TLS Error and not working lmtp


TLS Error and not working lmtp

Jakob Schürz
Hi!

I have some troubles with the virtual plugin. I run a self-compiled
dovecot 2.2.33.2 from debian testing. I patched this version with the
QRESYNC-Patch from a few weeks ago.
But I always get an error message when I try to open an email from a
virtual mailbox.

So I cloned the current git repo and compiled dovecot and pigeonhole-sieve.

The problem with the virtual plugin seems to have gone away. But there are some
other problems.
I use ssl=required, and with dovecot from debian TLS/SSL and STARTTLS
work fine.
With the self-compiled one from git, I get this error:

dovecot[1284]: imap-login: Error: Failed to initialize SSL server
context: Couldn't parse DH parameters: error:0906D06C:PEM
routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>,
rip=127.0.0.1, lip=127.0.0.1, secured, session=<D6bC4Rlg8ut/AAAB>

The key and crt are exactly the same files as before.

The second problem is that lmtp is not working. I use exactly the same
config for Debian's dovecot and dovecot from git. But in the
git version the error in exim is:

Failed to connect to socket /var/run/dovecot/lmtp for dovecot_lmtp
transport: Connection refused

My config is:

# dovecot -n
# 2.3.devel (b1aac3a1d): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (624e1769)
# OS: Linux 4.13.0-trunk-amd64 x86_64 Debian 9.3 btrfs
auth_debug = yes
auth_mechanisms = plain login cram-md5 digest-md5
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
first_valid_uid = 1000
imap_capability = +XDOVECOT
imap_client_workarounds = tb-extra-mailbox-sep
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = *, ::1
login_trusted_networks = 127.0.0.1/8 192.168.0.0/24 192.168.1.0/24
172.17.0.0/24 172.18.0.0/24
mail_debug = yes
mail_gid = vmail
mail_home =  /var/mail/%u
mail_location =
maildir:/var/mail/%u/Maildir:LAYOUT=fs:INDEX=/var/lib/dovecot/db/indexes/Maildir/%u:INDEXPVT=/var/lib/dovecot/db/indexes/Maildir/%u:CONTROL=/var/lib/dovecot/db/control/Maildir/%u
mail_plugins = zlib quota acl listescape mail_log notify virtual
mail_privileged_group = vmail
mail_server_admin = mailto:[hidden email]
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
mmap_disable = yes
namespace {
  hidden = no
  inbox = no
  list = children
  location =
maildir:/var/mail/mailarchiv/%u/:LAYOUT=fs:INDEX=/var/lib/dovecot/db/indexes/mailarchiv/%u:INDEXPVT=/var/lib/dovecot/db/indexes/mailarchiv/%u
  mailbox incoming {
    auto = create
  }
  mailbox outgoing {
    auto = create
  }
  prefix = Mailarchiv/
  separator = /
  subscriptions = no
  type = private
}
namespace {
  list = children
  location =
maildir:/var/mail/public/:LAYOUT=fs:INDEX=/var/lib/dovecot/db/indexes/public/%u:INDEXPVT=/var/lib/dovecot/db/indexes/public/%u
  prefix = Roseggergasse/
  separator = /
  subscriptions = no
  type = public
}
namespace Geteilt {
  hidden = no
  inbox = no
  list = children
  location =
maildir:/var/mail/%%u/Maildir:LAYOUT=fs:INDEXPVT=/var/lib/dovecot/db/indexes/shared/%u/%%u:INDEX=/var/lib/dovecot/db/indexes/shared/%u/%%u
  prefix = Geteilt/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace Real {
  hidden = yes
  list = no
  location =
virtual:/var/mail/real:INDEX=/var/lib/dovecot/db/indexes/real/%u
  prefix = Real/
  separator = /
  subscriptions = no
}
namespace Synoptic {
  hidden = no
  list = children
  location =
virtual:/var/mail/virtual:INDEX=/var/lib/dovecot/db/indexes/virtual/%u
  mailbox INBOX/Archives {
    auto = no
    special_use = \Archive
  }
  mailbox INBOX/Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox INBOX/Entwürfe {
    auto = no
    special_use = \Drafts
  }
  mailbox INBOX/Junk {
    auto = no
    special_use = \Junk
  }
  mailbox INBOX/Sent {
    auto = no
    special_use = \Sent
  }
  mailbox INBOX/Spam {
    auto = no
    special_use = \Junk
  }
  prefix = Synoptic/
  separator = /
  subscriptions = no
}
namespace inbox {
  hidden = no
  inbox = yes
  location =
  mailbox Archiv {
    auto = no
    special_use = \Archive
  }
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Entwürfe {
    auto = no
    special_use = \Drafts
  }
  mailbox "Gelöschte Elemente" {
    auto = no
    special_use = \Trash
  }
  mailbox "Gelöschte Objekte" {
    auto = no
    special_use = \Trash
  }
  mailbox Gesendet {
    auto = no
    special_use = \Sent
  }
  mailbox "Gesendete Elemente" {
    auto = no
    special_use = \Sent
  }
  mailbox "Gesendete Objekte" {
    auto = no
    special_use = \Sent
  }
  mailbox Important {
    auto = no
  }
  mailbox Junk {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Mistkübel {
    auto = no
    special_use = \Trash
  }
  mailbox Papierkorb {
    auto = no
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Synoptic/Alle {
    auto = no
    comment = All my messages
    special_use = \All
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  mailbox Wichtig {
    auto = create
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
  type = private
}
namespace subscriptions {
  hidden = yes
  list = no
  location =
  prefix =
  subscriptions = yes
}
passdb {
  args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot/users
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_home =  /var/mail/%u
  setting_name = sieve, managedsieve
  sieve = file:/var/mail/%u/sieve/;active=/var/mail/%u/sieve/%u.sieve
}
postmaster_address = postmaster@localhost
protocols = imap pop3 lmtp imap lmtp sieve pop3 sieve
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 00
  }
}
service auth {
  unix_listener auth-client {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 1
  service_count = 1
}
service imap {
  executable = imap postlogin
  process_limit = 1024
  vsz_limit = 400 M
}
service lmtp {
  executable = lmtp -L
  user = vmail
  vsz_limit = 400 M
}
service postlogin {
  executable = script-login -d rawlog
}
ssl = required
ssl_cert = </usr/local/etc/dovecot/dovecot.crt
ssl_key =  # hidden, use -P to show it
userdb {
  args = username_format=%u /usr/local/etc/dovecot/users
  default_fields = home=/var/mail/%u
  driver = passwd-file
}
verbose_proctitle = yes
verbose_ssl = yes
protocol lmtp {
  auth_username_format = %n
  mail_plugins = zlib quota acl listescape mail_log notify virtual quota
sieve acl
}
protocol lda {
  mail_plugins = zlib quota acl listescape mail_log notify virtual quota
sieve acl
}
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = zlib quota acl listescape mail_log notify virtual
imap_quota imap_acl
}

Any ideas?

jakob



Re: TLS Error and not working lmtp

Aki Tuomi-2


On 12.12.2017 02:59, Jakob Schürz wrote:

> Hi!
>
> I have some troubles with the virtual plugin. I run a self-compiled
> dovecot 2.2.33.2 from debian testing. I patched this version with the
> QRESYNC-Patch from a few weeks ago.
> But I always get an error message when I try to open an email from a
> virtual mailbox.
>
> So I cloned the current git repo and compiled dovecot and pigeonhole-sieve.
>
> The problem with the virtual plugin seems to have gone away. But there are some
> other problems.
> I use ssl=required, and with dovecot from debian TLS/SSL and STARTTLS
> work fine.
> With the self-compiled one from git, I get this error:
>
> dovecot[1284]: imap-login: Error: Failed to initialize SSL server
> context: Couldn't parse DH parameters: error:0906D06C:PEM
> routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>,
> rip=127.0.0.1, lip=127.0.0.1, secured, session=<D6bC4Rlg8ut/AAAB>
>
> The key and crt are exactly the same files as before.
>
> The second problem is that lmtp is not working. I use exactly the same
> config for Debian's dovecot and dovecot from git. But in the
> git version the error in exim is:
>
> Failed to connect to socket /var/run/dovecot/lmtp for dovecot_lmtp
> transport: Connection refused
>
> My config is:
>
> [...]
>
> Any ideas?
>
> jakob
>

With v2.3 you are required to provide ssl_dh=</path/to/dh.pem yourself.

You can generate suitable parameters with openssl gendh 2048 (or 4096).
Make sure you run it on something that has plenty of entropy available,
it will take some time.

Aki
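As an added example (not code from Aki's reply or from the Dovecot project): a small POSIX shell script that generates the DH parameter file Dovecot 2.3 expects in ssl_dh, checks that the file really carries a PEM block labelled "DH PARAMETERS" (the label behind the "no start line: Expecting: DH PARAMETERS" error in the original post, which is what you get when a cert or key is handed over instead), and prints the config line to place next to ssl_cert and ssl_key. The path /usr/local/etc/dovecot/dh.pem, the function names and the use of openssl dhparam (the current name for what openssl gendh used to do) are assumptions.

```shell
#!/bin/sh
# Added example for the ssl_dh requirement discussed in this thread; not
# code from the thread or from the Dovecot project.  Paths are assumptions.

DH_FILE="${DH_FILE:-/usr/local/etc/dovecot/dh.pem}"   # assumed location

# Return 0 if the file contains a PEM block labelled "DH PARAMETERS".
# That label is what OpenSSL looks for when Dovecot loads ssl_dh; a
# certificate or key in its place yields "no start line: Expecting: DH
# PARAMETERS", exactly the error logged in the original post.
pem_has_dh_block() {
    grep -q '^-----BEGIN DH PARAMETERS-----$' "$1" 2>/dev/null &&
        grep -q '^-----END DH PARAMETERS-----$' "$1" 2>/dev/null
}

# Generate parameters with openssl dhparam (the current name of the old
# "gendh" operation).  2048 bits is the usual minimum; 4096 takes
# considerably longer, especially on a host short of entropy.
generate_dh_params() {
    openssl dhparam -out "$1" "${2:-2048}"
}

# Label check first, then let openssl parse and verify the parameters.
# Either failure would otherwise surface only when Dovecot starts.
check_dh_file() {
    if ! pem_has_dh_block "$1"; then
        echo "not a DH PARAMETERS PEM file: $1" >&2
        return 1
    fi
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl dhparam -noout -check -in "$1" >/dev/null 2>&1
}

# The line to add alongside ssl_cert and ssl_key.  The leading '<' makes
# Dovecot read the file's contents instead of taking the string literally.
ssl_dh_config_line() {
    printf 'ssl_dh = <%s\n' "$1"
}

main() {
    [ -f "$DH_FILE" ] || generate_dh_params "$DH_FILE" 2048
    check_dh_file "$DH_FILE" || exit 1
    echo "add to dovecot.conf:"
    ssl_dh_config_line "$DH_FILE"
}

# Run only when invoked with --run, so the functions can also be sourced.
[ "${1:-}" = "--run" ] && main
```

Run it as `sh dh_check.sh --run` on the mail host; a pre-existing file is only checked, not regenerated. After editing dovecot.conf, `doveconf -n ssl_dh` shows whether the new setting was picked up.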

Re: TLS Error and not working lmtp

Jakob Schürz
On 2017-12-12 at 09:56, Aki Tuomi wrote:
>
>
> On 12.12.2017 02:59, Jakob Schürz wrote:
>> Hi!
[...]
>
> With v2.3 you are required to provide ssl_dh=</path/to/dh.pem yourself.
>
> You can generate suitable parameters with openssl gendh 2048 (or 4096).
> Make sure you run it on something that has plenty of entropy available,
> it will take some time.

Thanks for the info. This was a challenge for me...
Is it correct to put this option in the config in addition to ssl_key
and ssl_cert?
And it must be the parameter file, not a cert or key?


At least I had to change some paths to the new installation path
/usr/local/... in the exim and dovecot conf. /var/run/dovecot is in
/usr/local/var/run/dovecot if I compile it from git and install it with
make install.


But now it is working. Thanks for the info.

Jakob



Re: TLS Error and not working lmtp

Aki Tuomi-2


On 13.12.2017 02:59, Jakob Schürz wrote:

> On 2017-12-12 at 09:56, Aki Tuomi wrote:
>>
>> On 12.12.2017 02:59, Jakob Schürz wrote:
>>> Hi!
> [...]
>> With v2.3 you are required to provide ssl_dh=</path/to/dh.pem yourself.
>>
>> You can generate suitable parameters with openssl gendh 2048 (or 4096).
>> Make sure you run it on something that has plenty of entropy available,
>> it will take some time.
> Thanks for the info. This was a challenge for me...
> Is it correct to put this option in the config in addition to ssl_key
> and ssl_cert?
> And it must be the parameter file, not a cert or key?
>
>
> At least I had to change some paths to the new installation path
> /usr/local/... in the exim and dovecot conf. /var/run/dovecot is in
> /usr/local/var/run/dovecot if I compile it from git and install it with
> make install.
>
>
> But now it is working. Thanks for the info.
>
> Jakob
>

It must be a separate file, yes.

Also you can probably omit the paths from your config, as they usually
come from defaults.

Aki