
Dovecot updated to version 2.3.8 and started to show this warning. I have no clue what this means and how to get rid of it. Using CentOS 8.

Log file has this:

Jun 30 16:28:42 bluesky.bluesky.com systemd[1]: Started Dovecot IMAP/POP3 email server.
Jun 30 16:28:42 bluesky.bluesky.com dovecot[972224]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Jun 30 16:28:42 bluesky.bluesky.com dovecot[972224]: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:60: ssl_protocols has been replaced by ssl_min_protocol

1 Answer

From time to time, software authors will change the way their product is configured. In this case the authors of Dovecot have replaced the configuration option ssl_protocols with a new option ssl_min_protocol. This is documented here: https://wiki2.dovecot.org/Upgrading/2.3

This warning is telling you that your own configuration is still using the old ssl_protocols option in the configuration file /etc/dovecot/conf.d/10-ssl.conf on line 60. More precisely it means that line 60 of that configuration file now does nothing and you should consider fixing it.


Overview of how to fix this

SSL is used to encrypt POP3 and IMAP communication with your Dovecot server. Some old versions of SSL and TLS had severe security problems (See here). The purpose of both the old ssl_protocols option and new ssl_min_protocol is to prevent Dovecot from being tricked into using old and insecure versions of SSL.

The default is TLSv1 meaning TLS v 1.0. This isn't terrible because it's supported by almost every client. If you raise the minimum you might theoretically make it more secure but theoretically stop old email clients from connecting.

At this time (30 Jun 2020) TLSv1.2 is very well supported. So much so that, in webservers, cloudflare have begun to deprecate lower versions (See here).

With the new configuration:

  • If you wish to disable TLS v 1.0 then set:

    ssl_min_protocol=TLSv1.1
    
  • If you wish to disable TLS v 1.1 as well then set

    ssl_min_protocol=TLSv1.2
    

Action you should take when you see this warning

  1. Remove the old line from your configuration file starting:

    ssl_protocols = ...
    
  2. Decide which minimum protocol is right for you. The default might be okay, but that is your choice.

  3. If the default is not okay for you then add a line to replace the old one such as:

    ssl_min_protocol = TLSv1.2
    
  4. Go through your usual change control process. E.g.: Test the configuration with multiple email clients. Notify your users of the change and ask for problems to be reported.
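Steps 1 and 3 of the answer, as an added shell example that is not part of the original answer or of Dovecot itself. It assumes the config file uses Dovecot's one-setting-per-line `key = value` syntax, takes the file path and the chosen minimum protocol as arguments, comments out any active `ssl_protocols` line rather than deleting it (so the old value stays visible for review), and sets `ssl_min_protocol`. The sample configuration embedded in `make_sample_conf` is constructed for the demonstration and is not the asker's real `10-ssl.conf`.

```shell
#!/bin/sh
# Migrate an obsolete Dovecot 2.3 "ssl_protocols" setting to "ssl_min_protocol".
# Added example (hypothetical helper names); not part of the original answer.

# Print the value of a "key = value" setting (last occurrence wins, as in
# Dovecot); prints nothing when the key is absent or only present in a comment.
dovecot_get() {
  _file="$1"; _key="$2"
  sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*//p" "$_file" | tail -n 1
}

# Return 0 when no active ssl_protocols line remains and ssl_min_protocol is set.
check_migrated() {
  ! grep -q "^[[:space:]]*ssl_protocols[[:space:]]*=" "$1" \
    && [ -n "$(dovecot_get "$1" ssl_min_protocol)" ]
}

# Arguments: <config file> <minimum protocol: TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3>
migrate_ssl_protocols() {
  _file="$1"; _min="$2"
  case "$_min" in
    TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
    *) echo "unsupported minimum protocol: $_min" >&2; return 1 ;;
  esac
  _tmp1="$(mktemp)" || return 1
  _tmp2="$(mktemp)" || return 1
  # Step 1: neutralise the obsolete line by turning it into a comment.
  sed "s/^\([[:space:]]*\)\(ssl_protocols[[:space:]]*=.*\)$/\1# obsolete, replaced by ssl_min_protocol: \2/" \
    "$_file" > "$_tmp1"
  # Step 3: replace an existing ssl_min_protocol line, or append one.
  if grep -q "^[[:space:]]*ssl_min_protocol[[:space:]]*=" "$_tmp1"; then
    sed "s/^[[:space:]]*ssl_min_protocol[[:space:]]*=.*$/ssl_min_protocol = ${_min}/" \
      "$_tmp1" > "$_tmp2"
  else
    { cat "$_tmp1"; printf 'ssl_min_protocol = %s\n' "$_min"; } > "$_tmp2"
  fi
  # Write back in place so ownership and permissions of the original are kept.
  cat "$_tmp2" > "$_file"
  rm -f "$_tmp1" "$_tmp2"
}

# Constructed sample standing in for /etc/dovecot/conf.d/10-ssl.conf
# (the 2.2-style exclusion list is what Dovecot 2.3 now warns about).
make_sample_conf() {
  _f="$(mktemp)" || return 1
  cat > "$_f" <<'EOF'
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# Old 2.2-style exclusion list; obsolete in 2.3
ssl_protocols = !SSLv3 !TLSv1
EOF
  echo "$_f"
}
```

On a real server you would run `migrate_ssl_protocols /etc/dovecot/conf.d/10-ssl.conf TLSv1.2` (after backing the file up), then `doveconf -n` to confirm the warning is gone and the effective `ssl_min_protocol` is the one you intended, before restarting Dovecot as step 4 of the answer describes.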
