On Sun, 9 May 2021 at 08:30, Giles Orr <gilesorr@gmail.com> wrote:
On Fri, 7 May 2021 at 22:43, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
Only one of us uses IMAP / POP3. She stopped being able to pick up mail. The message was obscure: Thunderbird reported getting resets from the server.
Detective work (leaving out the blind alleys):
Look for funny messages in the server log. The right command is arcane: $ journalctl -b _SYSTEMD_UNIT=dovecot.service
- -b means "since last boot". Very handy because the log can go back a long time.
- _SYSTEMD_UNIT=dovecot.service: only messages about dovecot. Such an intuitive form. It won't work without the .service. It turns out that there is a shortform, -u or --unit=.
May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem May 04 14:07:12 redhop-mimosa-com dovecot[977]: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem May 04 14:07:12 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<jkGQ8oTBnIDAi0Zf> May 04 15:30:28 redhop-mimosa-com dovecot[977]: pop3-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=192.139.70.95, lip=192.139.70.82, session=<SWRMHIbBmILAi0Zf>
The first two messages were almost impossible to read because the were in yellow.
It turns out that the first means that you have to edit /etc/dovecot/conf.d/10-ssl.conf and change #ssl_dh = </etc/dovecot/dh.pem to ssl_dh = </etc/dovecot/dh.pem
/etc/dovecot/dh.pem was already there.
OPTIONAL:
/etc/dovecot/dh.pem specified a really weak Diffie-Hellman group. Your should probably strengthen it. I chose ffdhe2048, a weak one (2048 bits) that is still "OK". See: <https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups>
You need it in PEM format. First save the old one. Then grab a new one: curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem
Then adjust ownership and permissions.
This sent me on a bit of a chase. Nginx uses a DH parameters file that's used in the same way. And it's considered a bad idea to use a widely known DH parameter (like the one that ships with the software, or that sits on a Mozilla server). This is a semi-useful read: https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-p.... I say "semi-useful" because honestly some of it was over my head. And that leads to reading about Logjam ( https://weakdh.org/ ).
With Ansible I've automated the generation of a new DH parameter file on each new server:
openssl dhparam -out <filename> <size>
Generating this file takes a significant amount of time (minutes) if "size" is reasonably large (2096, although I would recommend 4192) even on a modern machine. But it's a one-off for any given machine, so it's a small imposition that I'd recommend. If this breaks the mail setup, you can obviously return to the known value from Mozilla.
"2096" "4192" ... <facepalm> They're just numbers, but I did mean to say "2048" and "4096" as regular power-of-2 numbers ... -- Giles https://www.gilesorr.com/ gilesorr@gmail.com