#1 2018-01-11 09:31:05

sitilge
Member
Registered: 2016-07-16
Posts: 6

imap-login: Failed to initialize SSL server context

I was following the virtual user mail system tutorial on the Arch wiki. At some point, I decided to test my mail and authorize the user (via Thunderbird). Apparently, something is wrong with the IMAP setup; I keep getting this error in my logs:

imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>,

The config params are mainly from the Arch wiki, with some exceptions from this post.

My postfix/main.cf

alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydomain = xx.xx
myhostname = xx.xx
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000

My dovecot/dovecot.conf

protocols = imap pop3
auth_mechanisms = plain login
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
 
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        # Postfix default user and group
        group = postfix
        user = postfix
    }
}

mail_home = /home/vmail/%d/%n
mail_location = maildir:~

ssl_prefer_server_ciphers = yes
ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key

My dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem

I bet there is something wrong with the SSL certificates. Also, I do notice that ssl_cert and ssl_key differ in main.cf and 10-ssl.conf. And what about smtpd_tls_cert_file and smtpd_tls_key_file?

Has anyone experienced a similar problem? Any ideas what went wrong?

Last edited by sitilge (2018-01-11 10:37:38)


#2 2018-01-18 16:09:06

freaks
Member
Registered: 2010-11-10
Posts: 63

Re: imap-login: Failed to initialize SSL server context

Hello, I have the same problem. Did you find the solution?

I downgraded to these versions and it works now: pigeonhole 0.4.20-1, postfix 3.2.2-1, dovecot 2.2.32-1

but not with: dovecot 2.3.0-2, postfix 3.2.4-3

I think the solution is:

With v2.3 you are required to provide ssl_dh=</path/to/dh.pem yourself.

You can generate suitable parameters with openssl gendh 2048 (or 4096).
Make sure you run it on something that has plenty of entropy available,
it will take some time.

https://dovecot.org/pipermail/dovecot/2 … 10280.html

Last edited by freaks (2018-01-18 22:05:11)


#3 2018-02-01 06:02:24

Elizine
Member
From: United Kingdom
Registered: 2015-10-07
Posts: 39
Website

Re: imap-login: Failed to initialize SSL server context

In the case of Dovecot, you need to concatenate the key and the certificate into a PEM file and add these lines to your Dovecot configuration file:

# blablabla
ssl = required
ssl_key =   </home/mail/ssl/dovecot.pem # Key
ssl_cert =  </home/mail/ssl/dovecot.pem # Certificate
ssl_ca =    </home/mail/ssl/ca-bundle.pem # Server Certificate Bundle with CRLs
# blablabla

See http://wiki.dovecot.org/SSL/DovecotConfiguration for more information. The ca-bundle.pem comes from StartSSL.

To use Thunderbird with OpenSMTPD, you must select STARTTLS for authentication to your SMTP server, or else you'll get this error when trying to connect:

Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: New session 8b475ba3c3415a4d from host 37-161-XX-XX.coucou-networks.fr [37.161.XX.XX]
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Bad input on session 8b475ba3c3415a4d: 500 5.5.1 Invalid command: Pipelining not supported
Aug 26 22:06:47 asterix smtpd[5866]: smtp-in: Closing session 8b475ba3c3415a4d

listen on eth0 port 25 hostname <hostname> tls pki <hostname>
listen on eth0 port 587 hostname <hostname> tls-require pki <hostname> auth mask-source
PS: Key and cert are in different files for OpenSMTPD, not in a single .pem as for Dovecot.
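Added example, not code from this thread, from Dovecot or from the Arch wiki: a checker for the three files the two answers above leave you to verify by hand. Post #2's point is that Dovecot 2.3 no longer generates DH parameters and ssl_dh must point at a file that actually holds a "DH PARAMETERS" PEM block; the error in the first post is OpenSSL reporting that the file it was handed (empty, missing, or holding something else such as a certificate) has no such block. Post #3's layout puts key and certificate in one concatenated file, which the checker accepts too. Assumptions, all mine: MIN_DH_BITS of 2048 (the size the quoted mailing-list post suggests), the script name check_dovecot_ssl.py, and the constructed sample data at the bottom, whose DH primes are synthetic (the right size, not safe primes) and whose key and certificate blocks are placeholders. The real dh.pem is produced with openssl, which today documents the command as `openssl dhparam -out /etc/dovecot/dh.pem 2048`.

```python
"""Added example (not from the thread or from Dovecot): inspect the PEM files
behind ssl_dh, ssl_cert and ssl_key the way Dovecot's SSL context setup does,
so "no start line: Expecting: DH PARAMETERS" is explained before a restart.
Pure Python; DH parameters are decoded from PKCS#3 DER, SEQUENCE {p, g}."""
import base64
import re
import sys

MIN_DH_BITS = 2048  # assumption: the size the thread suggests generating
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text. An empty or
    non-PEM file yields [], which is what OpenSSL calls 'no start line'."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, start = _der_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big"), start + length

def dh_params(der):
    """Return (p, g) from a DER-encoded PKCS#3 DHParameter."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p, g

def _der_len_enc(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def _der_int_enc(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    b = b"\x00" + b if b[0] & 0x80 else b  # keep the INTEGER positive
    return b"\x02" + _der_len_enc(len(b)) + b

def pem_encode(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def encode_dh_pem(p, g):
    """Inverse of dh_params(): build a 'DH PARAMETERS' PEM block."""
    body = _der_int_enc(p) + _der_int_enc(g)
    return pem_encode("DH PARAMETERS", b"\x30" + _der_len_enc(len(body)) + body)

def check_dovecot_ssl(files):
    """files maps setting name -> file contents for ssl_dh, ssl_cert, ssl_key;
    ssl_cert and ssl_key may be one concatenated file (post #3's layout).
    Returns a list of problems; an empty list means the files look usable."""
    labels = lambda key: [lbl for lbl, _ in pem_blocks(files.get(key, ""))]
    problems = []
    dh = [der for lbl, der in pem_blocks(files.get("ssl_dh", "")) if lbl == "DH PARAMETERS"]
    if not dh:
        problems.append("ssl_dh: no 'DH PARAMETERS' block (Dovecot 2.3: 'no start line')")
    elif dh_params(dh[0])[0].bit_length() < MIN_DH_BITS:
        problems.append(f"ssl_dh: {dh_params(dh[0])[0].bit_length()}-bit prime, "
                        f"want >= {MIN_DH_BITS}")
    if "CERTIFICATE" not in labels("ssl_cert"):
        problems.append("ssl_cert: no 'CERTIFICATE' block")
    if not any(lbl.endswith("PRIVATE KEY") for lbl in labels("ssl_key")):
        problems.append("ssl_key: no 'PRIVATE KEY' block")
    return problems

def settings_from_doveconf(text):
    """Pull 'ssl_x = </path' file references out of `doveconf -n` output."""
    return dict(re.findall(r"^\s*(ssl_(?:dh|cert|key))\s*=\s*<(\S+)", text, re.M))

# Constructed samples, no real keys or certificates: the checker only reads
# PEM labels, and the DH primes are synthetic, so only their size is real.
FAKE_CERT = pem_encode("CERTIFICATE", b"constructed placeholder, not a certificate")
FAKE_KEY = pem_encode("PRIVATE KEY", b"constructed placeholder, not a key")
DH_2048 = encode_dh_pem((1 << 2047) | 1, 2)  # right size, but NOT a safe prime
DH_768 = encode_dh_pem((1 << 767) | 1, 2)    # too small for MIN_DH_BITS

if __name__ == "__main__":
    # Usage on the mail host: doveconf -n | python3 check_dovecot_ssl.py
    paths = settings_from_doveconf(sys.stdin.read())
    results = check_dovecot_ssl({k: open(v).read() for k, v in paths.items()})
    print("\n".join(results or ["ssl_dh, ssl_cert and ssl_key look usable"]))
```

Running it against `doveconf -n` output reads whichever files the active ssl_dh, ssl_cert and ssl_key settings reference, so it also settles the first post's question about the two differing ssl_cert/ssl_key definitions: only the value doveconf prints is the one imap-login uses. The size check is deliberately only a floor; a prime of the right length that was never generated by openssl (like the synthetic samples here) would pass it, so the file still has to come from `openssl dhparam`.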

