[GTALUG] War Story: Fedora 33 update silently broke Dovecot (IMAP / POP3 server)

D. Hugh Redelmeier hugh at mimosa.com
Tue May 4 18:26:40 EDT 2021


Only one of us uses IMAP / POP3.  She stopped being able to pick up mail.  
The message was obscure: Thunderbird reported getting resets from the 
server.

Detective work (leaving out the blind alleys):

Look for funny messages in the server log.  The right command is arcane:
	$ journalctl -b _SYSTEMD_UNIT=dovecot.service

- -b means "since last boot".  Very handy because the log can go back a 
  long time.

- _SYSTEMD_UNIT=dovecot.service: only messages about dovecot.
  Such an intuitive form.  It won't work without the .service.
  It turns out that there is a shortform, -u or --unit=.


May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
May 04 14:07:12 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<jkGQ8oTBnIDAi0Zf>
May 04 15:30:28 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<SWRMHIbBmILAi0Zf>

The first two messages were almost impossible to read because they were in yellow.

It turns out that the first means that you have to edit /etc/dovecot/conf.d/10-ssl.conf
and change
	#ssl_dh = </etc/dovecot/dh.pem
to
	ssl_dh = </etc/dovecot/dh.pem

/etc/dovecot/dh.pem was already there.

OPTIONAL:

/etc/dovecot/dh.pem specified a really weak Diffie-Hellman group.
You should probably strengthen it.  I chose ffdhe2048, a weak one (2048 bits) that is still "OK".
See:
<https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups>

You need it in PEM format.  First save the old one.  Then grab a new one:
	curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem

Then adjust ownership and permissions.
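As an added check (example code, not from this post and not Dovecot's own), here is a stdlib-only Python script that tests the two conditions fixed above: whether an ssl_dh line is actually active in 10-ssl.conf, and how large the DH prime in dh.pem is. The 2048-bit floor, the sample config text and the DH blob built by make_dh_pem() are assumptions constructed for the demo.

```python
# Added example, not Dovecot's code; the config snippets and make_dh_pem() output are constructed.
import base64
import re

MIN_DH_BITS = 2048  # assumed floor, matching the post's ffdhe2048; "dh key too small" fires below policy
STOCK_CONF = "ssl = required\n#ssl_dh = </etc/dovecot/dh.pem\n"  # as shipped (commented out)
FIXED_CONF = "ssl = required\nssl_dh = </etc/dovecot/dh.pem\n"   # after the edit

def effective_ssl_dh(conf_text):
    """Path from an active (uncommented) 'ssl_dh = <path' line, else None."""
    path = None
    for line in conf_text.splitlines():
        m = re.match(r"^\s*ssl_dh\s*=\s*<\s*(\S+)", line)  # '<' = read value from file
        if m:
            path = m.group(1)  # the last active setting wins
    return path

def _der_len(buf, pos):  # DER length at pos -> (length, position after it)
    n = buf[pos] & 0x7F if buf[pos] >= 0x80 else 0  # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big") if n else buf[pos]
    return length, pos + 1 + n
def dh_prime_bits(pem_text):
    """Bit length of p in a 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos = _der_len(der, 1)           # skip SEQUENCE tag (0x30) and its length
    plen, pos = _der_len(der, pos + 1)  # skip INTEGER tag (0x02) of p
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def check(conf_text, pem_text):
    """Problems still to fix, in the order the post fixes them."""
    problems = []
    if effective_ssl_dh(conf_text) is None:
        problems.append("ssl_dh not set: uncomment it in conf.d/10-ssl.conf")
    bits = dh_prime_bits(pem_text)
    if bits < MIN_DH_BITS:
        problems.append(f"DH group is {bits} bits; OpenSSL wants >= {MIN_DH_BITS}")
    return problems

def _enc_len(n):  # DER length encoder: short form below 0x80, else 0x8N + N bytes
    nb = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
def make_dh_pem(bits):
    """Syntactically valid PEM around a FAKE (non-prime) p: constructed test data only."""
    pb = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # 0x00 keeps it positive
    seq = b"\x02" + _enc_len(len(pb)) + pb + b"\x02\x01\x02"           # INTEGER p, INTEGER g=2
    der = b"\x30" + _enc_len(len(seq)) + seq
    body = base64.b64encode(der).decode()  # single line; the parser ignores line breaks
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

To run it against a real server, read /etc/dovecot/conf.d/10-ssl.conf and the file its ssl_dh line names, then pass both strings to check().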


