Gentoo Forums
Networking & Security

dovecot
javeree
Guru
Joined: 29 Jan 2006
Posts: 455
Posted: Wed Jan 01, 2025 11:58 pm    Post subject: dovecot

Today, I suddenly could not connect to my dovecot server anymore, and see in mail.log the following error:
Quote:
2025-01-02T00:46:39+01:00 Hermes dovecot[9134]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:0A00018F:SSL routines::ee key too small: user=<>, rip=109.138.102.252, lip=81.243.192.28, session=<A+MsqK0q/dltimb8>


I create ssl certificates for imap.vereecke.xyz using letsencrypt.

dovecot -n -p provides
Quote:
dovecot -n -p
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# OS: Linux 6.6.9 i686 Gentoo Base System release 2.15 ext4
# Hostname: Hermes.vereecke.xyz
listen = *
mail_location = maildir:/var/spool/mail/%u
passdb {
driver = pam
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
user = root
}
ssl_cert = </etc/ssl/certs/dovecot-cert-20200122.pem
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
local_name imap.vereecke.xyz {
ssl_cert = </etc/letsencrypt/live/imap.vereecke.xyz/fullchain.pem
ssl_key = # hidden, use -P to show it
}



with the contents of /etc/letsencrypt/live/imap.vereecke.xyz/
Quote:
total 4
lrwxrwxrwx 1 root root 42 Jan 1 23:57 cert.pem -> ../../archive/imap.vereecke.xyz/cert30.pem
lrwxrwxrwx 1 root root 43 Jan 1 23:57 chain.pem -> ../../archive/imap.vereecke.xyz/chain30.pem
lrwxrwxrwx 1 root root 47 Jan 1 23:57 fullchain.pem -> ../../archive/imap.vereecke.xyz/fullchain30.pem
lrwxrwxrwx 1 root root 45 Jan 1 23:58 privkey.pem -> ../../archive/imap.vereecke.xyz/privkey30.pem
-rw-r--r-- 1 root root 692 Jan 27 2020 README


and certbot certificates says:
Quote:

Certificate Name: imap.vereecke.xyz
Serial Number: 3e2b9fa4a12889b0212dad176327e06db0c
Key Type: ECDSA
Domains: imap.vereecke.xyz
Expiry Date: 2025-01-28 04:19:45+00:00 (VALID: 26 days)
Certificate Path: /etc/letsencrypt/live/imap.vereecke.xyz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/imap.vereecke.xyz/privkey.pem


the error message "SSL routines::ee key too small:" suggests to me that I should somehow generate a larger key, but don't know what key that should be and how to let letsencrypt do that.
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3935
Posted: Thu Jan 02, 2025 3:59 am

What does this
Code:

ssl_key = # hidden, use -P to show it


mean?
There should be a path instead.
_________________
:)
Ralphred
l33t
Joined: 31 Dec 2013
Posts: 673
Posted: Thu Jan 02, 2025 2:10 pm    Post subject: Re: dovecot

javeree wrote:
Code:
}
ssl_cert = </etc/ssl/certs/dovecot-cert-20200122.pem
ssl_key = # hidden, use -P to show it
userdb {
How big are these two and why are they in the config?
A few people got caught out by their /etc/dovecot/dh.pem being "too small" recently (the minimum requirement went from 2048 to 4096), but that produces a different error code.
javeree
Guru
Joined: 29 Jan 2006
Posts: 455
Posted: Thu Jan 02, 2025 3:45 pm

I had a look at /etc/ssl/certs/dovecot-cert-20200122.pem, and it says it is a self signed certificate. That is definitely wrong. So I removed the reference to these two in my config, and now I only have


Quote:
# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# OS: Linux 6.6.9 i686 Gentoo Base System release 2.17 ext4
# Hostname: Hermes.vereecke.xyz
listen = *
mail_location = maildir:/var/spool/mail/%u
passdb {
driver = pam
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
user = root
}
userdb {
driver = passwd
}
local_name imap.vereecke.xyz {
ssl_cert = </etc/letsencrypt/live/imap.vereecke.xyz/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.vereecke.xyz/privkey.pem
}

The error now changed. It now says:
Quote:

dovecot[28160]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): The certificate is empty: user=<>, rip=141.135.8.97, lip=81.243.192.28, session=<TFL0+roqT+iNhwhh>



fullchain.pem looks like this:
Quote:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


while privkey looks similar to this (I changed some characters to '*' keep the real privkey private)
Quote:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEG**********************BAQQg0zGuyKBQOfMBUBmY
UFoaPd0*******************************mjz+lej0F2eAVwovx9T
WGAa+*********************************f28LTtN4vYL1X8kOQb
-----END PRIVATE KEY-----


How does dh.pem come into play in this story, as it is not mentioned anywhere?
gentoo_ram
Guru
Joined: 25 Oct 2007
Posts: 505
Location: San Diego, California USA
Posted: Thu Jan 02, 2025 7:02 pm

One difference between your dovecot config and mine is that in mine the ssl_key and ssl_cert options appear at the top level. In yours, they appear underneath a local_name block. Maybe that's a problem. Otherwise, I'm using letsencrypt as well to get my CERT for dovecot.
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3935
Posted: Thu Jan 02, 2025 7:21 pm

In
Code:

/etc/dovecot/conf.d/10-ssl.conf

play with the allowed ciphers:
Code:

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
#ssl_dh = </etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no


And even better remove your cert definitions from dovecot.conf and put them in 10-ssl.conf.
_________________
:)
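The thread runs into two different startup failures: first "ee key too small", raised against the 2020 self-signed certificate referenced at the top level of dovecot.conf, and then "The certificate is empty" once that reference was removed and only the local_name block remained (gentoo_ram points at the top-level versus local_name placement; alamahant and Ralphred bring up dh.pem). The POSIX shell script below is an added example, not code from the thread, from Dovecot or from certbot. It runs the checks a practitioner would want before restarting Dovecot: that the ssl_cert file actually contains a certificate block, that the ssl_key file is a PEM private key, that the end-entity key is large enough for the OpenSSL security level, that the key matches the certificate, and, if an ssl_dh file is given, the size of its DH group. It assumes the openssl command-line tool is installed. The minimums are assumptions taken from OpenSSL security level 2 (2048-bit RSA/DH, 224-bit EC), overridable through the MIN_RSA_DH_BITS and MIN_EC_BITS variables; the file paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Pre-flight checks for the TLS material Dovecot loads from ssl_cert, ssl_key and
# (optionally) ssl_dh. Added example; not code from the thread or from Dovecot.
# Assumes the openssl CLI is installed. The bit minimums below are assumptions:
# OpenSSL security level 2 rejects RSA/DH keys under 2048 bits and EC keys under
# 224 bits, which surfaces in Dovecot's log as "ee key too small".
MIN_RSA_DH_BITS="${MIN_RSA_DH_BITS:-2048}"
MIN_EC_BITS="${MIN_EC_BITS:-224}"

# Number of "-----BEGIN CERTIFICATE-----" blocks in a file. 0 is what a missing or
# empty ssl_cert looks like ("The certificate is empty"); fullchain.pem has 2 or more.
pem_cert_count() {
    [ -s "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Whether a file carries a PEM private key (PKCS#8, or the legacy RSA/EC headers).
pem_has_private_key() {
    [ -s "$1" ] && grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Public-key algorithm of the first (end-entity) certificate, as printed by
# "openssl x509 -text": e.g. rsaEncryption or id-ecPublicKey.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: *\(.*\)/\1/p' | head -n 1
}

# Public key size in bits of the end-entity certificate ("Public-Key: (N bit)";
# OpenSSL 1.1 prints "RSA Public-Key: (N bit)", which the pattern also matches).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Does the private key belong to the certificate? Compares the public key derived
# from each side, which works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Size in bits of the DH group in a PEM dhparam file ("DH Parameters: (N bit)").
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Run every check, print one line per check, return 1 if any of them fails.
# Usage (paths from the thread):
#   dovecot_tls_check /etc/letsencrypt/live/imap.vereecke.xyz/fullchain.pem \
#                     /etc/letsencrypt/live/imap.vereecke.xyz/privkey.pem \
#                     /etc/dovecot/dh.pem
dovecot_tls_check() {
    cert=$1; key=$2; dh=${3:-}; rc=0
    n=$(pem_cert_count "$cert")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: $cert is missing, empty or has no CERTIFICATE block"; return 1
    fi
    echo "ok: $cert contains $n certificate(s)"
    if pem_has_private_key "$key"; then echo "ok: $key is a PEM private key"
    else echo "FAIL: $key is empty or not a PEM private key"; rc=1; fi
    alg=$(cert_key_algorithm "$cert"); bits=$(cert_key_bits "$cert")
    case "$alg" in
        id-ecPublicKey) min=$MIN_EC_BITS ;;      # EC curve size (P-256 -> 256)
        *)              min=$MIN_RSA_DH_BITS ;;  # RSA modulus size
    esac
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
        echo "ok: $alg key is $bits bits (minimum $min)"
    else
        echo "FAIL: ${alg:-unreadable} key is ${bits:-?} bits, below $min (ee key too small)"; rc=1
    fi
    if cert_matches_key "$cert" "$key"; then echo "ok: private key matches certificate"
    else echo "FAIL: private key does not match the certificate"; rc=1; fi
    if [ -n "$dh" ]; then
        dbits=$(dh_param_bits "$dh")
        if [ -n "$dbits" ] && [ "$dbits" -ge "$MIN_RSA_DH_BITS" ]; then
            echo "ok: DH parameters are $dbits bits"
        else
            echo "FAIL: DH parameters ${dbits:-unreadable}, below $MIN_RSA_DH_BITS bits"; rc=1
        fi
    fi
    return $rc
}

# When invoked directly with arguments, run the checks; sourced, it only defines them.
if [ "$#" -ge 2 ]; then
    dovecot_tls_check "$@"
fi
```

Running it against the paths in the thread distinguishes the two errors immediately: a cert file with zero CERTIFICATE blocks is the "empty" case, while a readable certificate whose key is below the minimum is the "ee key too small" case; the last check also catches a fullchain.pem that was renewed while ssl_key still points at an older privkey.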