Submitted by chiareu on Sun, 10/18/2015 - 05:48
Hi, on a fresh box with Virtualmin GPL & Debian 8, seams that default configuration are wrong in Dovecot. Impossible to connect to server via POP or IMAP (any connection type, secured or not)
In logs we got: dovecot: pop3-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY dovecot: master: Error: service(pop3-login): command startup failed, throttling for 32 secs
Seams that the /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem are missing anyway. No default certificate was created.
Any advice how to get things to work?
Status:
Closed (fixed)
Comments
Submitted by chiareu on Sun, 10/18/2015 - 07:20 Comment #1
As the dovecot's mkcert.sh are giving errors at run, the only solution I found it's to make default domain, SSL enabled and send the cert/key to the Dovecot/Postfix etc.
Submitted by andreychek on Sun, 10/18/2015 - 09:03 Comment #2
Howdy -- I unfortunately wasn't able to reproduce that issue on a test system here. Are you by chance using a VPS? I'm wondering if you're experiencing an issue with that particular VPS image.
I was about to suggest copying in the SSL certificate from one of your Virtual Servers, but it looks like you already came to that conclusion :-)
I'm glad to hear you got it working!
And we'll continue to see if we can trigger that problem, and we'll watch out for other folks experiencing it.
Submitted by chiareu on Sun, 10/18/2015 - 12:27 Comment #3
Hi, it's a dedicated machine. Fresh Debian 8 x64 install, with SSH only. Virtualmin installed with install.sh The particularity is that the server it's behind a Router with ports forwarded. So It has an local IP.
Seams that on the install procedure, Dovecot did not created the default dovecot.pem files and the manual script failed to execute.
The trick with domain cert run perfectly.
Next week I'll run some tests on other machine to see if the issue will appear again.
Submitted by JamieCameron on Sun, 10/18/2015 - 22:26 Comment #4
Can you attach your Dovecot config file(s) to this bug? I'd like to see what paths are used for the SSL cert and key files.
Submitted by chiareu on Mon, 10/19/2015 - 02:06 Comment #5
Hi... i'm on phone now and can't put the file but as I told in first post. The paths are /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem. one file for both cert and key.
Submitted by JamieCameron on Tue, 10/20/2015 - 00:24 Comment #6
What I was interested in seeing was the context of those lines in the overall config file.
Submitted by chiareu on Tue, 10/20/2015 - 02:41 Comment #7
/10-ssl.conf
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/dovecot.pem
ssl_cert = </etc/dovecot/dovecot.cert.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/dovecot.key.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL protocols to use
#ssl_protocols = !SSLv2
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
Submitted by chiareu on Tue, 10/20/2015 - 02:42 Comment #8
And the /dovecot.conf
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
Submitted by JamieCameron on Tue, 10/20/2015 - 23:41 Comment #9
Ok, that config file looks fine.
Did you ever use the function in Virtualmin (on the Manage SSL Certificate page) to copy a domain's cert to Dovecot? If not, the cert and key should be whatever is created when Dovecot is installed - which I would expect the Debian package to set to something reasonable.
Submitted by chiareu on Sat, 11/14/2015 - 11:24 Comment #10
Exactly that's the solution I used ;)