
#1 2017-04-25 17:56:57

Nocturne
Member
From: Nebraska, USA
Registered: 2012-04-23
Posts: 16

[Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

After a recent system upgrade (04/24 to be specific), in which openssl was upgraded (to version 1.1.0.e-1), dovecot 2.2.28-2 started throwing these errors in the systemd logs and remote imaps (imap secure) logins failed:

systemd[1]: Starting Dovecot IMAP/POP3 email server...
dovecot[27133]: master: Dovecot v2.2.28 (bed8434) starting up for imap, lmtp, sieve
systemd[1]: Started Dovecot IMAP/POP3 email server.
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 2 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 4 secs
dovecot[27135]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
dovecot[27133]: master: Error: service(imap-login): command startup failed, throttling for 8 secs

After editing the ssl_protocols in /etc/dovecot/conf.d/10-ssl.conf from:

ssl_protocols = !SSLv2 !SSLv3

to this:

ssl_protocols = !SSLv3

It then works.  However, according to the Arch wiki on dovecot (https://wiki.archlinux.org/index.php/Do … ertificate) this is not the correct way to respond safely to POODLE and FREAK/Logjam attacks.

I would like to know what I need to do to be able to disable SSLv2 again in my dovecot configuration as it was before the updates.

One thing I noticed is that dovecot is actually flagged as out of date here.  And looking at the dovecot website, I see that it is indeed a bit outdated as they list v2.2.29.1 as current.  After a quick perusal of the changelog for 2.2.29 and 2.2.29.1, nothing immediately jumped out at me mentioning this specific issue being fixed.

I will be searching (and possibly posting) shortly on the dovecot mailing list to see if anyone else there is seeing something similar or if this is an Arch specific issue.

Please chime in here if you are seeing something similar on your own setup!

Last edited by Nocturne (2017-04-25 20:00:43)


"Ubuntu" - an African word meaning "Arch is too hard for me".


#2 2017-04-25 19:03:34

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: [Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

SSLv2 support was removed completely in OpenSSL 1.1.


#3 2017-04-25 19:59:08

Nocturne
Member
From: Nebraska, USA
Registered: 2012-04-23
Posts: 16

Re: [Solved] - Dovecot: Invalid ssl_protocols setting: Unknown protocol

Thanks ghen! 

That is good information.  It stands to reason if SSLv2 support has been removed, there is no need to disable it with the "ssl_protocols" line.

Perhaps someone can edit the above-mentioned wiki to make the change.

From https://www.openssl.org/news/changelog.html#x6:

SSLv2 support has been removed.  It still supports receiving a SSLv2 compatible client hello.

Marking "Solved".


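A pre-restart check for the failure in this thread, added here as an example (not code from the forum posts or from the Dovecot project): it scans config files for ssl_protocols tokens that the installed build no longer recognises, so the mismatch is caught before the login services start throttling. The names check_ssl_protocols, demo and KNOWN_PROTOCOLS, and the default protocol list, are assumptions; set the list to what your Dovecot/OpenSSL build accepts.

```shell
#!/bin/sh
# Added example: lint Dovecot ssl_protocols tokens before restarting the service.
# ASSUMPTION: the protocol names your Dovecot/OpenSSL build accepts; override as needed.
KNOWN_PROTOCOLS="${KNOWN_PROTOCOLS:-SSLv3 TLSv1 TLSv1.1 TLSv1.2}"

# check_ssl_protocols FILE...
# Prints "file:line: unknown protocol 'X'" for each token not in KNOWN_PROTOCOLS.
# Returns 0 when every token is known, 1 otherwise.
check_ssl_protocols() {
    awk -v known="$KNOWN_PROTOCOLS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        {
            line = $0
            sub(/#.*/, "", line)                      # drop comments
            if (line !~ /^[ \t]*ssl_protocols[ \t]*=/) next
            sub(/^[^=]*=/, "", line)                  # keep only the value
            m = split(line, tok, /[ \t]+/)
            for (i = 1; i <= m; i++) {
                name = tok[i]
                sub(/^!/, "", name)                   # "!" means "disable this protocol"
                if (name == "") continue
                if (!(name in ok)) {
                    printf "%s:%d: unknown protocol \047%s\047\n", FILENAME, FNR, name
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# Constructed sample config reproducing the pre-upgrade line quoted in the thread.
demo() {
    tmp=$(mktemp) || return 2
    printf 'ssl = required\nssl_protocols = !SSLv2 !SSLv3\n' > "$tmp"
    check_ssl_protocols "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as `check_ssl_protocols /etc/dovecot/conf.d/*.conf` after an OpenSSL upgrade and before restarting dovecot; a non-zero exit means a token needs to be removed from the setting.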