Hi, this may be mentioned earlier but I have not been able to find it yet, so please point me in the right direction if this is already solved...

I have a multiserver setup with a dedicated mailserver (mostly following the perfect server setup: [1]). It is a Debian 9 with postfix/dovecot. Mail is working! Even with Let's Encrypt certificate.

I have tried to do some "better crypto" (bettercrypto.org), more specifically I tried to disable TLSv1 and TLSv1.1 and prefer_server_settings. This should be done in /etc/dovecot/conf.d/10-ssl.conf. Sadly 10-ssl.conf is completely ignored. When you follow the perfect server guide - right up to installing ISPConfig - there is a line in the /etc/dovecot/dovecot.conf "!include conf.d/*.conf" which includes config files in conf.d/ like 10-ssl.conf. Is there a reason why ISPConfig-setup removes this line? It seems the only solution for getting permanent better crypto for dovecot is this thread: [2]. Since it is from 2014, is it still up to date?

Thanks in advance.

### LINKS ###
Apparently I am not allowed to post links. Sorry you have to look them up yourselves.
[1] Howtoforge tutorial: perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1
[2] Old Thread (2014) custom-dovecot-settings.65438

### DISCLAIMER ###
If you use the bettercrypto-guide with an up-to-date openssl and Debian 9 like I did: Don't disable SSLv2 by editing the /etc/dovecot/dovecot.conf with "ssl_protocols = !SSLv3 !SSLv2". This will cause dovecot to fail (have a look at the syslog) because SSLv2 is removed in OpenSSL and dovecot versions >2 do not ignore unknown configuration parameters. (For me the only symptom was my client not logging in anymore.)
That's the wrong file. You have to add this in dovecot.conf. And to make your changes update safe, copy the dovecot conf master template from the install/tpl/ folder to the folder /usr/local/ispconfig/server/conf-custom/install/ and implement it there too.
Hi, thank you for the quick response. I will try that and respond back. Will adding the line "!include conf.d/10-ssl.conf" break anything of ISPConfig's implementation? I could simply post all the things I need to /etc/dovecot/dovecot.conf but that sounds like the same thing to me (except with the updates) - I wonder why this line got removed in the first place. I will also add my voice to the feature request from 2014 (in the other thread). Unfortunately /etc/dovecot/conf.d/10-ssl.conf seems to be the most important file for SSL according to the dovecot documentation.
Because ISPConfig would have to delete and replace all these files on installation and update then to ensure that the setup remains consistent, or in other words: if we used such third party includes without cleaning them, a lot of installs would fail. The file /etc/dovecot/conf.d/10-ssl.conf does not matter as ISPConfig does not use a split config and ssl settings do not care about the name of the file they are added to. If you want to define settings beside the ones that are already in the dovecot.conf on an ISPConfig server, then use the approach I explained in the post above.
Understood. I agree it is easier to manage one config file instead of hundreds. But your template is mostly a concatenation of some old config files (which are now split in conf.d/*.conf) and the old files which you are not using are still there - so maybe one could remove them in a cleaning process? I only disagree on the point that future security updates will probably happen in those files you are not using (standard on most Linux/Unix systems) so you need to update the template nonetheless. (You also could integrate the proper way to make changes in the /etc/dovecot/dovecot.conf) ... yes I know ... feature request ...
So, reporting back: I took the file from the install/tpl/ with the version 3.1.10 (debian_dovecot.conf.master). Sadly it does not match the current /etc/dovecot/dovecot.conf file (even without my changes). So I took the /etc/dovecot/dovecot.conf file and made my changes there, then I copied it to /usr/local/ispconfig/server/conf-custom/install/dovecot.conf. This folder also contains an empty.dir (file for ISPConfig). I suppose I should delete that? (I will update to 3.1.11 soon so I would like to know that beforehand.)

I am halfway done writing a script to concatenate the template and the 10-ssl.conf but since the template looks different than my dovecot.conf I gave up. I could continue and give it back here - provided someone explains to me which file to trust...
Problem with updating: my custom files which I have created in /usr/local/ispconfig/server/conf-custom/install/ get ignored. The empty.dir gets restored on update. I wonder how ISPConfig would know where to put those files because they belong in different folders. Maybe someone can explain it to me here?

My problem in detail: I changed 3 files in order to get my mailserver working with better crypto (I did not find any better way to do it). Those are
/etc/dovecot/dovecot.conf
/etc/postfix/main.cf
/etc/postfix/master.cf
Also I deleted the file /var/lib/dovecot/ssl-parameters.dat and restarted dovecot to re-generate the file. (Actually I restarted dovecot and postfix for the changes to work.)

I did a backup of those files and those exact files are also in the folder /usr/local/ispconfig/server/conf-custom/install/. Here are md5sums of them before the update.
2b70b4d0f62e0adf8c1dacf6e876aaf6 dovecot.conf
110e89d3c9163022563dccbee4565d4d main.cf
680339a870e54c2f8f97cafef4876384 master.cf

After the update some of the files on their destination changed. And they do not contain the updates I made.
58d5088321ca86dada0326528ce8a9a1 /etc/dovecot/dovecot.conf
9a2ca26436ac428067e24cf5867dfd94 /etc/postfix/main.cf
680339a870e54c2f8f97cafef4876384 /etc/postfix/master.cf
Only the master.cf remains untouched. But that could be coincidence. (I did the update from 3.1.10 to 3.1.11.)

Solution: I wrote a script that replaces the updated files with the files I backed up. (This may not be the best solution but the only one I found working.) You may notice I also backed up the /var/lib/dovecot/ssl-parameters.dat because I did not want to wait until it is re-created.

---
#!/bin/bash
# script to fix postfix and dovecot after ispconfig update
# when you have to implement custom config
# abort on the first failing copy instead of restarting services with a half-restored config
set -e

# re-copy dovecot.conf
cp /path/to/backup/dovecot.conf /etc/dovecot/dovecot.conf

# re-copy main.cf and master.cf
# okay master.cf is just a precaution....
cp /path/to/backup/main.cf /etc/postfix/main.cf
cp /path/to/backup/master.cf /etc/postfix/master.cf

# remove file for re-creating DHE parameters
# also just a precaution ... don't know if ISPconfig changes anything here.
#rm /var/lib/dovecot/ssl-parameters.dat
#rm /var/lib/dovecot/ssl-parameters.dat.tmp
# OR
# replace file for re-creating DH parameters with existing one
# to have less downtime when updating
cp /path/to/backup/ssl-parameters.dat /var/lib/dovecot/
# also restarting dovecot on ISPConfig update may have created a ssl-parameters.dat.tmp
# (-f so the script does not abort when the .tmp file is not there)
rm -f /var/lib/dovecot/ssl-parameters.dat.tmp

# restart postfix and dovecot
service postfix restart
service dovecot restart
echo "Done. Do check services please."
---
That's the reason for your problem. You copied your manually changed files there but you should have copied the master files from ispconfig tar.gz install/tpl/ folder there and implement your changes in the master files.
The master files in install/tpl/ differ strongly from the actual files written by the update! Where do those changes come from?

The debian_dovecot2.conf.master contains the following lines the running configuration does not:
< postmaster_address = [email protected]
< postmaster_address = [email protected]
< postmaster_address = [email protected]
< mail_plugins = $mail_plugins quota

In the /etc/dovecot/dovecot.conf the following lines are different from the debian_dovecot2.conf.master (in addition to my changes):
> postmaster_address = [email protected]
> postmaster_address = [email protected]

The debian_postfix.conf.master differs from /etc/postfix/main.cf even more!

So what you actually mean is I should change my files in /usr/local/ispconfig/server/conf-custom/install/ to be named
debian_dovecot2.conf.master - instead of dovecot.conf
debian_postfix.conf.master - instead of main.cf
yes?
Dear Till,

I did some debugging using the recommended files from install/tpl/ copied to /usr/local/ispconfig/server/conf-custom/install/ and changed them according to my needs. While updating the following happens:
at /etc/postfix/main.cf only the parameters previously defined get replaced
at /etc/dovecot/dovecot.conf the parameters previously defined get replaced and the parameters previously not defined get flushed.

I suppose this behavior is because of the tpl_ini.inc.php where it says:
'UNKNOWNS' => 'ignore',

Although my line in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master reads as this:
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
it is changed to
ssl_protocols = !SSLv3
in /etc/dovecot/dovecot.conf. I am not really sure why. In the installer_base.lib.php it says
// Dovecot > 2.2 does not recognize !SSLv2 anymore on Debian 9
replaceLine($config_dir.'/'.$configfile, 'ssl_protocols = !SSLv2 !SSLv3', 'ssl_protocols = !SSLv3', 1, 0);
so I am pretty sure it should not even touch this line... On the upside: the postmaster address gets set here too ...

Also when I change other things in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master like
mail_max_userip_connections = 500
it reads after update in /etc/dovecot/dovecot.conf
mail_max_userip_connections = 100

Also other defined settings are not there after update, like:
ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 4096
ssl_options = no_compression
Those lines simply get purged. I cannot find the according functions in your scripts beside the ones already mentioned. Maybe I missed something? Maybe it is a bug?

Additional lines in the postfix configuration remain there even after the update. But I did not look into this further...

I also tried the installer_base.lib.php to write some debugging output, but it simply didn't. Adding something undefined to the php brought the update to crash so I am pretty sure I got the right file - and that the file gets called at some point. So far only the workaround I posted earlier seems to be working.

### EDIT ###
The files need to be named debian_dovecot2.conf.master and debian_postfix.conf.master in the /usr/local/ispconfig/server/conf-custom/install/ and not differently.
The dovecot file gets replaced completely, based on the master file. This works fine here and I can alter whatever I want and it is exactly like this in the resulting dovecot.conf file. I just copied the master file to the folder and altered it. The main.cf update works differently: the update is applied with postconf, so only the lines defined in the file get altered.
Re-tested. No difference.

Re-downloaded the update (md5sum):
a13608c0c8c51e4e464b099765edf0d2 ISPConfig-3.1.11.tar.gz
Unpacked it into /tmp, copied "fresh" /tmp/ispconfig3_install/install/tpl/debian_dovecot2.conf.master to /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master and changed the following lines in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master:
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
mail_max_userip_connections = 500

Forced the update with
/tmp/ispconfig3_install/install# php -q update.php
and then looked into the /etc/dovecot/dovecot.conf:
ssl_protocols = !SSLv3
mail_max_userip_connections = 100
So - no difference.

Also - just for testing - copied the newly changed /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master to /tmp/ispconfig3_install/install/tpl/ and then did
/tmp/ispconfig3_install/install# php -q update.php
but still /etc/dovecot/dovecot.conf looks like
ssl_protocols = !SSLv3
mail_max_userip_connections = 100

Any ideas? Am I doing something wrong?
In main.cf directly when it's a setting that is not handled by ispconfig, otherwise in the postfix master template.
If I put "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" in the master template it gets replaced anyway. I guess I will stay with my replacement script for a while. I am just configuring two additional mailservers in this multiserver setup - if the changes in the master template work there I will redo this machine. Concerning the workflow, I am sticking to the perfect server guide and the ISPConfig manual (although the manual is for an old version).
Dear Till, I did a fresh installation of Debian on another server and a fresh installation of ISPConfig 3.1.11. I copied the master file to the location, I can alter whatever I want but dovecot still defaults back to your settings.
There was just an issue with ssl_protocols overriding, as we had to modify the line due to a quite bad change of dovecot: instead of ignoring the SSLv2 option in newer versions that don't support that protocol anymore, dovecot does a hard fail, and as we support a bunch of versions, we had to modify the line automatically during setup. But that has been fixed already; the other things work fine and I was able to override them during update without any issues from the beginning.

Example on Debian 9:
cd /tmp
wget https://ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz
tar xfz ISPConfig-3.1.11.tar.gz
cp ispconfig3_install/install/tpl/debian6_dovecot2.conf.master /usr/local/ispconfig/server/conf-custom/install/
vi /usr/local/ispconfig/server/conf-custom/install/debian6_dovecot2.conf.master
and set:
mail_max_userip_connections = 500

[email protected]:/tmp# grep mail_max_userip_connections /usr/local/ispconfig/server/conf-custom/install/debian6_dovecot2.conf.master
mail_max_userip_connections = 500
[email protected]:/tmp# grep mail_max_userip_connections /etc/dovecot/dovecot.conf
mail_max_userip_connections = 100
ispconfig_update.sh
[email protected]:/tmp# grep mail_max_userip_connections /etc/dovecot/dovecot.conf
mail_max_userip_connections = 500
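An added check, not part of this thread or of ISPConfig: the thread's pain point is that settings in the custom master template were silently dropped or reverted in /etc/dovecot/dovecot.conf by the update (and the grep in the post above is a manual one-key version of this). The script below compares every top-level "key = value" line of a template against a live config and reports what is missing or changed; the two sample files are constructed here to mirror the values reported in the thread, and in real use you pass the template in /usr/local/ispconfig/server/conf-custom/install/ and /etc/dovecot/dovecot.conf to check_settings.

```sh
#!/bin/sh
# Added example (not from the thread or from ISPConfig): report every top-level
# "key = value" setting of a custom master template that is missing or has a
# different value in the live dovecot.conf after an update. Only top-level
# lines are compared; "service ... { }" blocks are skipped, which covers the
# ssl_* and mail_* keys discussed in the thread.

tab=$(printf '\t')

# Print "key<TAB>value" for every top-level key = value line of a config file.
flat_settings() {
    sed -n "s/^\([a-z0-9_][a-z0-9_]*\)[[:space:]]*=[[:space:]]*\(.*\)\$/\1${tab}\2/p" "$1" \
        | sed 's/[[:space:]]*$//' | sort -u
}

# Usage: live_value FILE KEY  -> value of a top-level key (empty if absent).
live_value() {
    grep "^$2[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Usage: check_settings TEMPLATE LIVE
# Prints one line per problem ("MISSING key" or "CHANGED key: template -> live")
# and nothing at all when every template setting survived the update.
check_settings() {
    flat_settings "$1" | while IFS="$tab" read -r key want; do
        have=$(live_value "$2" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (template: %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'CHANGED %s: template "%s" -> live "%s"\n' "$key" "$want" "$have"
        fi
    done
}

# Constructed sample input mirroring the thread: the custom template with the
# hardened TLS settings, and dovecot.conf as it looked after the update.
TMPL=$(mktemp); LIVE=$(mktemp)
trap 'rm -f "$TMPL" "$LIVE"' EXIT
cat >"$TMPL" <<'EOF'
ssl = yes
ssl_cert = </etc/postfix/smtpd.cert
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 4096
mail_max_userip_connections = 500
EOF
cat >"$LIVE" <<'EOF'
ssl_cert = </etc/postfix/smtpd.cert
ssl_protocols = !SSLv3
mail_max_userip_connections = 100
protocol imap {
  mail_plugins = quota imap_quota
}
EOF

# Expected: 3 MISSING lines (ssl, ssl_prefer_server_ciphers, ssl_dh_parameters_length)
# and 2 CHANGED lines (ssl_protocols, mail_max_userip_connections); ssl_cert is fine.
check_settings "$TMPL" "$LIVE"
```

An empty report after ispconfig_update.sh means the template was applied completely; anything else is a setting to chase before restarting dovecot.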
@till, just to be sure, I installed the latest stable on a debian 9 server, and this is now the output of
# doveconf -n -P

Code:
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.9.0-6-amd64 x86_64 Debian 9.3
# Hostname: somedomain.tld
auth_mechanisms = plain login
disable_plaintext_auth = no
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
*** mail_max_userip_connections = 100 ***
mail_privileged_group = vmail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_plugins = sieve quota
  postmaster_address = [email protected]
}
protocol lmtp {
  mail_plugins = quota sieve
  postmaster_address = [email protected]
}

and I would like to override it, persistent after ispconfig updates, to:

Code:
auth_cache_size = 24 M
auth_cache_ttl = 18 hours
auth_mechanisms = plain login
disable_plaintext_auth = no
listen = *,[::]
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = mydomainname ready.
mail_fsync = never
mail_max_userip_connections = 500
mail_plugins = " fts fts_lucene"
mail_privileged_group = vmail
mail_temp_dir = /ramdsk/dovecot
mailbox_idle_check_interval = 59 secs
mailbox_list_index = yes
maildir_very_dirty_syncs = yes
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 60
  fts_index_timeout = 60
  fts_lucene = [email protected] normalize no_snowball
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
  process_min_avail = 6
  service_count = 64
  vsz_limit = 256 M
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  mail_fsync = optimized
  mail_plugins = sieve
  postmaster_address = [email protected]
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = sieve
  postmaster_address = [email protected]
}

How do I best do this? Since I don't see a template for dovecot.conf anywhere. My conf includes support for the CLucene plugin, which is -still- the fastest FTS search option for dovecot, despite them claiming otherwise. Lucene delivers the fastest search performance on my servers anyway..