ISPConfig3 + Bettercrypto - Dovecot problem

Discussion in 'Installation/Configuration' started by Rabenkind, Jan 12, 2018.

  1. Rabenkind

    Rabenkind Member

    Hi, this may be mentioned earlier but I have not been able to find it yet so please point me in the right direction if this is already solved...

    I have a Multiserver Setup with a dedicated Mailserver (Mostly following the perfect server setup: [1]) It is a Debian 9 with postfix/dovecot. Mail is working! Even with Let's Encrypt Certificate.

    I have tried to do some "better crypto" (bettercrypto.org) more specific I tried to disable TLSv1 and TLSv1.1 and prefer_server_settings. This should be done in /etc/dovecot/conf.d/10-ssl.conf
    Sadly 10-ssl.conf is completley ignored.

    When you follow the perfect server guide - right up to installing ISPConfig there is a line in the /etc/dovecot/dovecot.conf "!include conf.d/*.conf" which includes config files in conf.d/ like 10-ssl.conf. Is there a reason why ISPConfig-setup removes this line?

    It seemes the only solution for getting permanent better crypto for dovecot is this thread: [2]
    Since it is from 2014 is it still up to date?

    Thanks in advance.

    ### LINKS ###
    Apparently I am not allowed to post links. Sorry you have to look them up yourselves.
    [1] Howtoforge tutorial: perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1
    [2] Old Thread (2014) custom-dovecot-settings.65438

    ### DISCLAIMER ###
    If you use the bettercrypto-guide with an up-to date openssl and Debian9 like I did: Don't disable SSLv2 by editing the /etc/dovecot/dovecot.conf with "ssl_protocols = !SSLv3 !SSLv2" this will cause dovecot to fail (have a look at the syslog) because SSLv2 is removed in Openssl and dovecot Versions >2 do not ignore unknown configuration parameters. (For me the only symptom was my client not logging in anymore)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the wrong file. You have to add this in dovecot.conf. And to make your changes update safe, copy the dovecot conf master template from install/tpl/ folder of the folder /usr/local/ispconfig/server/conf-custom/install/ and implement it there too.
     
  3. Rabenkind

    Rabenkind Member

    Hi, thank you for the quick response. I will try that and respond back.

    Will adding the line: "!include conf.d/10-ssl.conf" break anything of ISPConfig's implementation? I could simply post all the things i need to /etc/dovecot/dovecot.conf but that sounds like the same thing to me (exept with the updates) - I wonder why this line got removed in the fist place.

    I will also add my voice to the feature request form 2014 (in the other thread)
    unfortunately /etc/dovecot/conf.d/10-ssl.conf seemes to be the most important file for SSL according to the dovecot documentation.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Because ISPConfig would have to delete and replace all these files on installation and update then to ensure that the setup remains consistent or in other words: if we would use such third party includes without cleaning them, a lot of installs will fail.

    The file /etc/dovecot/conf.d/10-ssl.conf does not matter as ISPConfig does not use a split config and ssl settings do not care about the name of the file they are added to. If you want to define settings beside the ones that are already in the devoceot.conf on a ISPConfig server, then use the approach I explained in the post above.
     
  5. Rabenkind

    Rabenkind Member

    Understood. I agree it is easier to manage one config file instead of hundreds. but your template is mostly a concatination of some old config files (wich are now split in conf.d/*.conf) and the old files wich you are not using are still there - so maybe one could remove them in a cleaning process?

    I only disagree on the point that future security updates will probably happen in those files you are not using (Standard on most Linux/unix systems) so you need to update the template nontheless. (You also could integrate the proper way to make changes in the /etc/dovecot/dovecot.conf) ... yes I know ... feature request ... ;)
     
  6. Rabenkind

    Rabenkind Member

    so, Reporting back:

    I took the file from the install/tpl/ with the version 3.1.10 (debian_dovecot.conf.master) sadly it does not match the current /etc/dovecot/dovecot.conf file (even without my changes)

    So I took the /etc/dovecot/dovecot.conf file and made my changes there then I copied it to /usr/local/ispconfig/server/conf-custom/install/dovecot.conf. This folder also contains an empty.dir (File for ISPConfig). I suppose I should delete that? (I will update to 3.1.11 soon so I would like to know that beforehand.)

    I am halfway done writing a script to concatenate the template and the 10-ssl.conf but since the template looks differently than my dovecot.conf I gave up. I could continue and give it back here - provided someone explains to me which file to trust...
     
  7. Rabenkind

    Rabenkind Member

    Problem with Updateing:

    my custom files wich I have created in /usr/local/ispconfig/server/conf-custom/install/ get ignored.
    The empty.dir gets restored on update. I wonder how ispconfig would know where to put those files because they belong in different folders. Maybe someone can explain it to me here?

    My problem in detail:

    I changed 3 files in order to get my mailserver working with better crypto (I did not find any better way to do it). Those are
    /etc/dovecot/dovecot.conf
    /etc/postfix/main.cf
    /etc/postfix/master.cf
    Also I deleted the file in /var/lib/dovecot/ssl-parameters.dat and restarted dovecot to re-generate the file. (Actually I restarted dovecot and postfix for the changes to work)

    I did a backup of those files and those exact files are also in the folder /usr/local/ispconfig/server/conf-custom/install/. Here are md5sums of them before the update.

    2b70b4d0f62e0adf8c1dacf6e876aaf6 dovecot.conf
    110e89d3c9163022563dccbee4565d4d main.cf
    680339a870e54c2f8f97cafef4876384 master.cf

    After the update some of the files on their destination changed. And they do not contain the updates I made.

    58d5088321ca86dada0326528ce8a9a1 /etc/dovecot/dovecot.conf
    9a2ca26436ac428067e24cf5867dfd94 /etc/postfix/main.cf
    680339a870e54c2f8f97cafef4876384 /etc/postfix/master.cf

    only the master.cf remains untouched. But that could be coincidence. (I did the update from 3.1.10 to 3.1.11)

    Solution:

    I wrote a script that replaces the updated files to the files I backuped. (This may not be the best solution but the only one I found working) You may notice I also backupped the /var/lib/dovecot/ssl-parameters.dat because I did not want to wait untill it is re-created.

    ---
    #!/bin/bash

    # script to fix postfix and dovecot after ispconfig update
    # when you have to implement custom config

    # re-copy dovecot.conf
    cp /path/to/backup/dovecot.conf /etc/dovecot/dovecot.conf

    # re-copy main.cf and master.cf
    # okay master.cf is just a precaution....
    cp /path/to/backup/main.cf /etc/postfix/main.cf
    cp /path/to/backup/master.cf /etc/postfix/master.cf

    # remove file for re-creating DHE parameters
    # also just a precaution ... don't know if ISPconfig changes anything here.
    #rm /var/lib/dovecot/ssl-parameters.dat
    #rm /var/lib/dovecot/ssl-parameters.dat.tmp
    # OR
    # replace file for re-creating DH parameters with existing one
    # to have less downtime when updating
    cp /path/to/backup/ssl-parameters.dat /var/lib/dovecot/
    # also restarting dovecot on ISPConfig update may have created a ssl-parameters.dat.tmp
    rm /var/lib/dovecot/ssl-parameters.dat.tmp

    # restart postfix and dovecot
    service postfix restart
    service dovecot restart

    echo Done. Do check services please.
    ---
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the reason for your problem. You copied your manually changed files there but you should have copied the master files from ispconfig tar.gz install/tpl/ folder there and implement your changes in the master files.
     
  9. Rabenkind

    Rabenkind Member

    The master files in install/tpl/ differ strongly from the actual files written by the update! Where do those changes come from?

    the debian_dovecot2.conf.master contains the following lines the running configuration does not:

    < postmaster_address = [email protected]
    < postmaster_address = [email protected]
    < postmaster_address = [email protected]
    < mail_plugins = $mail_plugins quota

    in the /etc/dovecot/dovecot.conf the following lines are different from the debian_dovecot2.conf.master
    (in addition to my changes.)

    > postmaster_address = [email protected]
    > postmaster_address = [email protected]

    the debian_postfix.conf.master differs from /etc/postfix/main.cf even more!

    So what you actually mean is I should change my files in usr/local/ispconfig/server/conf-custom/install/ to be named

    debian_dovecot2.conf.master - instead of dovecot.conf
    debian_postfix.conf.master - instead of main.cf

    yes?
     
  10. Rabenkind

    Rabenkind Member

    Dear Till,

    I did some debugging using the recommended files from install/tpl/ copied to /usr/local/ispconfig/server/conf-custom/install/ and changed them according to my needs.

    while updating the following happens:

    at /etc/postfix/main.cf only the parameters previously defined get replaced
    at /etc/dovecot/dovecot.conf the parameters previously defined get replaced and the parameters previously not defined get flushed.

    I suppose this behavior is because of the tpl_ini.inc.php where it says:
    'UNKNOWNS' => 'ignore',

    although my line in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master reads as this:

    ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

    it is changed to

    ssl_protocols = !SSLv3

    in /etc/dovecot/dovecot.conf. I am not really sure why. In the installer_base.lib.php it says

    // Dovecot > 2.2 does not recognize !SSLv2 anymore on Debian 9
    replaceLine($config_dir.'/'.$configfile, 'ssl_protocols = !SSLv2 !SSLv3', 'ssl_protocols = !SSLv3', 1, 0);

    so I am pretty sure it should not even touch this line...

    on the upside: the postmaster address get set here too ...

    also when I change other things in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master like mail_max_userip_connections = 500 it reads after update in /etc/dovecot/dovecot.conf mail_max_userip_connections = 100

    also other defined functions are not there after update like:

    ssl = yes
    ssl_prefer_server_ciphers = yes
    ssl_dh_parameters_length = 4096
    ssl_options = no_compression

    those lines simply get purged. I cannot find the according functions in your scripts beside the ones already mentioned. Maybe I missed something? Maybe it is a bug?

    additional lines in the postfix-configuration remain there even after the update. But I did not look into this farther...

    I also tried the installer_base.lib.php to write some debugging output, but it simply didn't. Adding something undefined to the php brought the update to crash so I am pretty sure I got the right file - and that the file get's called at some point.

    So far only the workaround I posted earlier seems to be working.

    ### EDIT ###
    The files need to be named debian_dovecot2.conf.master and debian_postfix.conf.master in the /usr/local/ispconfig/server/conf-custom/install/ and not differently.
     
    Last edited: Feb 2, 2018
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The dovecot file gets replaced completely, based on the master file. This works fine here and I can alter whatever I want and it is exactly like this in the resulting dovecot.conf file. Just copied the master file to the folder and altered it. The main.cf update works differently, the update is applied with postconf, so only the lines defined in the file get altered.
     
  12. Rabenkind

    Rabenkind Member

    re-tested. no difference.

    re-downloaded the Update: (md5sum)
    a13608c0c8c51e4e464b099765edf0d2 ISPConfig-3.1.11.tar.gz

    unpacked it into /tmp
    copied "fresh" /tmp/ispconfig3_install/install/tpl/debian_dovecot2.conf.master to /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master

    changed the following lines in /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master

    ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
    mail_max_userip_connections = 500

    forced the update with /tmp/ispconfig3_install/install# php -q update.php

    and then looked into the /etc/dovecot/dovecot.conf

    ssl_protocols = !SSLv3
    mail_max_userip_connections = 100

    so - no difference

    also - just for testing - copied the newly changed /usr/local/ispconfig/server/conf-custom/install/debian_dovecot2.conf.master to /tmp/ispconfig3_install/install/tpl/

    and then did /tmp/ispconfig3_install/install# php -q update.php

    but still /etc/dovecot/dovecot.conf looks like

    ssl_protocols = !SSLv3
    mail_max_userip_connections = 100

    any ideas?
    am I doing something wrong?
     
  13. Rabenkind

    Rabenkind Member

    How wold someone apply changes in the main.cf permanently in ISPConfig?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    In main.cf directly when it's a setting that is not handled by ispconfig, otherwise in the postfix master template.
     
  15. Rabenkind

    Rabenkind Member

    If I put "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" in the master template it gets replaced anyways. I guess I will stay with my replacement-script for a while.

    I am just configuring two additional mailservers in this multiserver setup - if the changes in the master template work there i will redo this machine.

    concering the workflow I am sticking to the perfect server guide and the ISPConfig manual (although the manual is for an old version)
     
  16. Rabenkind

    Rabenkind Member

    Dear Till,
    I did a fresh installation of Debian on another server and a fresh installation of ISPConfig 3.1.11.
    I copied the master file to the location, I can alter whatever I want but dovecot still defaults back to your settings.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll check that. it might be that only tls settings get overwritten.
     
  18. Rabenkind

    Rabenkind Member

    any news on this topic?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    There was just an issue with ssl_protocols overriding as we had to modify the line due to a quite bad change of dovecot, instead of ignoring the SSLv2 option in newer versions that don't support that protocol anymore dovecot does a hard fail and as we support a bunch of versions, we had to modify the line automatically during setup. But that has been fixed already, the other things work fine and I was able to override them during update without any issues from the beginning.

    Example on Debian 9:

    cd /tmp
    wget https://ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz
    tar xfz ISPConfig-3.1.11.tar.gz
    cp ispconfig3_install/install/tpl/debian6_dovecot2.conf.master /usr/local/ispconfig/server/conf-custom/install/
    vi /usr/local/ispconfig/server/conf-custom/install/debian6_dovecot2.conf.master
    and set:
    mail_max_userip_connections = 500

    [email protected]:/tmp# grep mail_max_userip_connections /usr/local/ispconfig/server/conf-custom/install/debian6_dovecot2.conf.master
    mail_max_userip_connections = 500

    [email protected]:/tmp# grep mail_max_userip_connections /etc/dovecot/dovecot.conf
    mail_max_userip_connections = 100

    ispconfig_update.sh

    [email protected]:/tmp# grep mail_max_userip_connections /etc/dovecot/dovecot.conf
    mail_max_userip_connections = 500
     
  20. Loveless

    Loveless Member

    @till, just to be sure, I installed the latest stable on a debian 9 server, and this is now the output of # doveconf -n -P
    Code:
    # 2.2.34 (874deae): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.4.22 (22940fb7)
    # OS: Linux 4.9.0-6-amd64 x86_64 Debian 9.3
    # Hostname: somedomain.tld
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    listen = *,[::]
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    *** mail_max_userip_connections = 100 ***
    mail_privileged_group = vmail
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve = /var/vmail/%d/%n/.sieve
      sieve_max_redirects = 25
    }
    protocols = imap pop3
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service imap-login {
      client_limit = 1000
      process_limit = 512
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    protocol imap {
      mail_plugins = quota imap_quota
    }
    protocol pop3 {
      mail_plugins = quota
      pop3_uidl_format = %08Xu%08Xv
    }
    protocol lda {
      mail_plugins = sieve quota
      postmaster_address = [email protected]
    }
    protocol lmtp {
      mail_plugins = quota sieve
      postmaster_address = [email protected]
    }
    
    and I would like to override it, persistent after ispconfig updates, to:
    Code:
    auth_cache_size = 24 M
    auth_cache_ttl = 18 hours
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    listen = *,[::]
    log_path = /var/log/dovecot.log
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    login_greeting = mydomainname ready.
    mail_fsync = never
    mail_max_userip_connections = 500
    mail_plugins = " fts fts_lucene"
    mail_privileged_group = vmail
    mail_temp_dir = /ramdsk/dovecot
    mailbox_idle_check_interval = 59 secs
    mailbox_list_index = yes
    maildir_very_dirty_syncs = yes
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      fts = lucene
      fts_autoindex = yes
      fts_autoindex_max_recent_msgs = 60
      fts_index_timeout = 60
      fts_lucene = [email protected] normalize no_snowball
      sieve = /var/vmail/%d/%n/.sieve
      sieve_max_redirects = 25
    }
    protocols = imap pop3
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service imap-login {
      client_limit = 1000
      process_limit = 512
      process_min_avail = 6
      service_count = 64
      vsz_limit = 256 M
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
    }
    protocol lda {
      mail_fsync = optimized
      mail_plugins = sieve
      postmaster_address = [email protected]
    }
    protocol lmtp {
      mail_fsync = optimized
      mail_plugins = sieve
      postmaster_address = [email protected]
    }
    
    How do I best do this? Since I don't see a template for dovecot.conf anywhere.
    My conf includes support for CLucene plugin, which is -still- the fastest FTS search option for dovecot, despite them claiming otherwise. Lucene delivers the fastest search performance on my servers anyway..
     
    Last edited: Mar 6, 2018

Share This Page