries just a few minutes ago while attempting to resolve)

auth_cache_size = 100 k
auth_cache_ttl = 12 hours
auth_cache_negative_ttl = 12 hours
auth_cache_verify_password_with_worker=yes
auth_verbose = yes
auth_failure_delay = 7 secs
default_client_limit = 500
default_process_limit = 50
default_vsz_limit = 100 M
verbose_proctitle = yes
protocols = pop3 imap
pop3_uidl_format = %08Xu%08Xv
imap_idle_notify_interval = 244 secs
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot-error.log
maildir_very_dirty_syncs=yes
mail_location = maildir:~/Maildir
mailbox_idle_check_interval = 244 secs
mailbox_list_index = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}

passdb {
  driver = passwd-file
  args = /etc/dovecot/deny
  deny = yes
}

passdb {
  driver = pam
}
userdb {
  driver = passwd
}

service auth {
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

protocol imap {
  mail_max_userip_connections = 20
}

service imap {
  unix_listener imap-master {
    user = dovecot
  }
}
imap_hibernate_timeout = 1 mins
service imap {
  extra_groups = dovenull
}
service imap-hibernate {
  unix_listener imap-hibernate {
    mode = 0660
    group = dovenull
  }
}
ssl = required
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_min_protocol=TLSv1
ssl_dh=</etc/dovecot/dh.pem
ssl_cert = </etc/letsencrypt/live/relay.anastrophe.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/relay.anastrophe.com/privkey.pem






















					Reply via email to