ISPconfig no TLS after upgrade to 3.2

Discussion in 'Installation/Configuration' started by Dark Magician, Feb 24, 2021.

  1. Dark Magician

    Dark Magician New Member

    **FIXED IT**

    After the upgrade to ISPConfig 3.2 all Outlook clients and iOS mail stopped working.
    When I check the log I see:
    dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=<REMOVED>, lip=<REMOVED>, session=<REMOVED>
    dovecot: lmtp(15708): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small 
    I tried to run:
    rm dh.pem
    openssl dhparam -out /etc/dovecot/dh.pem 2048
    And since that didn't work:
    rm dh.pem
    openssl dhparam -out /etc/dovecot/dh.pem 4096
    Also tried to modify /etc/dovecot/conf.d/10-ssl.conf and add the line:
    ssl_dh = </etc/dovecot/dh.pem
    Normal connections (non ssl) work fine.
    SFTP/HTTPS on the ISPConfig portal and Roundcube all work fine as well.
    It's just Outlook and iOS connections over SSL that broke.

    I was able to fix this by editing /etc/dovecot/dovecot.conf:
    - Comment out: ssl_protocols = !SSLv3
    - Add: ssl_min_protocol = TLSv1.2
    - Add: ssl_dh =</usr/share/dovecot/dh.pem
    - Run: doveconf -Pn > dovecot-new-2.3.conf
    After that I had to restart dovecot: service dovecot restart
    Last edited: Feb 24, 2021
    electronico_nc and ahrasis like this.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    These settings are already in the distributed dovecot config; you either have a local conf-custom template which needs to be updated, or you aren't running a current version of ISPConfig. Or maybe you upgraded and didn't reconfigure services? (Though lots of things should be broken in that case.)
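
The three settings this thread ends up changing (ssl_protocols, ssl_min_protocol, ssl_dh) can be checked with a short script before restarting dovecot. This is an added example, not part of the original posts and not ISPConfig's own code; the function names, the 2048-bit threshold and the sample config are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Dovecot config file for the
# TLS settings discussed above. Blocks and !include files are not followed.
MIN_DH_BITS=2048   # assumption: threshold chosen for this example

# Print the value of the last uncommented "NAME = value" line in FILE.
get_setting() {  # usage: get_setting NAME FILE
    sed -e 's/#.*//' "$2" | awk -v k="$1" '
        { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
        key == k && index($0, "=") {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            found = val }
        END { print found }'
}

# Print the size in bits of a PEM DH parameter file (empty if unparsable).
dh_bits() {  # usage: dh_bits FILE
    openssl dhparam -in "$1" -text -noout 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print one finding per line; print nothing when the three settings look sane.
audit_dovecot_tls() {  # usage: audit_dovecot_tls FILE
    conf=$1
    if [ -n "$(get_setting ssl_protocols "$conf")" ]; then
        echo "OLD ssl_protocols (Dovecot 2.3 uses ssl_min_protocol)"
    fi
    if [ -z "$(get_setting ssl_min_protocol "$conf")" ]; then
        echo "MISSING ssl_min_protocol"
    fi
    dh=$(get_setting ssl_dh "$conf")
    dh=${dh#"<"}    # drop the "<" prefix (the value is read from that file)
    if [ -z "$dh" ]; then
        echo "MISSING ssl_dh"
    elif [ ! -r "$dh" ]; then
        echo "UNREADABLE ssl_dh file $dh"
    else
        bits=$(dh_bits "$dh")
        if [ "${bits:-0}" -lt "$MIN_DH_BITS" ]; then
            echo "WEAK ssl_dh file $dh (${bits:-unknown} bits)"
        fi
    fi
    return 0
}

# Constructed sample: the pre-fix state described in the first post.
sample=$(mktemp)
printf '%s\n' 'ssl = required' 'ssl_protocols = !SSLv3' > "$sample"
audit_dovecot_tls "$sample"; rm -f "$sample"
```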
