
Dovecot: Fix for logjam attack #372

Merged
merged 1 commit into from
May 21, 2015

Conversation

neuhaus
Member

@neuhaus neuhaus commented May 21, 2015

al3x added a commit that referenced this pull request May 21, 2015
Dovecot: Fix for logjam attack
@al3x al3x merged commit 5f192bd into sovereign:master May 21, 2015
@jplock
Contributor

jplock commented May 21, 2015

Running this, I'm getting:

NOTIFIED: [mailserver | restart dovecot] ************************************** 
failed: [x.x.x.x] => {"failed": true}
msg: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 53: Unknown setting: ssl_dh_parameters_length
root@mail:/etc/dovecot/conf.d# dpkg -l | grep dove
ii  dovecot-antispam                      2.0+20120225-3                amd64        Dovecot plugins for training spam filters
ii  dovecot-core                          1:2.1.7-7+deb7u1              amd64        secure mail server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-imapd                         1:2.1.7-7+deb7u1              amd64        secure IMAP server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-lmtpd                         1:2.1.7-7+deb7u1              amd64        secure LMTP server for Dovecot
ii  dovecot-managesieved                  1:2.1.7-7+deb7u1              amd64        secure ManageSieve server for Dovecot
ii  dovecot-pgsql                         1:2.1.7-7+deb7u1              amd64        PostgreSQL support for Dovecot
ii  dovecot-pop3d                         1:2.1.7-7+deb7u1              amd64        secure POP3 server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-sieve                         1:2.1.7-7+deb7u1              amd64        sieve filters support for Dovecot
ii  dovecot-solr                          1:2.1.7-7+deb7u1              amd64        Solr full text search support for Dovecot

@al3x
Contributor

al3x commented May 21, 2015

Interesting. Works for me with dovecot-core 1:2.2.13-11.

@jplock
Contributor

jplock commented May 21, 2015

I'm running wheezy. Is that version from wheezy-backports? https://packages.debian.org/wheezy-backports/dovecot-core

@al3x
Contributor

al3x commented May 21, 2015

I'm trying out Jessie, so perhaps it's only available in the latest Debian release.

@neuhaus
Member Author

neuhaus commented May 22, 2015

Works for me with dovecot-core 2.2.9-1ubuntu2.1.
I suppose Wheezy ships with Dovecot 2.1 that lacks this feature :-(
I'll look into this later this weekend.


@lukecyca
Contributor

lukecyca commented Jun 8, 2015

I got the same errors as @jplock when I upgraded my box to the current master head. I had to upgrade dovecot using wheezy-backports:

echo 'deb http://http.debian.net/debian wheezy-backports main' >> /etc/apt/sources.list
apt-get update
apt-get -t wheezy-backports install

Then I re-ran the playbook.

Not a huge deal if we're moving to Jessie soon, but master is unfortunately broken right now.

@al3x
Contributor

al3x commented Jun 9, 2015

Should be fixed by 34448d5

@iboxifoo
Contributor

iboxifoo commented Jun 9, 2015

I ran the playbook including @al3x's fix, but now I'm unable to retrieve mail, either through IMAP or Roundcube. mail.err reports fatal: no SASL authentication mechanisms and roundcube/errors reports IMAP Error: Login failed for.... Could not connect to ssl://127.0.0.1:993: Connection refused in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login&_action=login)

Any ideas? (I'm still on wheezy) Thanks.

@neuhaus
Member Author

neuhaus commented Jun 9, 2015

@iboxifoo Try removing the line with "ssl_dh_parameters_length = 2048" from your dovecot ssl config file /etc/dovecot/conf.d/10-ssl.conf
Then restart dovecot (run sudo service dovecot restart)
Which version of dovecot is installed on your system now? Check using dpkg -l dovecot-core

@iboxifoo
Contributor

iboxifoo commented Jun 9, 2015

@neuhaus That did the trick! Any implications in commenting out the line? Thanks

@neuhaus
Member Author

neuhaus commented Jun 9, 2015

@iboxifoo You should eventually put it back in when you upgrade to Dovecot 2.2+ (which comes with Debian Jessie for example).
Without it you are using 1024 bit DH params which are considered weak.
You can read all about it at https://weakdh.org/

@neuhaus neuhaus deleted the patch-1 branch June 9, 2015 09:28
@iboxifoo
Contributor

iboxifoo commented Jun 9, 2015

Got it. Thanks so much.


@jplock
Contributor

jplock commented Jun 12, 2015

I was able to upgrade dovecot, but now I'm having issues with dspam:

The following packages have unmet dependencies:
 dovecot-antispam : Depends: dovecot-imapd (< 1:2.1.7.) but 1:2.2.13-11~bpo70+1 is to be installed

Any suggestions?

@neuhaus
Member Author

neuhaus commented Jun 13, 2015

Did you install the dovecot packages manually?
If so, try also installing dovecot-antispam manually from wheezy-backports using
sudo apt-get -t wheezy-backports install dovecot-antispam

neuhaus added a commit that referenced this pull request Jun 13, 2015
@neuhaus
Member Author

neuhaus commented Jun 13, 2015

OK, I hope it's fixed now in commit 8b5ed21.
The dovecot-solr package was also affected.
@jplock Thanks for reporting this.

@neuhaus
Member Author

neuhaus commented Jun 13, 2015

I found and fixed another issue with the wheezy-backports change in commit 570beba. librrd2-dev (required for collectd) also needs to be from wheezy-backports to avoid package conflicts.
