You are not logged in.

#1 2017-04-25 17:56:57

Nocturne
Member
From: Nebraska, USA
Registered: 2012-04-23
Posts: 15

[Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

After a recent system upgrade(04/24 to be specific), in which openssl was upgraded(to version 1.1.0.e-1), dovecot 2.2.28-2 started throwing these errors in the systemd logs and remote imaps(imap secure) logins failed:

systemd[1]: Starting Dovecot IMAP/POP3 email server...
dovecot[27133]: master: Dovecot v2.2.28 (bed8434) starting up for imap, lmtp, sieve
systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 2 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 4 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 8 secs

After editing the ssl_protocols in /etc/dovecot/conf.d/10-ssl.conf from:

ssl_protocols = !SSLv2 !SSLv3

to this:

ssl_protocols = !SSLv3

It then works.  However, according to the Arch wiki on dovecot(https://wiki.archlinux.org/index.php/Do … ertificate) this is not the correct way to respond safely to POODLE and FREAK/Logjam attacks.

I would like to know what I need to do to be able to disable SSLv2 again in my dovecot configuration as it was before the updates.

One thing I noticed is that dovecot is actually flagged as out of date here.  And looking at the dovecot website, I see that it is indeed a bit outdated as they list v2.2.29.1 as current.  After a quick perusal of the changelog for 2.2.29 and 2.2.29.1, nothing immediately jumped out at me mentioning this specific issue being fixed.

I will be searching (and possibly posting) shortly on the dovecot mailing list to see if anyone else there is seeing something similar or if this is an Arch specific issue.

Please chime in here if you are seeing something similar on your own setup!

Last edited by Nocturne (2017-04-25 20:00:43)


"Ubuntu" - an African word meaning "Arch is too hard for me".

Offline

#2 2017-04-25 19:03:34

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 97
Website

Re: [Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

SSLv2 support was removed completetly in OpenSSL 1.1.

Offline

#3 2017-04-25 19:59:08

Nocturne
Member
From: Nebraska, USA
Registered: 2012-04-23
Posts: 15

Re: [Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

Thanks ghen! 

That is good information.  It stands to reason if SSLv2 support has been removed, there is no need to disable it with the "ssl_protocols" line.

Perhaps someone can edit the above-mentioned wiki to make the change.

From https://www.openssl.org/news/changelog.html#x6:

SSLv2 support has been removed.  It still supports receiving a SSLv2 compatible client hello.

Marking "Solved".


"Ubuntu" - an African word meaning "Arch is too hard for me".

Offline

Board footer

Powered by FluxBB