ISPConfig3 + Bettercrypto - Dovecot problem

Hi, this may be mentioned earlier but I have not been able to find it yet so please point me in the right direction if this is already solved...

I have a Multiserver Setup with a dedicated Mailserver (Mostly following the perfect server setup: [1]) It is a Debian 9 with postfix/dovecot. Mail is working! Even with Let's Encrypt Certificate.

I have tried to do some "better crypto" (bettercrypto.org) more specific I tried to disable TLSv1 and TLSv1.1 and prefer_server_settings. This should be done in /etc/dovecot/conf.d/10-ssl.conf
Sadly 10-ssl.conf is completley ignored.

When you follow the perfect server guide - right up to installing ISPConfig there is a line in the /etc/dovecot/dovecot.conf "!include conf.d/*.conf" which includes config files in conf.d/ like 10-ssl.conf. Is there a reason why ISPConfig-setup removes this line?

It seemes the only solution for getting permanent better crypto for dovecot is this thread: [2]
Since it is from 2014 is it still up to date?

Thanks in advance.

### LINKS ###
Apparently I am not allowed to post links. Sorry you have to look them up yourselves.
[1] Howtoforge tutorial: perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1
[2] Old Thread (2014) custom-dovecot-settings.65438

### DISCLAIMER ###
If you use the bettercrypto-guide with an up-to date openssl and Debian9 like I did: Don't disable SSLv2 by editing the /etc/dovecot/dovecot.conf with "ssl_protocols = !SSLv3 !SSLv2" this will cause dovecot to fail (have a look at the syslog) because SSLv2 is removed in Openssl and dovecot Versions >2 do not ignore unknown configuration parameters. (For me the only symptom was my client not logging in anymore)

 

Hi, thank you for the quick response. I will try that and respond back.

Will adding the line: "!include conf.d/10-ssl.conf" break anything of ISPConfig's implementation? I could simply post all the things i need to /etc/dovecot/dovecot.conf but that sounds like the same thing to me (exept with the updates) - I wonder why this line got removed in the fist place.

I will also add my voice to the feature request form 2014 (in the other thread)
unfortunately /etc/dovecot/conf.d/10-ssl.conf seemes to be the most important file for SSL according to the dovecot documentation.

 

Understood. I agree it is easier to manage one config file instead of hundreds. but your template is mostly a concatination of some old config files (wich are now split in conf.d/*.conf) and the old files wich you are not using are still there - so maybe one could remove them in a cleaning process?

I only disagree on the point that future security updates will probably happen in those files you are not using (Standard on most Linux/unix systems) so you need to update the template nontheless. (You also could integrate the proper way to make changes in the /etc/dovecot/dovecot.conf) ... yes I know ... feature request ...

 

so, Reporting back:

I took the file from the install/tpl/ with the version 3.1.10 (debian_dovecot.conf.master) sadly it does not match the current /etc/dovecot/dovecot.conf file (even without my changes)

So I took the /etc/dovecot/dovecot.conf file and made my changes there then I copied it to /usr/local/ispconfig/server/conf-custom/install/dovecot.conf. This folder also contains an empty.dir (File for ISPConfig). I suppose I should delete that? (I will update to 3.1.11 soon so I would like to know that beforehand.)

I am halfway done writing a script to concatenate the template and the 10-ssl.conf but since the template looks differently than my dovecot.conf I gave up. I could continue and give it back here - provided someone explains to me which file to trust...

 

Problem with Updateing:

my custom files wich I have created in /usr/local/ispconfig/server/conf-custom/install/ get ignored.
The empty.dir gets restored on update. I wonder how ispconfig would know where to put those files because they belong in different folders. Maybe someone can explain it to me here?

My problem in detail:

I changed 3 files in order to get my mailserver working with better crypto (I did not find any better way to do it). Those are
/etc/dovecot/dovecot.conf
/etc/postfix/main.cf
/etc/postfix/master.cf
Also I deleted the file in /var/lib/dovecot/ssl-parameters.dat and restarted dovecot to re-generate the file. (Actually I restarted dovecot and postfix for the changes to work)

I did a backup of those files and those exact files are also in the folder /usr/local/ispconfig/server/conf-custom/install/. Here are md5sums of them before the update.

2b70b4d0f62e0adf8c1dacf6e876aaf6 dovecot.conf
110e89d3c9163022563dccbee4565d4d main.cf
680339a870e54c2f8f97cafef4876384 master.cf

After the update some of the files on their destination changed. And they do not contain the updates I made.

58d5088321ca86dada0326528ce8a9a1 /etc/dovecot/dovecot.conf
9a2ca26436ac428067e24cf5867dfd94 /etc/postfix/main.cf
680339a870e54c2f8f97cafef4876384 /etc/postfix/master.cf

only the master.cf remains untouched. But that could be coincidence. (I did the update from 3.1.10 to 3.1.11)

Solution:

I wrote a script that replaces the updated files to the files I backuped. (This may not be the best solution but the only one I found working) You may notice I also backupped the /var/lib/dovecot/ssl-parameters.dat because I did not want to wait untill it is re-created.

---
#!/bin/bash

# script to fix postfix and dovecot after ispconfig update
# when you have to implement custom config

# re-copy dovecot.conf
cp /path/to/backup/dovecot.conf /etc/dovecot/dovecot.conf

# re-copy main.cf and master.cf
# okay master.cf is just a precaution....
cp /path/to/backup/main.cf /etc/postfix/main.cf
cp /path/to/backup/master.cf /etc/postfix/master.cf

# remove file for re-creating DHE parameters
# also just a precaution ... don't know if ISPconfig changes anything here.
#rm /var/lib/dovecot/ssl-parameters.dat
#rm /var/lib/dovecot/ssl-parameters.dat.tmp
# OR
# replace file for re-creating DH parameters with existing one
# to have less downtime when updating
cp /path/to/backup/ssl-parameters.dat /var/lib/dovecot/
# also restarting dovecot on ISPConfig update may have created a ssl-parameters.dat.tmp
rm /var/lib/dovecot/ssl-parameters.dat.tmp

# restart postfix and dovecot
service postfix restart
service dovecot restart

echo Done. Do check services please.
---

 

The master files in install/tpl/ differ strongly from the actual files written by the update! Where do those changes come from?

the debian_dovecot2.conf.master contains the following lines the running configuration does not:

< postmaster_address = [email protected]
< postmaster_address = webmaster@localhost
< postmaster_address = webmaster@localhost
< mail_plugins = $mail_plugins quota

in the /etc/dovecot/dovecot.conf the following lines are different from the debian_dovecot2.conf.master
(in addition to my changes.)

> postmaster_address = [email protected]
> postmaster_address = [email protected]

the debian_postfix.conf.master differs from /etc/postfix/main.cf even more!

So what you actually mean is I should change my files in usr/local/ispconfig/server/conf-custom/install/ to be named

debian_dovecot2.conf.master - instead of dovecot.conf
debian_postfix.conf.master - instead of main.cf

yes?

 

Dear Till,

I did some debugging using the recommended files from install/tpl/ copied to /usr/local/ispconfig/server/conf-custom/install/ and changed them according to my needs.

while updating the following happens:

at /etc/postfix/main.cf only the parameters previously defined get replaced
at /etc/dovecot/dovecot.conf the parameters previously defined get replaced and the parameters previously not defined get flushed.

I suppose this behavior is because of the tpl_ini.inc.php where it says:
'UNKNOWNS' => 'ignore',

although my line in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master reads as this:

ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

it is changed to

ssl_protocols = !SSLv3

in /etc/dovecot/dovecot.conf. I am not really sure why. In the installer_base.lib.php it says

// Dovecot > 2.2 does not recognize !SSLv2 anymore on Debian 9
replaceLine($config_dir.'/'.$configfile, 'ssl_protocols = !SSLv2 !SSLv3', 'ssl_protocols = !SSLv3', 1, 0);

so I am pretty sure it should not even touch this line...

on the upside: the postmaster address get set here too ...

also when I change other things in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master like mail_max_userip_connections = 500 it reads after update in /etc/dovecot/dovecot.conf mail_max_userip_connections = 100

also other defined functions are not there after update like:

ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 4096
ssl_options = no_compression

those lines simply get purged. I cannot find the according functions in your scripts beside the ones already mentioned. Maybe I missed something? Maybe it is a bug?

additional lines in the postfix-configuration remain there even after the update. But I did not look into this farther...

I also tried the installer_base.lib.php to write some debugging output, but it simply didn't. Adding something undefined to the php brought the update to crash so I am pretty sure I got the right file - and that the file get's called at some point.

So far only the workaround I posted earlier seems to be working.

### EDIT ###
The files need to be named debian_dovecot2.conf.master and debian_postfix.conf.master in the /usr/local/ispconfig/server/conf-custom/install/ and not differently.

 

re-tested. no difference.

re-downloaded the Update: (md5sum)
a13608c0c8c51e4e464b099765edf0d2 ISPConfig-3.1.11.tar.gz

unpacked it into /tmp
copied "fresh" /tmp/ispconfig3_install/install/tpl/debian_dovecot2.conf.master to /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master

changed the following lines in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master

ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
mail_max_userip_connections = 500

forced the update with /tmp/ispconfig3_install/install# php -q update.php

and then looked into the /etc/dovecot/dovecot.conf

ssl_protocols = !SSLv3
mail_max_userip_connections = 100

so - no difference

also - just for testing - copied the newly changed /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master to /tmp/ispconfig3_install/install/tpl/

and then did /tmp/ispconfig3_install/install# php -q update.php

but still /etc/dovecot/dovecot.conf looks like

ssl_protocols = !SSLv3
mail_max_userip_connections = 100

any ideas?
am I doing something wrong?

 

How wold someone apply changes in the main.cf permanently in ISPConfig?

 

If I put "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" in the master template it gets replaced anyways. I guess I will stay with my replacement-script for a while.

I am just configuring two additional mailservers in this multiserver setup - if the changes in the master template work there i will redo this machine.

concering the workflow I am sticking to the perfect server guide and the ISPConfig manual (although the manual is for an old version)

 

Dear Till,
I did a fresh installation of Debian on another server and a fresh installation of ISPConfig 3.1.11.
I copied the master file to the location, I can alter whatever I want but dovecot still defaults back to your settings.

 

any news on this topic?

 

@till, just to be sure, I installed the latest stable on a debian 9 server, and this is now the output of # doveconf -n -P

Code:

# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.9.0-6-amd64 x86_64 Debian 9.3
# Hostname: somedomain.tld
auth_mechanisms = plain login
disable_plaintext_auth = no
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
*** mail_max_userip_connections = 100 ***
mail_privileged_group = vmail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_plugins = sieve quota
  postmaster_address = [email protected]
}
protocol lmtp {
  mail_plugins = quota sieve
  postmaster_address = [email protected]
}

and I would like to override it, persistent after ispconfig updates, to:

Code:

auth_cache_size = 24 M
auth_cache_ttl = 18 hours
auth_mechanisms = plain login
disable_plaintext_auth = no
listen = *,[::]
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = mydomainname ready.
mail_fsync = never
mail_max_userip_connections = 500
mail_plugins = " fts fts_lucene"
mail_privileged_group = vmail
mail_temp_dir = /ramdsk/dovecot
mailbox_idle_check_interval = 59 secs
mailbox_list_index = yes
maildir_very_dirty_syncs = yes
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 60
  fts_index_timeout = 60
  fts_lucene = whitespace_chars=@. normalize no_snowball
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
  process_min_avail = 6
  service_count = 64
  vsz_limit = 256 M
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_fsync = optimized
  mail_plugins = sieve
  postmaster_address = [email protected]
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = sieve
  postmaster_address = [email protected]
}

How do I best do this? Since I don't see a template for dovecot.conf anywhere.
My conf includes support for CLucene plugin, which is -still- the fastest FTS search option for dovecot, despite them claiming otherwise. Lucene delivers the fastest search performance on my servers anyway..