[GTALUG] War Story: Fedora 33 update silently broke Dovecot (IMAP / POP3 server)
D. Hugh Redelmeier
hugh at mimosa.com
Tue May 4 18:26:40 EDT 2021
Only one of us uses IMAP / POP3. She stopped being able to pick up mail.
The message was obscure: Thunderbird reported getting resets from the
server.
Detective work (leaving out the blind alleys):
Look for funny messages in the server log. The right command is arcane:
$ journalctl -b _SYSTEMD_UNIT=dovecot.service
- -b means "since last boot". Very handy because the log can go back a
long time.
- _SYSTEMD_UNIT=dovecot.service: only messages about dovecot.
Such an intuitive form. It won't work without the .service.
It turns out that there is a shortform, -u or --unit=.
May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
May 04 14:07:12 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<jkGQ8oTBnIDAi0Zf>
May 04 15:30:28 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<SWRMHIbBmILAi0Zf>
The first two messages were almost impossible to read because the were in yellow.
It turns out that the first means that you have to edit /etc/dovecot/conf.d/10-ssl.conf
and change
#ssl_dh = </etc/dovecot/dh.pem
to
ssl_dh = </etc/dovecot/dh.pem
/etc/dovecot/dh.pem was already there.
OPTIONAL:
/etc/dovecot/dh.pem specified a really weak Diffie-Hellman group.
Your should probably strengthen it. I chose ffdhe2048, a weak one (2048 bits) that is still "OK".
See:
<https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups>
You need it in PEM format. First save the old one. Then grab a new one:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem
Then adjust ownership and permissions.
More information about the talk
mailing list