Bug 53075 - Cleanup dovecot SSL config to prevent warnings
Status: NEW
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-0-errata
Assigned To: Mail maintainers
QA Contact: Mail maintainers
Duplicates: 53110
Reported: 2021-04-14 09:32 CEST by Sönke Schwardt-Krummrich
Modified: 2021-04-28 10:45 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.017
Bug group (optional): Cleanup

Description Sönke Schwardt-Krummrich univentionstaff 2021-04-14 09:32:29 CEST
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:59: ssl_dh_parameters_length is no longer needed
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:65: ssl_parameters_regenerate is no longer needed
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:69: ssl_protocols has been replaced by ssl_min_protocol
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2021-04-15 17:50:19 CEST
*** Bug 53110 has been marked as a duplicate of this bug. ***
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2021-04-15 17:52:04 CEST
Apr 15 08:07:35 backup51 dovecot: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Apr 15 08:07:35 backup51 dovecot: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

See https://wiki2.dovecot.org/Upgrading/2.3#dhparams:

Diffie-Hellman Parameters for SSL

* ssl-parameters.dat file is now obsolete. You should use ssl_dh setting instead: ssl_dh=</etc/dovecot/dh.pem

* You can convert an existing ssl-parameters.dat to dh.pem:

  dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

* ssl-params process has also been removed, as it is no longer used to generate these parameters.
* You are encouraged to create at least 2048 bit parameters. 4096 is the industry recommendation.
* Note that it will take a LONG TIME to generate the parameters, and it should be done on a machine that has a GOOD SOURCE OF ENTROPY. Running it on a virtual machine is not recommended, unless there is some entropy helper/driver installed. Running this on your production proxy can starve connections due to lack of entropy.

* Since v2.3.3+ DH parameter usage is optional and can be omitted. You are invited to amend ciphers to disallow non-ECC based DH algorithms, but if you don't and someone does try to use them, an error will be emitted.

Example: ssl_cipher_list=ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW:!DH@STRENGTH
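The cleanup the warnings and the wiki excerpt above describe, as an added example (not part of this bug report, of UCS, or of Dovecot): a POSIX shell script that rewrites a 2.2-era conf.d/10-ssl.conf into 2.3 settings. It drops ssl_dh_parameters_length and ssl_parameters_regenerate, turns ssl_protocols into ssl_min_protocol, and adds ssl_dh if the file lacks it. The mapping from ssl_protocols to ssl_min_protocol (the weakest protocol the old setting still allowed) is my reading of the two settings, not text from the wiki; the sample config, the /etc/dovecot/dh.pem path and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example for bug 53075; not UCS or Dovecot project code.
# Rewrites a Dovecot 2.2-era conf.d/10-ssl.conf into 2.3 settings so that
# the three "Obsolete setting" warnings and the "please set ssl_dh" warning
# quoted in the bug go away. Paths and the sample config are constructed.
set -eu

# Protocol names as Dovecot spells them, weakest first.
PROTO_ORDER="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# min_protocol_from_ssl_protocols VALUE
# Map an old ssl_protocols value (either an allow list such as
# "TLSv1.2 TLSv1.3" or an exclusion list such as "!SSLv3 !TLSv1") to the
# ssl_min_protocol Dovecot 2.3 wants: the weakest protocol still allowed.
min_protocol_from_ssl_protocols() {
    excluded=" "
    allowed=" "
    for tok in $1; do
        case $tok in
            !*) excluded="$excluded${tok#!} " ;;
            *)  allowed="$allowed$tok " ;;
        esac
    done
    for proto in $PROTO_ORDER; do
        case $excluded in *" $proto "*) continue ;; esac
        if [ "$allowed" != " " ]; then
            case $allowed in *" $proto "*) ;; *) continue ;; esac
        fi
        printf '%s\n' "$proto"
        return 0
    done
    return 1   # nothing left allowed; the caller picks a default
}

# migrate_ssl_conf IN OUT DH_PATH
# Copy IN to OUT, dropping ssl_dh_parameters_length and
# ssl_parameters_regenerate (2.3 reads the parameters from ssl_dh instead),
# turning ssl_protocols into ssl_min_protocol, and appending
# "ssl_dh = <DH_PATH" unless the file already sets ssl_dh.
migrate_ssl_conf() {
    in=$1
    out=$2
    dh=$3
    have_dh=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *=*)
                key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
                val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
                ;;
            *)  key=""; val="" ;;
        esac
        case $key in
            ssl_dh_parameters_length|ssl_parameters_regenerate)
                continue ;;                       # obsolete in 2.3, drop the line
            ssl_protocols)
                min=$(min_protocol_from_ssl_protocols "$val") || min=TLSv1.2
                printf 'ssl_min_protocol = %s\n' "$min" >> "$out"
                continue ;;
            ssl_dh)
                have_dh=1 ;;
        esac
        printf '%s\n' "$line" >> "$out"           # everything else passes through
    done < "$in"
    if [ "$have_dh" -eq 0 ]; then
        printf 'ssl_dh = <%s\n' "$dh" >> "$out"
    fi
}

# gen_dh_pem DH_PATH [BITS]
# Generate fresh DH parameters for ssl_dh. The wiki recommends 4096 bits;
# this is slow and wants a good entropy source, so run it on a machine with
# real entropy rather than on the production mail server, then copy the file.
gen_dh_pem() {
    umask 022
    openssl dhparam -out "$1" "${2:-4096}"
}

# Demonstration on a constructed 10-ssl.conf (not taken from the bug report).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/10-ssl.conf" <<'EOF'
# constructed sample, modelled on the warnings quoted in the bug
ssl = required
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
EOF
migrate_ssl_conf "$tmp/10-ssl.conf" "$tmp/10-ssl.conf.new" /etc/dovecot/dh.pem
cat "$tmp/10-ssl.conf.new"
```

After installing the rewritten file and a dh.pem produced by gen_dh_pem (or by the dd conversion quoted above), `doveconf -n 2>&1 | grep -i warning` should print nothing. The script always sets ssl_dh; as the wiki notes, on 2.3.3+ the alternative is to leave ssl_dh out and remove the non-ECC DH ciphers from ssl_cipher_list, otherwise a client negotiating plain DH gets an error instead of a connection.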