Acknowledgement sent to Martin Schwenke <[email protected]>: New Bug report received and forwarded. Copy sent to Dovecot Maintainers <[email protected]>. (Mon, 08 Jul 2019 07:45:05 GMT)
Subject: /usr/sbin/dovecot: Logged fix for SSL configuration issue is potentially useless
Date: Mon, 8 Jul 2019 17:32:35 +1000
Package: dovecot-core
Version: 1:2.3.4.1-5
Severity: important
File: /usr/sbin/dovecot
Dear Maintainer,
During upgrade from stretch to buster the following was logged:
Jul 6 22:06:27 digby dovecot: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Jul 6 22:06:27 digby dovecot: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
I did a variation of this (using /etc/dovecot/private/dh.pem instead).
After this, when attempting to connect to imaps, I got:
Jul 6 22:06:27 digby dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.168.20.32, lip=192.168.20.5, session=<zFlpCgKNwufAqBQg>
It was very difficult to find any information about the "dh key too small"
message. :-(
I ended up looking here:
https://wiki.dovecot.org/SSL/DovecotConfiguration
and this recommended using:
openssl dhparam 4096 > dh.pem
After I did this the "dh key too small" messages stopped and I was able
to connect.
The recommended command that was logged was not useful. The
ssl-parameters.dat file was last updated some time in 2015 and is
probably out of date. So, I guess that either the ssl-parameters.dat
file needs to be somehow updated or the log message should provide
a more foolproof hint, perhaps a pointer to the wiki.
Thanks...
peace & happiness,
martin
-- Package-specific info:
dovecot configuration
---------------------
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-5-amd64 x86_64 Debian 10.0
# Hostname: digby.PRIVATE-DOMAIN-ELIDED
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
inbox = yes
___location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = scheme=CRYPT username_format=%u /etc/dovecot/users
driver = passwd-file
}
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
args = username_format=%u /etc/dovecot/users
driver = passwd-file
}
protocol lda {
mail_plugins = " sieve"
}
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages dovecot-core depends on:
ii adduser 3.118
ii libapparmor1 2.13.2-10
ii libbz2-1.0 1.0.6-9.1
ii libc6 2.28-10
ii libexttextcat-2.0-0 3.4.5-1
ii libicu63 63.1-6
ii liblua5.3-0 5.3.3-1.1
ii liblz4-1 1.8.3-1
ii liblzma5 5.2.4-1
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libsodium23 1.0.17-1
ii libssl1.1 1.1.1c-1
ii libstemmer0d 0+svn585-1+b2
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssl 1.1.1c-1
ii ssl-cert 1.0.39
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
dovecot-core recommends no packages.
Versions of packages dovecot-core suggests:
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.3.4.1-5
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
pn dovecot-lucene <none>
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
ii dovecot-sieve 1:2.3.4.1-5
pn dovecot-solr <none>
pn dovecot-sqlite <none>
pn dovecot-submissiond <none>
ii ntp 1:4.2.8p12+dfsg-4
Versions of packages dovecot-core is related to:
ii dovecot-core [dovecot-common] 1:2.3.4.1-5
pn dovecot-dev <none>
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.3.4.1-5
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
ii dovecot-sieve 1:2.3.4.1-5
pn dovecot-sqlite <none>
-- no debconf information
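The "dh key too small" error above comes from OpenSSL refusing the DH group, not from Dovecot: Debian buster ships OpenSSL 1.1.1 with the default security level set to 2, which rejects DH parameters smaller than 2048 bits, and a group extracted from a 2015-era ssl-parameters.dat is very likely 1024-bit. The script below is an added example (not from the bug report, the Dovecot package or the Debian maintainers) that reads the group size out of an existing ssl_dh file with `openssl dhparam -text` and reports whether it will pass that check, so the file can be inspected before imap-login fails at runtime. It assumes the `openssl` command-line tool is installed and that ssl_dh points at /etc/dovecot/private/dh.pem, the path the reporter chose; the 2048-bit minimum is the security-level-2 threshold, not a Dovecot setting.

```shell
#!/bin/sh
# Added example: check whether a Dovecot ssl_dh file is large enough for
# OpenSSL 1.1.1 at security level 2 (Debian buster's default). Not part of
# the bug report or of Dovecot. Assumes the openssl CLI is available.

MIN_DH_BITS=2048   # security level 2 rejects DH groups below 2048 bits

# dh_bits_from_text: read `openssl dhparam -text -noout` output on stdin and
# print the group size. Matches both "DH Parameters: (1024 bit)" (1.1.x) and
# the older "PKCS#3 DH Parameters: (1024 bit)" header. Prints nothing if no
# size line is present.
dh_bits_from_text() {
    sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# dh_bits_of_file: print the group size of a PEM DH parameter file, or
# nothing if openssl cannot parse it.
dh_bits_of_file() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null | dh_bits_from_text
}

# dh_verdict: classify a bit count. Prints "ok" (exit 0) if it meets
# MIN_DH_BITS, "too-small" (exit 1) otherwise, and "invalid" (exit 2) when
# the argument is empty or not a number, i.e. the file was unreadable.
dh_verdict() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    if [ "$1" -ge "$MIN_DH_BITS" ]; then
        echo ok
        return 0
    fi
    echo too-small
    return 1
}

# check_dh_file: one-line report for a file plus the verdict's exit status,
# so it can gate a regeneration step in a script.
check_dh_file() {
    _bits=$(dh_bits_of_file "$1")
    _verdict=$(dh_verdict "$_bits")
    _rc=$?
    printf '%s: %s (%s bits, minimum %s)\n' \
        "$1" "$_verdict" "${_bits:-?}" "$MIN_DH_BITS"
    return $_rc
}

# Stand-alone use: ./check-dh.sh /etc/dovecot/private/dh.pem
if [ "$#" -gt 0 ]; then
    check_dh_file "$1"
    exit $?
fi
```

A non-zero exit is the cue to regenerate rather than to lower the security level: `openssl dhparam -out /etc/dovecot/private/dh.pem 4096` followed by a Dovecot restart, as the reporter and the wiki page describe. DH parameters are public values, so the file needs no special secrecy; generating 4096-bit parameters can take several minutes on modest hardware, and 2048 bits is the smallest size that passes this check.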
Acknowledgement sent to John Moyer <[email protected]>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <[email protected]>. (Thu, 11 Jul 2019 03:21:02 GMT)
Thanks.
openssl dhparam 4096 > dh.pem
Fixed it for me too.
--
------------------------------------------------------------------------
John Moyer
https://www.rsok.com/~jrm/
Acknowledgement sent to Mechtilde Stehmann <[email protected]>: Extra info received and forwarded to list. Copy sent to Dovecot Maintainers <[email protected]>. (Sun, 14 Jul 2019 06:54:03 GMT)
Hello,
On Wed, 10 Jul 2019 21:54:19 -0500 John Moyer <[email protected]> wrote:
> Thanks.
>
> openssl dhparam 4096 > dh.pem
This was one part of the solution. The other one was
https://b4d.sablun.org/blog/2019-02-25-dovecot_2.3_upgrade_on_debian/
The changes should be done in /etc/dovecot/conf.d/10-ssl.conf
Regards
--
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899 39E7 F287 7BBA 141A AD7F
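The 10-ssl.conf change referred to above, written out as an added example; it is not taken from the linked blog post or from the Dovecot package. It assumes the dh.pem path the reporter used and Debian's default certificate and key paths under /etc/dovecot/private/, and `ssl = required` is an assumption too. The commented-out lines are the Dovecot 2.2 settings that 2.3 no longer accepts: 2.2 generated its own DH group into /var/lib/dovecot/ssl-parameters.dat at the size given by ssl_dh_parameters_length, whereas 2.3 only reads a pre-generated file named by ssl_dh.

```ini
# /etc/dovecot/conf.d/10-ssl.conf for Dovecot 2.3 (added example, not from the page)
ssl = required
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

# Dovecot 2.2 setting, removed in 2.3: the daemon generated the group itself.
#ssl_dh_parameters_length = 2048

# Dovecot 2.3 reads a pre-generated group instead; create it with
#   openssl dhparam -out /etc/dovecot/private/dh.pem 4096
# A 1024-bit group here fails on Debian buster with "dh key too small".
ssl_dh = </etc/dovecot/private/dh.pem

# Dovecot 2.2 setting, replaced in 2.3 by a minimum protocol version.
#ssl_protocols = !SSLv3
ssl_min_protocol = TLSv1.2
```

After editing, `doveconf -n ssl_dh` shows the setting as hidden (as in the report's configuration dump); `doveconf -P ssl_dh` prints the actual parameters, which is a quick way to confirm Dovecot is reading the new file rather than a stale one.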