Re: "no shared cypher", no matter what I try
On Sat, 2018-12-08 at 11:03 +0100, Marco Fioretti wrote:
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.

Here is my 10-ssl.conf on my CentOS box. I am using the TLS config from https://weakdh.org/sysadmin.html

---
ssl = yes
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
#regenerates every week
ssl_dh_parameters_length = 2048
ssl_cert =
Re: "no shared cypher", no matter what I try
Have you tried connecting with openssl c_client, with a cypher list of all?

My suspicion is that one of the pair of programs is only using old, weak cyphers [due to age and the other only strong ones.

David
Re: "no shared cypher", no matter what I try
I ran into that error message with a different application and it turned out that the server certificate was expired.

--
Doug

> On 8 December 2018, at 12:22, David Gardner wrote:
>
> Have you tried connecting with openssl c_client, with a cypher list of all?
>
> My suspicion is that one of the pair of programs is only
> using old, weak cyphers [due to age and the other only strong ones.
>
> David
doveadm batch crash
Hi

I'm having an issue with doveadm batch - the following command always crashes:

doveadm batch : mailbox status all inbox

Whereas the following work as expected:

doveadm mailbox status all inbox
doveadm batch : mailbox list

Any assistance gratefully received.

Debug output from the crash:

Debug: Loading modules from directory: /usr/lib64/dovecot
Debug: Module loaded: /usr/lib64/dovecot/lib01_acl_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib10_mail_crypt_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib90_stats_plugin.so
Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_user_get_language_list (this is usually intentional, so just ignore this message)
Debug: Module loaded: /usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so
doveadm(jc): Debug: Effective uid=1001, gid=100, home=/home/jc
doveadm(jc): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(jc): Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
doveadm(jc): Debug: Namespace inbox: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox:ALT=~/Archive/tape/mdbox
doveadm(jc): Debug: fs: root=/home/jc/mdbox, index=, indexpvt=, control=, inbox=, alt=/home/jc/Archive/tape/mdbox
doveadm(jc): Debug: acl: initializing backend with data: vfile
doveadm(jc): Debug: acl: acl username = jc
doveadm(jc): Debug: acl: owner = 1
doveadm(jc): Debug: acl vfile: Global ACLs disabled
doveadm(jc): Panic: file mail-storage.c: line 875 (mailbox_set_reason): assertion failed: (reason != NULL)
doveadm(jc): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xa0e9e) [0x7fc993023e9e] -> /usr/lib64/dovecot/libdovecot.so.0(default_fatal_handler+0x2a) [0x7fc993023f0a] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fc992fb3c97] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0x49856) [0x7fc993301856] -> /usr/bin/doveadm(+0x348e2) [0x5631dbb5f8e2] -> /usr/bin/doveadm(+0x2e1ad) [0x5631dbb591ad] -> /usr/bin/doveadm(+0x2bd2c) [0x5631dbb56d2c] -> /usr/bin/doveadm(+0x2c92a) [0x5631dbb5792a] -> /usr/bin/doveadm(doveadm_mail_try_run+0x215) [0x5631dbb58285] -> /usr/bin/doveadm(main+0x46a) [0x5631dbb473fa] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7fc992bd83d5] -> /usr/bin/doveadm(+0x1c565) [0x5631dbb47565]
Aborted (core dumped)

And doveconf -n output:

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: ### redacted ###
first_valid_gid = 100
first_valid_uid = 1000
last_valid_gid = 100
last_valid_uid = 1999
listen = *
login_greeting = IMAP ready
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e session=<%{session}> %k
mail_attribute_dict = file:%h/mdbox/dovecot-attributes
mail_location = mdbox:~/mdbox:ALT=~/Archive/tape/mdbox
mail_plugins = acl stats mail_crypt
mailbox_list_index = yes
mdbox_rotate_size = 16 M
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
  mail_crypt_global_private_key = <### redacted ###
  mail_crypt_global_public_key = <### redacted ###
  mail_crypt_save_version = 2
  stats_memory_limit = 16 M
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
postmaster_address = ### redacted ###
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  process_limit = 200
  process_min_avail = 4
  service_count = 1
}
service stats {
  fifo_listener stats-mail {
    group = users
    mode = 01224
  }
}
ssl = required
ssl_cert = <### redacted ###
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
Mail aliases plugin not honouring namespace?
I have

namespace {
  disabled = no
  hidden = no
  ignore_on_failure = no
  inbox = yes
  list = yes
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace Archive {
  disabled = no
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = yes
  location = mbox:/home/mail-archive/%u/
  prefix = Archive/
  separator = /
  subscriptions = yes
  type = private
}

Without aliases, folders are created at /home/mail-archive/%u/ which is expected

When I am adding these mailbox aliases

mailbox_alias_old = Archive
mailbox_alias_new = Archives

These folders are created in the default namespace

.Archive
.Archives.2018
.Archives

Is this as expected? I am at least not expecting it.
Re: Plugins/MailboxAlias configuration not working when not successive
This is not a bug but working as intended. Gaps in numbering are not supported.

Aki

On 08 December 2018 at 18:08 Marc Roos < m.r...@f1-outsourcing.eu> wrote:

> This is not working because the numbering is not successive. This whole
> configuration implementation is of course nothing to be proud of.
>
> plugin {
>   #setting_name = value
>   # archive folder
>   mailbox_alias_old = Archive
>   mailbox_alias_new = Archief
>   mailbox_alias_old2 = Archive
>   mailbox_alias_new2 = Archief mappen
>   mailbox_alias_old3 = Archive
>   mailbox_alias_new3 = Archived messages
>   mailbox_alias_old4 = Archive
>   mailbox_alias_new4 = Archived mail
>   mailbox_alias_old5 = Archive
>   mailbox_alias_new5 = Archives
>   # spam folder
>   mailbox_alias_old10 = Spam
>   mailbox_alias_new10 = Junk
>   mailbox_alias_old11 = Spam
>   mailbox_alias_new11 = Junk E-mail
>   mailbox_alias_old12 = Spam
>   mailbox_alias_new12 = Ongewenste e-mail
>   # drafts folder
>   mailbox_alias_old20 = Drafts
>   mailbox_alias_new20 = Concepten
> }
>
> https://wiki2.dovecot.org/Plugins/MailboxAlias

---
Aki Tuomi
Re: Solr
After some testing, I managed to get proper functioning

- The schema.xml is attached below (quite different from the one provided on the wiki) (in bold the core differences) (NGramFilterFactory is the class that replaces the fts_squat "partial=3 full=15", everything else is just a big hammer to smash a tiny fly)
- One needs to remove the "managed-schema" file in the {prefix}/server/solr/dovecot/conf.
- One needs to remove everything under {prefix}/server/solr/dovecot/data/
- The {prefix}/server/solr/dovecot/conf/solrconfig.xml is as below (see diff)
- Restart Solr
- my dovecot.conf is :

fts = solr
fts_autoindex = yes
fts_enforced = yes
fts_decoder = decode2text
fts_solr = url=http://(SOLR SERVER):8983/solr/dovecot/

--- schema.xml
id

-- diff solrconfig
--- /data/backup/solr/solrconfig.xml.joan 2018-12-08 14:31:47.716344505 + +++ solrconfig.xml 2018-12-08 15:36:28.948267225 + @@ -1128,6 +1128,7 @@ See http://wiki.apache.org/solr/GuessingFieldTypes --> + @@ -1158,43 +1159,8 @@ -MM-dd - - - java.lang.String - text_general - - *_str - 256 - - - true - - - java.lang.Boolean - booleans - - - java.util.Date - pdates - - - java.lang.Long - java.lang.Integer - plongs - - - java.lang.Number - pdoubles - - - - - - - - text/plain; charset=UTF-8 - +
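Review bot: the second hunk (@@ -1158,43 +1159,8 @@) removes the whole run of Java-type-to-field-type mappings (java.lang.String to text_general, java.lang.Boolean to booleans, java.util.Date to pdates, and so on) that follows the GuessingFieldTypes comment, but neither the hunk nor the steps in the mail say why. If the intent is to turn field guessing off, the instructions should say so and state that every field Dovecot indexes then has to be declared in the attached schema.xml. The text/plain; charset=UTF-8 line removed at the end of the same hunk also deserves a sentence, since it does not look related to the type mappings.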
Plugins/MailboxAlias configuration not working when not successive
This is not working because the numbering is not successive. This whole configuration implementation is of course nothing to be proud of.

plugin {
  #setting_name = value
  # archive folder
  mailbox_alias_old = Archive
  mailbox_alias_new = Archief
  mailbox_alias_old2 = Archive
  mailbox_alias_new2 = Archief mappen
  mailbox_alias_old3 = Archive
  mailbox_alias_new3 = Archived messages
  mailbox_alias_old4 = Archive
  mailbox_alias_new4 = Archived mail
  mailbox_alias_old5 = Archive
  mailbox_alias_new5 = Archives
  # spam folder
  mailbox_alias_old10 = Spam
  mailbox_alias_new10 = Junk
  mailbox_alias_old11 = Spam
  mailbox_alias_new11 = Junk E-mail
  mailbox_alias_old12 = Spam
  mailbox_alias_new12 = Ongewenste e-mail
  # drafts folder
  mailbox_alias_old20 = Drafts
  mailbox_alias_new20 = Concepten
}

https://wiki2.dovecot.org/Plugins/MailboxAlias
support
Is there some 'ace' here that is willing to offer support via skype or so related namespaces, locations and alias plugin? Won't be needing much time. Thanks, Marc
Re: doveadm move and create folders for the archive
* Michael Wagner:

> Can't open mailbox 'Archiv/debian-user/2018': Mailbox doesn't exist:
> Archiv/debian-user/2018

As the manpage for doveadm copy/move states: "The destination mailbox must exist, otherwise this command will fail."

-Ralph
doveadm move and create folders for the archive
Hello guys,

I'm on a few mailing lists, which I want to archive at the end of the year. I know the command to do this, but must I create the folders for the archive by myself or is there a switch for doveadm? I tested this, but it exits with an error about the missing mailbox.

doveadm -D copy -u michael Archiv/debian-user/2018 mailbox debian-user since 365d

error message:

doveadm(michael): Debug: Effective uid=1000, gid=1000, home=/home/michael
doveadm(michael): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir:LAYOUT=fs
doveadm(michael): Debug: fs: root=/home/michael/Maildir, index=, indexpvt=, control=, inbox=/home/michael/Maildir, alt=
doveadm(michael): Error: Can't open mailbox 'Archiv/debian-user/2018': Mailbox doesn't exist: Archiv/debian-user/2018

Sorry for the long lines.

Tia Michael

--
Psychoceramics: The study of crackpots.
Re: "no shared cypher", no matter what I try
Marco Fioretti wrote on 2018-12-08 11:03:

> I have had to reinstall my email server on another Linux (centos 7.6)

reinstalls often helps make the same problems with precompiled distros :=)

is openssl installed or what ssl api is in use ?

did you create a bug report to centos maintainers ?

it's not a postfix/dovecot problem that ssl is not working

lets encrypt is irrelevant
Re: "no shared cypher", no matter what I try
> On 08 December 2018 at 12:03 Marco Fioretti wrote:
>
>
> Greetings,
> I have had to reinstall my email server on another Linux (centos 7.6)
> VPS, with a newer version of dovecot, other software and a brand new
> letsencrypt certificate just for email with postfix and dovecot (that
> certificate works fine with postfix). Output of dovecot --version and
> dovecot -n on the new server is below.
>
> Now, messages ARE delivered in the right IMAP mailboxes, but when I
> try to connect with Mutt from my home computer, mutt says, before
> prompting for a password:
>
> gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)
>
> the corresponding output of dovecot in /var/log/maillog is below. The
> gist of it **seems** to me to be the "no shared cipher" part, but I
> may be wrong. In any case, I have already tried to search online for
> that string, and other relevant parts of the log, without success. All
> I have found is suggestions to change the values of ssl_protocols
> and/or ssl_cipher_list to some non-default value, but I have tried all
> those tips without success. Current values of those variables are
> these:
>
> grep -v ^# /etc/dovecot/conf.d/10-ssl.conf
>
> ssl_cert =
> ssl_key =
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU
>
> any pointer to what to check or change next is VERY welcome.
>
> Thanks in advance,
> Marco
>
> #
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert:
> where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL:
> where=0x2002, ret=-1: error [47.53.159.60]
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error:
> SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected
> (disconnected before auth was ready, waited 0 secs): user=<>,
> rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept()
> failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher, session=
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file
> /etc/imap.v_users: Read 1 users in 0 secs
>
> #
> dovecot --version
> 2.2.36 (1f10bfa63)
>
>
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core) ext4
> # Hostname: MYSERVERNAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> mail_location = maildir:/var/mail//base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes

Can you comment out ssl_cipher_list and ssl_protocols? Is your certificate ECC certificate?

Aki
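Why the certificate type matters for "no shared cipher", as an added example that is not part of the thread: up to TLS 1.2 every cipher suite is tied to one authentication key type, so the server can only pick suites that match its certificate's key. The function names and the sample cipher string and client offer below are constructed for illustration.

```python
import ssl

# Certificate key type -> the "auth" label OpenSSL gives to suites that need it.
AUTH_FOR_KEY = {"rsa": "auth-rsa", "ecdsa": "auth-ecdsa"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string (an ssl_cipher_list value) into suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # set_ciphers() does not touch TLS 1.3 suites, which are not bound to a key
    # type; drop them so the result models a TLS 1.2-or-older handshake.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_ciphers(cipher_string, cert_key_type):
    """Names of the suites the server can really use with its certificate."""
    wanted = AUTH_FOR_KEY[cert_key_type]
    return [c["name"] for c in expand(cipher_string) if c["auth"] == wanted]


def diagnose(cipher_string, cert_key_type, client_offer):
    """Explain whether a handshake can find a shared cipher.

    client_offer holds the OpenSSL names of the suites in the ClientHello.
    """
    usable = usable_ciphers(cipher_string, cert_key_type)
    if not usable:
        return "no suite in the list fits a %s certificate" % cert_key_type
    offered = set(client_offer)
    shared = [name for name in usable if name in offered]
    if not shared:
        return "client offers none of the %d usable suites" % len(usable)
    return "ok: " + shared[0]  # first match in server order


# Constructed sample values, not taken from the thread.
RSA_ONLY = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
CLIENT_OFFER = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    for key_type in ("rsa", "ecdsa"):
        print(key_type, "->", diagnose(RSA_ONLY, key_type, CLIENT_OFFER))
```

The key type of an installed certificate is shown in the "Public Key Algorithm" line of openssl x509 -noout -text.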
"no shared cypher", no matter what I try
Greetings,

I have had to reinstall my email server on another Linux (centos 7.6) VPS, with a newer version of dovecot, other software and a brand new letsencrypt certificate just for email with postfix and dovecot (that certificate works fine with postfix). Output of dovecot --version and dovecot -n on the new server is below.

Now, messages ARE delivered in the right IMAP mailboxes, but when I try to connect with Mutt from my home computer, mutt says, before prompting for a password:

gnutls_handshake: A TLS fatal alert has been received.(Handshake failed)

the corresponding output of dovecot in /var/log/maillog is below. The gist of it **seems** to me to be the "no shared cipher" part, but I may be wrong. In any case, I have already tried to search online for that string, and other relevant parts of the log, without success. All I have found is suggestions to change the values of ssl_protocols and/or ssl_cipher_list to some non-default value, but I have tried all those tips without success. Current values of those variables are these:

grep -v ^# /etc/dovecot/conf.d/10-ssl.conf

ssl_cert =
ssl_key =
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!ADH:!LOW:!EXP:!aNULL:+HIGH:+MEDIU

any pointer to what to check or change next is VERY welcome.

Thanks in advance,
Marco

#
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [47.53.159.60]
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 8 10:53:43 MYSERVERNAME dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=47.53.159.60, lip=116.202.20.216, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Dec 8 10:53:43 MYSERVERNAME dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs

#
dovecot --version
2.2.36 (1f10bfa63)

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core) ext4
# Hostname: MYSERVERNAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
mail_location = maildir:/var/mail//base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes