elmussol

Tue, 13 Aug 2019 06:31:38 -0400

elmussol

elmussol@elsmussols.net

The upgrade from Stretch to Buster for the most part went well. I did however break something on email. Thunderbird tells me:

Thunderbird wrote:

The IMAP server mail.elsmussols.net does not support the selected authentication method.

My T'Bird settings pre-upgrade (which worked):

Connecttion security: STARTTLS
Authentication method: Normal password
Port: 143

Stretch to Buster involved moving from dovecot 2.2 to 2.3 and I got the following emails from apt:

dovecot (1:2.3.2-1) unstable; urgency=medium

  Upgrading to the 2.3 series may require manual configuration changes.
  Some settings have been removed, while others have had their defaults
  changed. Please see

    /usr/share/doc/dovecot-core/wiki/Upgrading.2.3.txt.gz

  or the online version at

    https://wiki2.dovecot.org/Upgrading/2.3

  for more information and review your configuration accordingly.

 -- Apollon Oikonomopoulos <apoikos@debian.org>  Sat, 24 Mar 2018 00:34:07 +0200

dovecot (1:2.2.31-1) unstable; urgency=medium

  TLS is now enabled by default, using the ssl-cert-snakeoil certificate
  provided by the ssl-cert package. Upgrades from older versions will be
  prompted to accept the new configuration and enable TLS. If you have already
  configured TLS yourself, you'll most probably want to keep your settings
  intact.

  See /usr/share/doc/dovecot-core/README.Debian for more information on the
  certificate's default location and how to install your own certificates.

 -- Apollon Oikonomopoulos <apoikos@debian.org>  Sun, 25 Jun 2017 01:09:28 +0300

On the server I am getting the following errors in /var/log/mail.err:

Aug 13 12:21:20 pendle dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=XX, lip=XX

So I am lost. I know that this means I have to adjust some DH config to make a bigger key but I am have mangled my head on how to untangle all the various settings in all the various dovecot config files.

Comments please. I can do this but just need a few weeds clearing out of the way first. I have said this before "Email makes my head hurt".

dovecot

show all 5 comments

Tue, 13 Aug 2019 06:50:19 -0400

elmussol

elmussol@elsmussols.net

Additional useful info:

root@pendle:/etc/dovecot/conf.d# grep -r ssl_
10-auth.conf:#auth_ssl_require_client_cert = no
10-auth.conf:#auth_ssl_username_from_cert = no
10-ssl.conf:ssl_cert = </etc/dovecot/private/dovecot.pem
10-ssl.conf:ssl_key = </etc/dovecot/private/dovecot.key
10-ssl.conf:# root owned 0600 file by using ssl_key_password = <path.
10-ssl.conf:#ssl_key_password =
10-ssl.conf:# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
10-ssl.conf:# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
10-ssl.conf:#ssl_ca = 
10-ssl.conf:#ssl_require_crl = yes
10-ssl.conf:ssl_client_ca_dir = /etc/ssl/certs
10-ssl.conf:#ssl_client_ca_file =
10-ssl.conf:# auth_ssl_require_client_cert=yes in auth section.
10-ssl.conf:#ssl_verify_client_cert = no
10-ssl.conf:# auth_ssl_username_from_cert=yes.
10-ssl.conf:#ssl_cert_username_field = commonName
10-ssl.conf:# gives on startup when ssl_dh is unset.
10-ssl.conf:ssl_dh = </usr/share/dovecot/dh.pem
10-ssl.conf:#ssl_min_protocol = TLSv1
10-ssl.conf:#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
10-ssl.conf:#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
10-ssl.conf:#ssl_curve_list =
10-ssl.conf:#ssl_prefer_server_ciphers = no
10-ssl.conf:#ssl_crypto_device =
10-ssl.conf:#ssl_options =

Tue, 13 Aug 2019 06:56:53 -0400 last edited: Tue, 13 Aug 2019 07:12:31 -0400

elmussol

elmussol@elsmussols.net

From #^Upgrading Dovecot v2.2 to v2.3:

ssl_protocols setting was replaced by ssl_min_protocol. Now you only specify the minimum ssl protocol version Dovecot accepts, defaulting to TLSv1.

ssl_parameters was replaced with ssl_dh. See Diffie-Hellman Parameters for SSL.

SSLv2 is no longer supported in ssl_protocols.

Tue, 13 Aug 2019 07:57:48 -0400

elmussol

elmussol@elsmussols.net

After further reading I have run openssl dhparam -out /etc/dovecot/dh.pem 4096 and this file exists:

root@pendle:~# ls -al /etc/dovecot/ | grep dh
-rw-r--r--   1 root root     769 Aug 13 13:34 dh.pem

Then: service dovecot stop && service dovecot start with no errors. Still no cigar and the same errors in mail.err.

Tue, 13 Aug 2019 10:00:06 -0400

IMH and stupid O, Debian in the last times changed: stable became testing - testing became unstable--unstable became hell.

Wed, 14 Aug 2019 10:01:36 -0400

elmussol

elmussol@elsmussols.net

Fixed at last, with massive help from @boneidol. Seems that the config snippets in /etc/dovecot/conf.d/ weren't respected if different settings existed within /etc/dovecot/dovecot.conf. I had done all the right things in /etc/dovecot/conf.d/ but not /etc/dovecot/dovecot.conf.