ISPConfig3 + Bettercrypto - Dovecot problem

Discussion in 'Installation/Configuration' started by Rabenkind, Jan 12, 2018.

  1. Rabenkind

    Rabenkind New Member

    Hi, this may be mentioned earlier but I have not been able to find it yet so please point me in the right direction if this is already solved...

    I have a Multiserver Setup with a dedicated Mailserver (mostly following the perfect server setup: [1]). It is a Debian 9 with postfix/dovecot. Mail is working! Even with Let's Encrypt Certificate.

    I have tried to do some "better crypto" (more specifically, I tried to disable TLSv1 and TLSv1.1 and prefer_server_settings). This should be done in /etc/dovecot/conf.d/10-ssl.conf
    Sadly 10-ssl.conf is completely ignored.

    When you follow the perfect server guide - right up to installing ISPConfig there is a line in the /etc/dovecot/dovecot.conf "!include conf.d/*.conf" which includes config files in conf.d/ like 10-ssl.conf. Is there a reason why ISPConfig-setup removes this line?

    It seems the only solution for getting permanent better crypto for dovecot is this thread: [2]
    Since it is from 2014 is it still up to date?

    Thanks in advance.

    ### LINKS ###
    Apparently I am not allowed to post links. Sorry you have to look them up yourselves.
    [1] Howtoforge tutorial: perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1
    [2] Old Thread (2014) custom-dovecot-settings.65438

    ### DISCLAIMER ###
    If you use the bettercrypto-guide with an up-to-date OpenSSL and Debian 9 like I did: Don't disable SSLv2 by editing the /etc/dovecot/dovecot.conf with "ssl_protocols = !SSLv3 !SSLv2". This will cause dovecot to fail (have a look at the syslog) because SSLv2 is removed in OpenSSL and dovecot versions >2 do not ignore unknown configuration parameters. (For me the only symptom was my client not logging in anymore.)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the wrong file. You have to add this in dovecot.conf. And to make your changes update safe, copy the dovecot conf master template from install/tpl/ folder of the folder /usr/local/ispconfig/server/conf-custom/install/ and implement it there too.
  3. Rabenkind

    Rabenkind New Member

    Hi, thank you for the quick response. I will try that and respond back.

    Will adding the line: "!include conf.d/10-ssl.conf" break anything of ISPConfig's implementation? I could simply post all the things I need to /etc/dovecot/dovecot.conf but that sounds like the same thing to me (except with the updates) - I wonder why this line got removed in the first place.

    I will also add my voice to the feature request from 2014 (in the other thread).
    Unfortunately /etc/dovecot/conf.d/10-ssl.conf seems to be the most important file for SSL according to the dovecot documentation.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Because ISPConfig would have to delete and replace all these files on installation and update then to ensure that the setup remains consistent or in other words: if we would use such third party includes without cleaning them, a lot of installs will fail.

    The file /etc/dovecot/conf.d/10-ssl.conf does not matter as ISPConfig does not use a split config and ssl settings do not care about the name of the file they are added to. If you want to define settings beside the ones that are already in the dovecot.conf on an ISPConfig server, then use the approach I explained in the post above.
  5. Rabenkind

    Rabenkind New Member

    Understood. I agree it is easier to manage one config file instead of hundreds. But your template is mostly a concatenation of some old config files (which are now split in conf.d/*.conf) and the old files which you are not using are still there - so maybe one could remove them in a cleaning process?

    I only disagree on the point that future security updates will probably happen in those files you are not using (Standard on most Linux/unix systems) so you need to update the template nonetheless. (You also could integrate the proper way to make changes in the /etc/dovecot/dovecot.conf) ... yes I know ... feature request ... ;)
  6. Rabenkind

    Rabenkind New Member

    So, reporting back:

    I took the file from the install/tpl/ with the version 3.1.10 (debian_dovecot.conf.master). Sadly it does not match the current /etc/dovecot/dovecot.conf file (even without my changes).

    So I took the /etc/dovecot/dovecot.conf file and made my changes there then I copied it to /usr/local/ispconfig/server/conf-custom/install/dovecot.conf. This folder also contains an empty.dir (File for ISPConfig). I suppose I should delete that? (I will update to 3.1.11 soon so I would like to know that beforehand.)

    I am halfway done writing a script to concatenate the template and the 10-ssl.conf but since the template looks differently than my dovecot.conf I gave up. I could continue and give it back here - provided someone explains to me which file to trust...
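
Added example, not part of any post above and not ISPConfig's own code: a small shell audit for the single-file setup discussed in this thread, checking that TLSv1/TLSv1.1 are disabled and that the SSLv2 token from the first post's disclaimer is absent. It assumes Dovecot 2.2 syntax (`ssl_protocols`) and that the server-preference setting meant in the thread is Dovecot's `ssl_prefer_server_ciphers`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit TLS settings in a single-file Dovecot 2.2 config.
# Usage: sh audit.sh /etc/dovecot/dovecot.conf
# Run it on the conf-custom copy as well so both files carry the same settings.

# Print the value of the last uncommented "ssl_protocols = ..." line in file $1.
ssl_protocols_value() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the file passes, 1 otherwise; findings go to stdout.
audit_dovecot_tls() {
    conf=$1
    rc=0
    protos=$(ssl_protocols_value "$conf")
    if [ -z "$protos" ]; then
        echo "FAIL: no ssl_protocols line in $conf"
        return 1
    fi
    # The first post reports Dovecot failing on Debian 9 when SSLv2 is named.
    case " $protos " in
        *SSLv2*) echo "FAIL: ssl_protocols names SSLv2: $protos"; rc=1 ;;
    esac
    # Each legacy protocol must appear as an explicit "!proto" token.
    for p in TLSv1 TLSv1.1; do
        case " $protos " in
            *" !$p "*) ;;
            *) echo "FAIL: $p is not disabled: $protos"; rc=1 ;;
        esac
    done
    # Assumption: this is the setting the thread calls prefer_server_settings.
    if ! grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "FAIL: ssl_prefer_server_ciphers is not set to yes"
        rc=1
    fi
    # Without an include line, anything in conf.d/10-ssl.conf is never read.
    if ! grep -Eq '^[[:space:]]*!include(_try)?[[:space:]]+conf\.d/' "$conf"; then
        echo "INFO: conf.d/ is not included; only settings in $conf apply"
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    audit_dovecot_tls "$1"
fi
```

After restarting Dovecot, `doveconf -n` lists the non-default settings it actually loaded, which confirms whether the edited file is the one in use.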
