Issue: Unable to log in and receive mail from desktop clients and iOS clients over an IMAP connection. Roundcube webmail was still receiving mail okay.
 
 
 Troubleshooting:
Found the following error line in the mail.error log and in /var/log/syslog:
 dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>,
 
Dovecot was upgraded in the last round of apt-get upgrade updates.
 
Found that the Dovecot SSL setup was no longer complete and the previous customizations were lost. Performed the re-setup together with Postfix.
 
 
 Resolution:
1. Confirmed the Postfix main.cf and master.cf files were okay.
 
 
2. Noticed the SSL configuration in 10-ssl.conf was no longer correct. Verified the active (uncommented) lines below and fixed the ones that were wrong (just the top two, ssl_key and ssl_cert):
 $ sudo vi /etc/dovecot/conf.d/10-ssl.conf
 ...
 #ssl_cert = </etc/dovecot/private/dovecot.pem
 #ssl_key = </etc/dovecot/private/dovecot.key
 ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key
 ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
 # when Dovecot needs to act as an SSL client (e.g. imapc backend or
 # submission service). The directory is usually /etc/ssl/certs in
 # Debian-based systems and the file is /etc/pki/tls/cert.pem in
 # RedHat-based systems.
 #ssl_client_ca_dir = /etc/ssl/certs
 #ssl_client_ca_file =
 ssl_client_ca_dir = /usr/local/ispconfig/interface/ssl/
 ...
 # SSL DH parameters
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
 ssl_dh = </usr/share/dovecot/dh.pem
 
 (save with)
 <esc>:wq
 
 
 3. Restart services
 $ sudo systemctl restart dovecot
$ sudo systemctl restart postfix
 
 
4. Fix the DH parameter file.
 $ tail /var/log/syslog
 ...
 Aug  7 17:30:12 gideon dovecot: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
 ...
 
How is dovecot using /etc/dovecot/dh.pem when the config specifies /usr/share? (Dovecot reads the contents of the file named after the < into ssl_dh, so an empty file leaves the setting unset, and the warning then suggests Dovecot's default path.) Rather than go down that rabbit hole, we decided to do a ln -s. However, we found that /usr/share/dovecot/dh.pem was also empty.
Recreated with:
$ sudo mv /usr/share/dovecot/dh.pem /usr/share/dovecot/dh-old.pem
$ sudo openssl dhparam -out /usr/share/dovecot/dh.pem 4096
<wait and wait, and wait, and wait - about 10 to 15 minutes>
 
Finally, back to creating the link:
$ sudo mv /etc/dovecot/dh.pem /etc/dovecot/dh-old.pem
$ sudo ln -s /usr/share/dovecot/dh.pem /etc/dovecot/dh.pem
 
 
 5. Restart services
 $ sudo systemctl restart dovecot
 $ sudo systemctl restart postfix
 
 
 6. Verify:
While checking mail with an iOS device, we monitored the syslog.
 $ sudo tail /var/log/syslog
 ...
 user=<testuser@mindwatering.net>, method=PLAIN, rip=::1, lip=::1, mpid=8961, secured, session=<321AdhSDv/IoOQAAAAAAAAAAAA12345678A>
 Aug  7 17:44:26 gideon dovecot: imap(testuser@mindwatering.net)<8961><321AdhSDv/IoOQAAAAAAAAAAAA12345678A>: Logged out in=373 out=35564 deleted=0 expunged=0 trashed=0 hdr_count=50 hdr_bytes=15652 body_count=0 body_bytes=0
 ...
 
 iOS device was again able to receive and send mail.
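An added check for the dh.pem problem in step 4 (this is example code written for this note, not something from the original procedure or from Dovecot): it reads a DH parameter file the way Dovecot's <file include does, reports an empty file, and parses the PEM/DER to get the prime size so a too-small group is caught before restarting. The 2048-bit floor and the constructed sample primes used for testing are assumptions of the example.

```python
import base64
import re

# Assumption: 2048 bits is the floor below which current OpenSSL reports "dh key too small".
MIN_DH_BITS = 2048
_PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len_decode(buf, i):
    # Return (length, offset after the length field) for a DER length at offset i.
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of prime p in a PEM 'DH PARAMETERS' block: DER SEQUENCE { INTEGER p, INTEGER g }."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, i = _der_len_decode(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len_decode(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def check_dh_pem(text):
    """Classify file contents the way Dovecot's '<file' include sees them -> (status, bits)."""
    if not text.strip():
        return "empty", 0  # empty file -> empty ssl_dh -> the "please set ssl_dh" warning
    bits = dh_prime_bits(text)
    return ("too-small" if bits < MIN_DH_BITS else "ok"), bits

def build_dh_pem(p, g=2):
    """Constructed test sample: p is not a real safe prime; only its size matters for this check."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw
    def der_int(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        b = b"\x00" + b if b[0] & 0x80 else b  # keep the INTEGER positive
        return b"\x02" + der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"
```

Run check_dh_pem() on the contents of /usr/share/dovecot/dh.pem (or whatever ssl_dh points at) before the restart in step 5; anything other than "ok" reproduces one of the two failures above.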
 