Univention Bugzilla – Bug 53994
Bad Dovecot SSL configuration
Last modified: 2021-11-03 17:01:38 CET
In UCS 5.0-0 the OX app cannot connect to the Dovecot Sieve server:

== /var/log/open-xchange/open-xchange.log.0 ==
com.openexchange.exception.OXException: MAIL_FILTER-0014 Categories=ERROR Message='Error in low level connection to sieve server ucs-6159.open-xchange.intranet at port 4190' exceptionID=877345375-73
com.openexchange.exception.locale: de_DE
    at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:154)
    at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:144)
    at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:117)
    at com.openexchange.mailfilter.exceptions.MailFilterExceptionCode.create(MailFilterExceptionCode.java:297)
    at com.openexchange.mailfilter.internal.MailFilterServiceImpl.closeSieveHandler(MailFilterServiceImpl.java:329)
    at com.openexchange.mailfilter.internal.MailFilterServiceImpl.getCapabilities(MailFilterServiceImpl.java:784)
    at com.openexchange.mail.filter.json.v2.actions.ConfigMailFilterAction.perform(ConfigMailFilterAction.java:81)
    at com.openexchange.ajax.requesthandler.DefaultDispatcher.doCallAction(DefaultDispatcher.java:634)
    at com.openexchange.ajax.requesthandler.DefaultDispatcher.callAction(DefaultDispatcher.java:610)
    at com.openexchange.ajax.requesthandler.DefaultDispatcher.doPerform(DefaultDispatcher.java:578)
    at com.openexchange.ajax.requesthandler.DefaultDispatcher.perform(DefaultDispatcher.java:247)
    at com.openexchange.ajax.requesthandler.DispatcherServlet.handle(DispatcherServlet.java:454)
    at com.openexchange.ajax.requesthandler.DispatcherServlet.doGet(DispatcherServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
    at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:549)
    at com.openexchange.ajax.SessionServlet.doService(SessionServlet.java:153)
    at com.openexchange.ajax.requesthandler.DispatcherServlet.service(DispatcherServlet.java:245)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:124)
    at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:109)
    at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:114)
    at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:195)
    at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:114)
    at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:111)
    at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:114)
    at org.glassfish.grizzly.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:83)
    at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:202)
    at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:154)
    at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:274)
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200)
    at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2593)
    at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:806)
    at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:833)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Connection or outbound has closed
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:967)
    at com.openexchange.tools.ssl.DelegatingSSLSocket$LoggingOutputStream.write(DelegatingSSLSocket.java:517)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.openexchange.jsieve.export.SieveHandler.close(SieveHandler.java:1201)
    at com.openexchange.mailfilter.internal.MailFilterServiceImpl.closeSieveHandler(MailFilterServiceImpl.java:325)
    ... 29 common frames omitted

== /var/log/dovecot.log ==
Okt 26 14:20:18 ucs-6159 dovecot[1001]: managesieve-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem
Okt 26 14:20:18 ucs-6159 dovecot[1001]: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.16.45.6, lip=172.16.45.6, TLS handshaking: SSL_accept() failed: error:141EC044:SSL
Turns out that during the update to UCS 5.0 the UCRV templates for Dovecot have not been updated to those from upstream. Two now invalid configuration keys (ssl_dh_parameters_length, ssl_parameters_regenerate) have been removed, and their associated UCRVs. The DH parameters are now stored in a different way. The postinst can now perform both a migration from existing data and create a fresh DH parameter file.
The fix has been committed to git branch dtroeder/53994_dovecot_dh:
[d8b37801f0] Bug #53994: fix UCR template and DH parameter generation
Please reopen when the changes should be merged to 5.0 and the package built.
A separate bug was created to update all templates for the Dovecot integration → Bug 53996.
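Added example, not code from this bug and not the univention-mail-dovecot postinst: a POSIX shell sketch of the two steps the comment above describes for a Dovecot 2.3 host. It drops the removed ssl_dh_parameters_length / ssl_parameters_regenerate keys in favour of an ssl_dh=</path/to/dh.pem line, and either converts the old ssl-parameters.dat or generates a fresh DH parameter file. Every path (/etc/dovecot/conf.d/10-ssl.conf, /etc/dovecot/dh.pem, /var/lib/dovecot/ssl-parameters.dat) and the 88-byte header skip for the 2.2 file are assumptions taken from Dovecot's 2.2-to-2.3 upgrade notes, not from the UCS package. On UCS the rendered Dovecot config comes from UCR templates, so the equivalent change belongs in the template and its UCRVs rather than in the rendered file the example edits.

```shell
#!/bin/sh
# Added example, not the univention-mail-dovecot postinst: move a Dovecot
# TLS config from the removed 2.2 DH settings to the 2.3 ssl_dh file.
# All paths are assumptions and are passed in as function arguments.

# Drop the two keys Dovecot 2.3 no longer accepts and make sure an ssl_dh
# line pointing at the parameter file exists. Commented-out and unrelated
# lines are left untouched.
migrate_ssl_config() {
    conf="$1"      # e.g. /etc/dovecot/conf.d/10-ssl.conf (assumed path)
    dhfile="$2"    # e.g. /etc/dovecot/dh.pem (assumed path)
    tmp="$conf.tmp.$$"
    grep -Ev '^[[:space:]]*(ssl_dh_parameters_length|ssl_parameters_regenerate)[[:space:]]*=' \
        "$conf" > "$tmp" || true   # grep -v exits 1 when no line survives
    if ! grep -Eq '^[[:space:]]*ssl_dh[[:space:]]*=' "$tmp"; then
        printf 'ssl_dh = <%s\n' "$dhfile" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Decide what to do about the parameter file: keep an existing one, convert
# the 2.2 ssl-parameters.dat if that is all there is, otherwise generate.
dh_plan() {
    dhfile="$1"
    legacy="$2"    # e.g. /var/lib/dovecot/ssl-parameters.dat (assumed path)
    if [ -s "$dhfile" ]; then
        echo keep
    elif [ -s "$legacy" ]; then
        echo migrate
    else
        echo generate
    fi
}

ensure_dh_file() {
    dhfile="$1"
    legacy="$2"
    bits="${3:-2048}"
    case "$(dh_plan "$dhfile" "$legacy")" in
    keep)
        ;;
    migrate)
        # Assumption from Dovecot's 2.2 -> 2.3 upgrade notes: the old file is
        # an 88-byte header followed by DER-encoded DH parameters.
        dd if="$legacy" bs=1 skip=88 2>/dev/null |
            openssl dhparam -inform der -out "$dhfile"
        ;;
    generate)
        openssl dhparam -out "$dhfile" "$bits"
        ;;
    esac
    chmod 0644 "$dhfile"   # public parameters; the unprivileged dovecot processes must read them
}

# Sanity check before restarting: openssl must parse the file and the
# parameters must pass its -check validation.
check_dh_file() {
    openssl dhparam -in "$1" -noout -check >/dev/null 2>&1
}

# Usage on the mail host (as root), assumed paths:
#   migrate_ssl_config /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/dh.pem
#   ensure_dh_file /etc/dovecot/dh.pem /var/lib/dovecot/ssl-parameters.dat 2048
#   check_dh_file /etc/dovecot/dh.pem && service dovecot restart
#   openssl s_client -connect localhost:4190 -starttls sieve </dev/null
```

The last usage line reproduces what the OX app does against port 4190 (STARTTLS on ManageSieve); with the parameters in place the handshake completes instead of failing in SSL_accept() as in the dovecot.log lines above. Prefer the generate branch over migrate where the old file holds 1024-bit parameters: regenerating costs a few minutes of CPU once, while a migrated short group stays in service until someone notices.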
Made the DH generation code in the postinst also run for updates.
Merged and built in 5.0-0 (errata):
[5.0-0 7577842620] Bug #53994: fix UCR template and DH parameter generation
univention-mail-dovecot (6.0.3-4)
QA: all ok -> verify
OK as discussed, the code is already merged & built
OK code review
OK functionality: filter settings work
OK changelog
OK yaml
<https://errata.software-univention.de/#/?erratum=5.0x146>