Bug 226323

Summary: mail/dovecot: login crashes with libressl 2.6.4 because of "ssl_protocols = !SSLv2" default config
Product: Ports & Packages
Reporter: Michael Büker <freebsd>
Component: Individual Port(s)
Assignee: Adam Weinberger <adamw>
Status: Closed Overcome By Events
Severity: Affects Only Me
CC: freebsd
Priority: ---
Flags: bugzilla: maintainer-feedback? (adamw)
Version: Latest
Hardware: Any
OS: Any

Description Michael Büker 2018-03-03 11:43:38 UTC
After the 28.02.2018 update of dovecot, I saw errors in maillog and was unable to log in:

Mar  1 09:21:21 server roundcube: IMAP Error: Login failed for XXX from XXX. Failed to send LOGIN command in /var/www/rc/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=mail&_action=refresh) 
Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2' 
Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2' 
Mar  1 09:21:22 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs 
Mar  1 09:21:30 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2' 
Mar  1 09:21:30 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 4 secs 

I traced the problem to this report, which talks about the default config option "ssl_protocols = !SSLv2", which fails if SSL has dropped all support for SSLv2: https://dovecot.org/list/dovecot/2016-November/106114.html

On my system, surprisingly, I found that "ssl_protocols = !SSLv2" is really in the default config:

# doveconf -d ssl_protocols
ssl_protocols = !SSLv2 !SSLv3

So I followed the workaround advice of overriding the default in 10-ssl.conf:

# doveconf ssl_protocols
ssl_protocols = !SSLv3

In conclusion, since LibreSSL 2.6.4 dropped all support for SSLv2, but dovecot includes "ssl_protocols = !SSLv2" as a default config option, these errors occur when logging in.
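
Added example (not part of the original report, and not Dovecot or FreeBSD ports code): a small triage script that finds the fatal error quoted above in maillog and derives the override the reporter applied. The function names are hypothetical, the log format is assumed to be exactly as quoted in the report, and the token handling is a simplification, not Dovecot's own parser.

```python
import re

# Fatal error logged by dovecot's login processes, in the form quoted in the report.
FATAL_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+): Fatal: Unknown ssl_protocols setting: "
    r"Unrecognized protocol '(?P<proto>[^']+)'"
)

# Sample input: log lines and the default value copied from the report above.
SAMPLE_MAILLOG = """\
Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
Mar  1 09:21:22 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
Mar  1 09:21:30 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
"""
SAMPLE_DEFAULT = "ssl_protocols = !SSLv2 !SSLv3"


def rejected_protocols(maillog):
    """Map each protocol name the SSL library rejected to the services that died on it."""
    hits = {}
    for line in maillog.splitlines():
        m = FATAL_RE.search(line)
        if m:
            hits.setdefault(m["proto"], set()).add(m["service"])
    return hits


def suggest_override(setting_line, rejected):
    """Return the setting with every token naming a rejected protocol removed."""
    key, _, value = setting_line.partition("=")
    if key.strip() != "ssl_protocols":
        raise ValueError("not an ssl_protocols line: %r" % setting_line)
    drop = {p.lower() for p in rejected}
    # Tokens may carry a leading '!' (negation), as in the default shown in the report.
    kept = [t for t in value.split() if t.lstrip("!").lower() not in drop]
    if not kept:
        # Nothing left to write: the admin has to pick a value explicitly.
        raise ValueError("no protocol tokens left; set ssl_protocols by hand")
    return "ssl_protocols = " + " ".join(kept)


if __name__ == "__main__":
    found = rejected_protocols(SAMPLE_MAILLOG)
    for proto, services in sorted(found.items()):
        print(f"{proto} rejected by the SSL library in: {', '.join(sorted(services))}")
    print("override for 10-ssl.conf:", suggest_override(SAMPLE_DEFAULT, found))
```

On a live system the two inputs would come from the maillog file and from `doveconf -d ssl_protocols`; the suggested line goes into 10-ssl.conf as described in the report.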

Comment 1 Michael Büker 2018-03-03 11:47:57 UTC
(In reply to Michael Bueker from comment #0)

To clarify, my dovecot port (version 2.2.34) is linked to the libressl port (version 2.6.4) because of a make.conf entry:
DEFAULT_VERSIONS+=ssl=libressl

Comment 2 Adam Weinberger freebsd_committer freebsd_triage 2018-03-03 15:38:58 UTC
Hi Michael,

Thanks for writing up this PR.

I'm waiting for 2.3.1 to be released later this month before committing the 2.3 branch. The new 2.3 branch only supports TLS, which will obviate any message concerning this problem.

I'm closing this PR only because a proper fix is coming (the 2.3.1 update) separately.

Just as a reminder, the 2.3 branch includes many changes to the conf files (including such things as dropping SSL support!), so please update your conf files before firing up 2.3.1 when it lands.

Comment 3 Michael Büker 2018-03-03 17:58:49 UTC
Thanks for your explanation, Adam! I'm okay with your resolution. Do you happen to have a link with a summary of changes in configuration? Maybe you could add that to the commit information, also.

Comment 4 Michael Büker 2018-03-03 18:03:59 UTC
Answering my own question: https://wiki2.dovecot.org/Upgrading/2.3