- [x] I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [x] I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [x] I have understood that answers are voluntary and community-driven, and not commercial support.
- [x] I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
Hi,
The Alpine container and the OpenSSL version it ships, as used for Dovecot, do not support TLS versions lower than TLSv1.2 by default: https://debugpointnews.com/alpine-linux-3-17/
This means that setting `ssl_min_protocol` as described in the [manual](https://docs.mailcow.email/manual-guides/u_e-reeanble-weak-protocols/) also does not work.
The patch for openssl.cnf in [this post](https://github.com/nginxinc/docker-nginx/issues/743#issuecomment-1491683964) makes older TLS versions work again:
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -52,13 +52,6 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+CipherString = DEFAULT@SECLEVEL=0
# List of providers to load
[provider_sect]
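Review bot: `CipherString = DEFAULT@SECLEVEL=0` in `[system_default_sect]` lowers the security level for every OpenSSL 3 consumer that loads this openssl.cnf inside the container, not only Dovecot's IMAP listener, so the change should be documented as a container-wide downgrade (and be reverted once the legacy clients are gone) rather than presented as a per-service setting. The `@@ -52,13 +52,6 @@` header also does not match the body: four context lines plus seven added lines give `-52,4 +52,11`, so the hunk as pasted will not apply with `git apply` or `patch` and has to be edited in by hand.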
### Logs:
```text
$ openssl s_client -connect my_mailserver:993 -tls1 -cipher "DEFAULT:@SECLEVEL=0"
Connecting to 123.4.5.6
CONNECTED(00000003)
40D708911B7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:645:
```
### Steps to reproduce:
1. Set `ssl_min_protocol = TLSv1` in data/conf/dovecot/extra.conf
2. Use `openssl s_client -connect my_mailserver:993 -tls1 -cipher "DEFAULT:@SECLEVEL=0"` to see a failed connection attempt
3. Apply the patch for openssl.cnf (can be done in a running container, no restart needed)
4. Use the openssl s_client command again to see a working connection
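As an added check (example code written for this report, not part of mailcow, Dovecot or the original post): a small Python audit that follows the openssl.cnf chain the patch creates (`openssl_conf` -> `ssl_conf` -> `system_default` -> `CipherString`) and reports the effective OpenSSL security level, which is what actually decides whether TLS 1.0/1.1 can be negotiated. The two embedded configs are constructed excerpts, not the image's real file.

```python
import re

# Constructed excerpt of a stock OpenSSL 3 openssl.cnf (not the file from the mailcow image).
STOCK_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
"""
# The same excerpt with the ssl_conf chain from the patch in this issue applied.
PATCHED_CNF = STOCK_CNF.replace("providers = provider_sect", """providers = provider_sect
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0""")

def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Minimal reader for OpenSSL's INI-like config ([section] headers, key = value lines).
    Comments and .include lines are skipped; keys above the first header go to 'default'."""
    sections: dict[str, dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def effective_seclevel(text: str) -> int:
    """Follow openssl_conf -> ssl_conf -> system_default -> CipherString and return the
    @SECLEVEL it sets. Without that chain OpenSSL 3 runs at level 1, where TLS 1.0/1.1
    are refused because their SHA1/MD5-based handshake signatures fall below the level."""
    cfg = parse_cnf(text)
    init = cfg.get(cfg["default"].get("openssl_conf", "openssl_init"), {})
    ssl_sect = cfg.get(init.get("ssl_conf", ""), {})
    defaults = cfg.get(ssl_sect.get("system_default", ""), {})
    found = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    return int(found.group(1)) if found else 1

def legacy_tls_possible(text: str) -> bool:
    """True only at level 0; above it OpenSSL refuses TLS 1.0/1.1 whatever ssl_min_protocol says."""
    return effective_seclevel(text) == 0
```

Running it against a container's /etc/ssl/openssl.cnf shows at a glance whether the image is still at the stock level 1 (Dovecot's `ssl_min_protocol` has no effect) or has been lowered to level 0.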
### Environment

| Field | Value |
|---|---|
| Which branch are you using? | master |
| Which architecture are you using? | x86 |
| Operating System | Ubuntu 22.04 LTS |
| Server/VM specifications | 4GB Ram, 4 CPUs |
| Is Apparmor, SELinux or similar active? | no |
| Virtualization technology | KVM |
| Docker version | 24.0.5 |
| docker-compose version or docker compose version | v2.26.1 |
| mailcow version | 2024-04 |
| Reverse proxy | caddy |