13

Upgraded my server to 20.04. Now I can't get IMAP working through dovecot. I get:

Aug  1 23:25:53 defaria dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small: user=<>, rip=184.182.63.133, lip=208.113.131.137, session=<iKgXGN+rCIC4tj+F>

I found many solutions to this problem but none seem to work. I've generated and re-generated server keys, signing certificates, and the like and configured dovecot to look at them yet all I get is this cryptic error message. I had this all configured nicely before and just updating from 18.04 -> 20.04 broke this.

How can I fix this? Step by step... How to I supposed generate a cert and a key and properly configure them into dovecot so that imap works again?

Funny thing is I can drive a session through telnet to imap and I can log in an access messages. But when I try to do the same with my mail client (thunderbird) I get the above error written to /var/log/mail.log

Zanna
  • 70,465
Andrew DeFaria
  • 379
  • 1
  • 3
  • 13

5 Answers5

15

I needed to add the following to my /etc/dovecot/conf.d/10-ssl.conf file:

ssl_dh = </usr/share/dovecot/dh.pem

The dh.pem file did already exist in my case, but YMMV.

BeastOfCaerbannog
  • 14,585
Chris
  • 151
14

None of these solutions worked for me, as the /usr/share/dovecot/dh.pem already existed and was the required 4096 bit.

Turns out the solution was as simple as deleting the /var/lib/dovecot/ssl-parameters.dat file, then restarting dovecot using:

sudo systemctl restart dovecot
BeastOfCaerbannog
  • 14,585
Ron Morfitt
  • 141
  • 4
    The manual also states to delete ssl-parameters.dat since it is a leftover from previous version ssl_dh is not needed anymore in newer versions https://doc.dovecot.org/configuration_manual/quick_configuration/#ssl-and-plaintext-authentication – Eddi Jan 07 '22 at 21:18
  • Thanks for pointing this out! Also for the link to the docs Eddi! – Sander Steffann Mar 30 '22 at 16:52
  • This was also the solution on a Debian Raspberry-Pi, when dovecot stopped working (while upgrading from Buster to Bullseye) with the OP "dovecot: imap-login..." message. – braoult Aug 27 '22 at 11:32
  • The manual is contracted by specific instructions in the dovecot log when this problem happens: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem These "helpful" instructions turned out to be misleading and a waste of time. Someone should open a ticket to get them removed. Deleting ssl-parameters.dat as per the documentation fixes the error indeed. – Rolf Mar 11 '23 at 00:32
4

The answer to this is that your dh.pem file does not have enough bits.

Ubuntu provides one in /etc/dovecot and /usr/share/dovecot. The later of the two directories has one of enough bits (4096).

I think (not tested for now) that you can also generate your own dh.pem file with the following command:

openssl dhparam -out dh.pem 4096

Then simply add the line:

ssl_dh=</your/dir/here/dh.pem

To /etc/dovecot/conf.d/10-ssl.conf (including the < character before the /)

Zanna
  • 70,465
Martijn Potman
  • 41
  • 1
0

Your issue is similar (but not identical) to these:

I am not currently running dovecot so I can't test this solution but you should be able to adjust the cipher settings just for dovecot (not system wide) by editing your local dovecot configuration.

Try adding the following line to /etc/dovecot/conf.d/10-ssl.conf

ssl_cipher_list = HIGH:!DH:!aNULL

You can instead try increasing your Diffie-Hellman key length in the SSL settings. Read the dovecot documentation for further info: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

Zanna
  • 70,465
moo
  • 878
  • None of that seems to work. The first one seems to be about sending mail using python. That's not what I'm doing. The second one doesn't change the error message. I set ssl_cipher_list as you instructed, same error. Note in 10-ssl.conf they set ssl_key to </etc/dovecot/private/dovecot.key. That file doesn't exist. There is an /etc/ssl/private/dovecot.key but that doesn't change the error.

    Note I can use telnet to talk to and log into my IMAP server. No problems. I can fetch email in my INBOX. And I can locally deliver myself email. But when I get new email with TB it errs.

     – Andrew DeFaria Aug 02 '20 at 20:50
  • https://stackoverflow.com/questions/14959461/how-to-talk-to-imap-server-in-shell-via-openssl worth running through this to give you a better idea of error messages to ascertain what exactly is going wrong – moo Aug 03 '20 at 12:18
  • But nothing is going wrong when I connect to my IMAP server using either telnet or openssl from the terminal. From thunderbird, however, I do not get any new messages and I see that error message in both mail.err and mail.log. I think my problem may be more about https://doc.dovecot.org/admin_manual/submission_server/ – Andrew DeFaria Aug 03 '20 at 17:11
0

This can also be caused, not just by an ancient ssl_dh, but also an ancient ssl_cert or ssl_key. In my case these were

ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

which were both from 2014. Changing to letsencrypt certs fixed this for me:

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

Where you have those certs installed for your example.com site.

joseph_morris
  • 211