Control: reassign -1 dovecot-core
Control: severity -1 important
Control: merge -1 850538
Control: retitle -1 dovecot: 10-ssl.conf not migrated to new settings

(Merging relevant bugs)

Hi,

On 17:28 Thu 22 Jun, Hideki Yamane wrote:
> Not updating /etc/dovecot/conf.d/10-ssl.conf sometimes causes
> problems.
>
>
> dovecot-core provides /etc/dovecot/conf.d/10-ssl.conf. In Jessie,
> it says "#ssl_protocols = !SSLv2", and upgrading from Jessie to
> Stretch does not change that file. If a user uncommented and used
> that line in Jessie and then upgraded to Stretch, it causes problems
> negotiating with clients, as below.
>
> >> pop3-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
>
> (Just a wild guess, because libssl1.1.0 dropped SSLv2 support.)
>
>
> debian/dovecot-core.postinst says:
>
>     # Special handling for 10-ssl.conf.
>     # Copy the file if it does not exist, do nothing otherwise.
>     if [ "$conffile" = 'conf.d/10-ssl.conf' ]; then
>         if [ ! -f /etc/dovecot/$conffile ]; then
>             cp /usr/share/dovecot/$conffile /etc/dovecot/$conffile
>             chmod 0644 /etc/dovecot/$conffile
>         fi
>         # Unregister 10-ssl.conf from ucf if it's there.
>         ucfr --purge dovecot-core /etc/dovecot/$conffile
>         continue
>     fi
>
> It was introduced in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773237

Yes, we do need to figure out a way to better handle SSL configuration.
The problem with SSL is that its configuration is completely
site-specific, making it virtually impossible to provide meaningful
defaults. The truth is that unlike web servers, where (at least until
everyone upgrades to HTTP/2) we can still pretend things can run
unencrypted, mail is more sensitive and is (hopefully) always encrypted.

Thus we should really get SSL up and running by default, and the only
feasible solution is to use ssl-cert-snakeoil.pem or generate the crypto
material on our own (see the long discussion in #376146).

To make things easier and avoid unnecessary conffile prompts, the
certificates should be used indirectly via symlinks, something like:

---- /etc/dovecot/conf.d/10-ssl.conf ----
ssl_cert = </etc/dovecot/ssl/dovecot.pem
ssl_key = </etc/dovecot/ssl/dovecot.key
-----------------------------------------

/etc/dovecot/ssl/dovecot.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/dovecot/ssl/dovecot.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Then we also need to depend on ssl-cert and make sure ssl-cert-snakeoil
exists. After all of that, we can handle ssl.conf as a regular conffile
and not pretend we know nothing about it :)

I'll see if I can get this sorted out in one of the next uploads.

Regards,
Apollon
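An added example, not code from the Debian dovecot package or from this bug thread, that exercises the two points above in a scratch directory: it finds an uncommented ssl_protocols line that still names SSLv2 (the setting dovecot rejects on OpenSSL 1.1), strips that token the way a migration step could, and builds the proposed /etc/dovecot/ssl/ symlink layout with a 10-ssl.conf that refers only to the symlinks, then checks that every referenced path resolves. The PREFIX argument, the function names and the sample files are assumptions for the demo; the migration rule (drop the SSLv2 token, comment the line out if nothing remains so dovecot's built-in default applies) is mine, not something the thread proposes.

```shell
#!/bin/sh
# Added example for this bug thread (not from the dovecot package).
# All paths are taken relative to a PREFIX so it can run in a scratch
# directory instead of a live system; the snakeoil stand-ins are constructed.
set -eu

STALE_RE='^[[:space:]]*ssl_protocols[[:space:]]*=.*SSLv2'

# Print every uncommented ssl_protocols line in $1/*.conf that names SSLv2
# (file:lineno:text). Returns 0 when nothing stale was found, 1 otherwise.
find_stale_ssl_protocols() {
    confdir="$1"
    found=0
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -n -E "$STALE_RE" "$f"; then
            found=1
        fi
    done
    return "$found"
}

# Drop the SSLv2 token from ssl_protocols lines in place (hypothetical
# migration rule). If that leaves the value empty, comment the line out so
# dovecot's built-in default applies instead of an empty list.
migrate_ssl_protocols() {
    f="$1"
    sed -i -E \
        -e '/^[[:space:]]*ssl_protocols[[:space:]]*=/ s/[[:space:]]*!?SSLv2//g' \
        -e 's/^([[:space:]]*ssl_protocols[[:space:]]*=)[[:space:]]*$/#\1/' \
        "$f"
}

# Create the indirection layer proposed in the thread: dovecot.pem/.key as
# symlinks to the ssl-cert snakeoil files, and ssl_cert/ssl_key settings that
# refer only to the symlinks (appended if the conffile has none yet).
setup_ssl_symlinks() {
    prefix="$1"
    conf="$prefix/etc/dovecot/conf.d/10-ssl.conf"
    mkdir -p "$prefix/etc/dovecot/ssl" "$prefix/etc/dovecot/conf.d"
    ln -sfn "$prefix/etc/ssl/certs/ssl-cert-snakeoil.pem" "$prefix/etc/dovecot/ssl/dovecot.pem"
    ln -sfn "$prefix/etc/ssl/private/ssl-cert-snakeoil.key" "$prefix/etc/dovecot/ssl/dovecot.key"
    grep -q -E '^[[:space:]]*ssl_cert[[:space:]]*=' "$conf" 2>/dev/null || cat >> "$conf" <<EOF
ssl_cert = <$prefix/etc/dovecot/ssl/dovecot.pem
ssl_key = <$prefix/etc/dovecot/ssl/dovecot.key
EOF
}

# Verify that every "<path" referenced by ssl_cert/ssl_key resolves to a
# readable regular file; a dangling symlink here is what would stop dovecot.
check_ssl_conf_targets() {
    conf="$1"
    sed -n -E 's/^[[:space:]]*ssl_(cert|key)[[:space:]]*=[[:space:]]*<//p' "$conf" |
    while IFS= read -r target; do
        [ -f "$target" ] && [ -r "$target" ] || { echo "missing: $target" >&2; exit 1; }
    done
}

# Constructed demo tree: fake snakeoil files plus a jessie-era conffile in
# which the admin uncommented the SSLv2 line. Prints the prefix path.
demo_prefix() {
    p="$(mktemp -d)"
    mkdir -p "$p/etc/ssl/certs" "$p/etc/ssl/private" "$p/etc/dovecot/conf.d"
    echo "-----BEGIN CERTIFICATE----- (constructed stand-in)" > "$p/etc/ssl/certs/ssl-cert-snakeoil.pem"
    echo "-----BEGIN PRIVATE KEY----- (constructed stand-in)" > "$p/etc/ssl/private/ssl-cert-snakeoil.key"
    printf '%s\n' '# SSL settings' 'ssl_protocols = !SSLv2' > "$p/etc/dovecot/conf.d/10-ssl.conf"
    echo "$p"
}

main() {
    p="$(demo_prefix)"
    conf="$p/etc/dovecot/conf.d/10-ssl.conf"
    echo "== stale settings before migration =="
    find_stale_ssl_protocols "$p/etc/dovecot/conf.d" || true
    migrate_ssl_protocols "$conf"
    setup_ssl_symlinks "$p"
    echo "== 10-ssl.conf after migration =="
    cat "$conf"
    check_ssl_conf_targets "$conf" && echo "all cert/key paths resolve"
    rm -rf "$p"
}
main
```

Running it against a real /etc would mean calling the functions with an empty prefix; the demo deliberately never does that, and the only in-place edit it performs is the sed over the file it was handed.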