dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Reuben Farrelly-7
Hi,

On 30/10/2017 7:22 PM, [hidden email] wrote:

> Message: 6
> Date: Mon, 30 Oct 2017 10:22:42 +0200
> From: Teemu Huovila <[hidden email]>
> To: [hidden email]
> Subject: Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8
>
>
>
> On 30.10.2017 09:10, Aki Tuomi wrote:
>>
>>
>> On 30.10.2017 00:23, Reuben Farrelly wrote:
>>> Hi Aki,
>>>
>>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>>> <[hidden email]> wrote:
>>>>>
>>>>>
>>>>> Hi again,
>>>>>
>>>>> Chasing down one last problem which seems to have been missed from my
>>>>> last email:
>>>>>
>>>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>>>>>>
>>>>>> Op 20-10-2017 om 4:23 schreef Reuben Farrelly:
>>>>>>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>>>>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly <[hidden email]>
>>>>>>>> wrote:
>>>>> This problem below is still present in 2.3 -git, as of version
>>>>> 2.3.devel
>>>>> (6fc40674e)
>>>>>
>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>>>>>>
>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> Yet the file is there:
>>>>>>>>
>>>>>>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>>>>>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>>>>>>
>>>>>>>> And the config is there as well:
>>>>>>>>
>>>>>>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>>>>>>> ssl_dh = </etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>>>>>>> doveconf: Warning: You can generate it with: dd
>>>>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>>>>>>> -inform der > /etc/dovecot/dh.pem
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>>   ssl_dh = -----BEGIN DH PARAMETERS-----
>>>>>>>> thunderstorm dovecot #
>>>>>>>>
>>>>>>>> It appears that this warning is being triggered by the presence of
>>>>>>>> the ssl-parameters.dat file because when I remove it the warning
>>>>>>>> goes away. Perhaps the warning could be made a bit more specific
>>>>>>>> about this file being removed if it is not required because at the
>>>>>>>> moment the warning message is not related to the trigger.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Reuben
>>>>> Thanks,
>>>>> Reuben
>>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>>> no ssl_dh=< explicitly set in config file.
>>>>
>>>> Aki
>>>
>>> I have this already in my 10-ssl.conf file:
>>>
>>> lightning dovecot # /etc/init.d/dovecot reload
>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>>  * Reloading dovecot configs and restarting auth/login processes
>>> ...      [ ok ]
>>> lightning dovecot #
>>>
>>> However:
>>>
>>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>>> # gives on startup when ssl_dh is unset.
>>> ssl_dh=</etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> and the file is there:
>>>
>>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>>> lightning dovecot #
>>>
>>> So it is actually configured and yet the warning still is present.
>>>
>>> Reuben
>>
>> Hi!
>>
>> I gave this a try, and I was not able to repeat this issue. Perhaps you
>> are still missing ssl_dh somewhere?
>>
>> Aki
>>
> Hello
>
> Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present.
>
> br,
> Teemu

I still can't see anything amiss.  Here's the output from doveconf -n:

# 2.3.devel (65ef8330e): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (f4659224)
# OS: Linux 4.9.56-x86_64-linode87 x86_64 Gentoo Base System release 2.4.1
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_format = %Ln
doveadm_password =  # hidden, use -P to show it
first_valid_uid = 1000
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
last_valid_uid = 1100
login_log_format_elements = user=<%u> auth-method=%m remote=%r local=%l %k
login_trusted_networks = 192.168.0.0/16
mail_location = maildir:~/Maildir
mail_plugins = stats notify replication fts fts_lucene
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   args = failure_show_msg=yes %s
   driver = pam
}
plugin {
   fts = lucene
   fts_autoindex = yes
   fts_languages = en
   fts_lucene = whitespace_chars=@.
   mail_replica = tcps:inside-mail.reub.net:4813
   replication_full_sync_interval = 4 hours
   sieve = file:~/sieve;active=~/.dovecot.sieve
   stats_refresh = 30 secs
   stats_track_cmds = yes
}
protocols = imap lmtp sieve
recipient_delimiter = -
service aggregator {
   fifo_listener replication-notify-fifo {
     mode = 0666
     user = root
   }
   unix_listener replication-notify {
     mode = 0666
     user = root
   }
}
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0666
     user = postfix
   }
   unix_listener auth-userdb {
     mode = 0777
   }
}
service doveadm {
   inet_listener {
     address = 2400:8901:e001:3a::20
     port = 4813
     ssl = yes
   }
   user = root
}
service imap {
   executable = imap postlogin
}
service lmtp {
   inet_listener lmtp {
     address = ::1
     port = 24
   }
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0660
     user = postfix
   }
}
service postlogin {
   executable = script-login -d rawlog
}
service replicator {
   process_min_avail = 1
   unix_listener replicator-doveadm {
     mode = 0666
   }
}
service stats {
   fifo_listener stats-mail {
     mode = 0666
   }
}
ssl_ca = </etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_cert = </etc/ssl/dovecot/*.reub.net.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/misc/alphassl_intermediate_ca.crt
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
userdb {
   driver = passwd
}
protocol lmtp {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol !indexer-worker {
   ssl_dh =  # hidden, use -P to show it
}
protocol lda {
   mail_plugins = stats notify replication fts fts_lucene sieve
   ssl_dh =  # hidden, use -P to show it
}
protocol imap {
   mail_plugins = stats notify replication fts fts_lucene imap_stats
   ssl_dh =  # hidden, use -P to show it
}
protocol sieve {
   ssl_dh =  # hidden, use -P to show it
}
protocol pop3 {
   ssl_dh =  # hidden, use -P to show it
}

And showing with -P as an example:

protocol pop3 {
   ssl_dh = -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAo4NpFI4fpUe65FVv1hotVS9pTUbCKs1ypGRZcFMXzpsXPqHU+M4s
...
AAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END DH PARAMETERS-----

There is a single set of valid DH parameters for every protocol as
listed above.

It seems odd that ssl_dh is defined for all of these protocols specifically
too.  This specific per-protocol definition of ssl_dh isn't specified in
any config file.

Reuben
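The `doveconf -P` output above shows what ssl_dh actually holds once Dovecot has read the `<file`: a PEM "DH PARAMETERS" block. As an added example (not code from Dovecot or from anyone in this thread), here is a stdlib-only Python checker that parses such a block offline and reports the size of the prime, so you can confirm that a dh.pem, whether generated fresh or extracted from the old ssl-parameters.dat with the `dd | openssl dh -inform der` command quoted above, is at least 2048 bits before pointing ssl_dh at it. It assumes the PKCS#3 layout `SEQUENCE { INTEGER p, INTEGER g }` that `openssl dh` writes; the two sample blocks are constructed inside the script (a toy 23/5 group that must be rejected, and a 2048-bit placeholder modulus that is not a prime and only exercises the size check).

```python
"""Offline sanity check for a Dovecot ssl_dh PEM file.  Added example, not
Dovecot code: parses the PKCS#3 layout SEQUENCE { INTEGER p, INTEGER g }
that 'openssl dh' writes and reports the size of the prime."""
import base64
import re


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative int; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p: int, g: int) -> str:
    """Build a 'DH PARAMETERS' PEM block (used here only to construct samples)."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (needed for 2048-bit p)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_dh_params_pem(pem: str):
    """Return (p, g) from a DH PARAMETERS block; raise ValueError if malformed."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, pos = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02 or pos != len(seq):
        raise ValueError("expected exactly INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_params(pem: str, min_bits: int = 2048) -> dict:
    """Structural and size checks only: primality of p is not tested here
    (use 'openssl dhparam -check' for that)."""
    p, g = parse_dh_params_pem(pem)
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is only {p.bit_length()} bits, want >= {min_bits}")
    if p % 2 == 0:
        problems.append("p is even, so it cannot be prime")
    if not 2 <= g <= p - 2:
        problems.append("generator g is out of range")
    return {"bits": p.bit_length(), "generator": g, "ok": not problems, "problems": problems}


# Constructed samples: a toy group (p=23, g=5) that must be rejected, and a
# 2048-bit placeholder modulus (NOT a prime; it only exercises the size check).
TOY_PEM = encode_dh_params_pem(23, 5)
PLACEHOLDER_2048_PEM = encode_dh_params_pem(2**2047 + 1, 2)

if __name__ == "__main__":
    for name, pem in (("toy", TOY_PEM), ("placeholder-2048", PLACEHOLDER_2048_PEM)):
        print(name, check_dh_params(pem))
```

To check a real file, read `/etc/dovecot/dh.pem` and pass its contents to `check_dh_params`; the 769-byte file in the `ls -la` output above is the typical size of a 2048-bit parameter set in PEM form.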
Re: dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Aki Tuomi-2


On 31.10.2017 15:00, Reuben Farrelly wrote:

> There is a single set of valid DH parameters for every protocol as
> listed above.
>
> It seems odd that ssl_dh is defined all of these protocols
> specifically too.  This specific per-protocol definition of ssl_dh
> isn't specified in any config file.
>
> Reuben

Can you try with doveconf -nP and ensure all those ssl_dh lines are of the
form ssl_dh =</file?

Aki
Re: dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Reuben Farrelly-7
Hi again,


On 1/11/2017 12:01 AM, Aki Tuomi wrote:

> Can you try with doveconf -nP  and ensure all those ssl_dh lines are of
> form ssl_dh =</file?
>
> Aki

That's the thing.  Those extra ssl_dh lines aren't actually specified in
my conf files, they have been inherited from somewhere - so I can't
change them to be of any particular form because they aren't defined as
being that way in my configuration files.

There is only one place where ssl_dh is defined and that's in the global
10-ssl.conf file.  See here:

lightning dovecot # grep ssl_dh *
grep: conf.d: Is a directory
lightning dovecot # grep ssl_dh */*
conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
lightning dovecot #

The rest of them must be being inherited from that statement above.

But back to the original question, if I *remove* the ssl-parameters.dat
file from /var/lib/dovecot/ then without any other configuration changes
the error goes away on reload and from doveconf output.  Not only that,
but if the ssl-parameters.dat file is removed then those ssl_dh lines
per-protocol in doveconf -n also disappear too.

To me that indicates that the mere presence of the ssl-parameters.dat
file is doing something odd with the way the ssl_dh configuration
statements are being handled.  Something buggy with backwards
compatibility perhaps?

[Also tested with latest 2.3 -git as of today - same result]

Reuben
Re: dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Timo Sirainen
On 1 Nov 2017, at 13.51, Reuben Farrelly <[hidden email]> wrote:

>
>
> That's the thing.  Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
>
> There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file.  See here:
>
> lightning dovecot # grep ssl_dh *
> grep: conf.d: Is a directory
> lightning dovecot # grep ssl_dh */*
> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
> lightning dovecot #
>
> The rest of them must be being inherited from that statement above.
>
> But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf  output.  Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
>
> To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled.  Something buggy with backwards compatibility perhaps?
>
> [Also tested with latest 2.3 -git as of today - same result]

Looks like this is pretty easily reproducible:

a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo

b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
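Timo's two one-line configs make a handy regression input. As an added example (not doveconf's code and not the Dovecot fix), here is a small Python model of the rule Aki stated earlier in the thread (warn only when the legacy ssl-parameters.dat is present AND nothing sets `ssl_dh = <file`), built on a deliberately minimal parser that tracks `protocol NAME { }` sections. It also resolves the effective ssl_dh per protocol, which is the inheritance Reuben saw in his `doveconf -n` output. Under the intended rule both of Timo's cases must stay silent; the parser only handles the subset of Dovecot's config syntax used here, and the sample configs (including a fourth one that mirrors the nested `service` block layout of Reuben's output) are constructed.

```python
"""Model of the ssl_dh warning rule discussed in this thread.  Added example,
not doveconf's own code: the rule (warn only when ssl-parameters.dat exists
AND no explicit 'ssl_dh = <file' is configured) is Aki's description above,
and the parser is a deliberately small subset of Dovecot's config syntax."""
import re
from typing import Dict, Optional, Tuple


def parse_dovecot_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Collect global 'key = value' lines and the settings inside each
    'protocol NAME { ... }' section.  Other sections (service, plugin,
    namespace, ...) are skipped with their nesting tracked; '#' starts a comment."""
    global_settings: Dict[str, str] = {}
    protocols: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None     # protocol section we are inside, if any
    depth = 0                         # brace nesting depth
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^protocol\s+(\S+)\s*\{$", line)
        if m and depth == 0:
            current = m.group(1)
            protocols.setdefault(current, {})
            depth = 1
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif "=" in line:
            if current is None and depth > 0:
                continue              # inside service/plugin/...: not modelled
            key, value = (part.strip() for part in line.split("=", 1))
            (global_settings if current is None else protocols[current])[key] = value
    return global_settings, protocols


def effective_ssl_dh(text: str) -> Dict[str, Optional[str]]:
    """Effective ssl_dh per section: a protocol's own value wins, otherwise it
    inherits the global one (the per-protocol lines Reuben saw in doveconf -n)."""
    global_settings, protocols = parse_dovecot_conf(text)
    effective = {"<global>": global_settings.get("ssl_dh")}
    for name, settings in protocols.items():
        effective[name] = settings.get("ssl_dh", global_settings.get("ssl_dh"))
    return effective


def ssl_dh_warning(text: str, ssl_parameters_dat_present: bool) -> Optional[str]:
    """Return the warning text, or None.  The intended rule: warn only when
    the legacy ssl-parameters.dat is present AND nothing sets ssl_dh to a
    '<file' value, globally or in any protocol section."""
    if not ssl_parameters_dat_present:
        return None
    global_settings, protocols = parse_dovecot_conf(text)
    candidates = [global_settings.get("ssl_dh")]
    candidates += [settings.get("ssl_dh") for settings in protocols.values()]
    if any(value is not None and value.startswith("<") for value in candidates):
        return None
    return "please set ssl_dh=</etc/dovecot/dh.pem"


# Constructed inputs: (a) and (b) are the two one-line configs from Timo's
# reproducer; (c) sets nothing at all; (d) mirrors the layout of Reuben's
# doveconf -n output with a nested service block and a protocol section.
CASE_A = "ssl_dh = </usr/local/etc/dovecot/dh.pem\n"
CASE_B = "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n"
CASE_C = "protocol imap {\n}\n"
CASE_D = """\
ssl_dh=</etc/dovecot/dh.pem
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
protocol lmtp {
  mail_plugins = sieve
}
"""

if __name__ == "__main__":
    for label, conf in (("a", CASE_A), ("b", CASE_B), ("c", CASE_C), ("d", CASE_D)):
        print(label, effective_ssl_dh(conf), ssl_dh_warning(conf, ssl_parameters_dat_present=True))
```

Run it and case (b) stays silent, which is exactly the behaviour Timo's second command failed to show; feeding the model your own `doveconf -n` output is a quick way to see which sections inherit the global ssl_dh and which override it.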
Re: dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Aki Tuomi-2


On 02.11.2017 02:01, Timo Sirainen wrote:

> Looks like this is pretty easily reproducible:
>
> a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo
>
> b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
> doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
Hi!

This has been fixed, see
https://github.com/dovecot/core/commit/a70d867d1fe3584149811c65eb6213deb72be824.patch

Aki