Dovecot.conf feedback

CentOS Linux 7.8.2003
Webmin 1.954
Usermin 1.803
Virtualmin 6.11
Authentic theme 19.53-2

I’m conscious that I might be repeating existing posts, and I know there has been some work done on this, but I thought I would give my feedback having applied the latest updates, in case anything still needs to be sorted.

Updated to the above versions last night. Because there was also a certbot update, I then did an SSL renew to make sure all was working.

Checked my email client this morning; it seemed Dovecot was down, due to a missing bracket:

local_name www.mysystemdomain.com {
ssl_cert = </home/mysystemdomain/ssl.cert
ssl_cert = </home/mysystemdomain/ssl.combined
ssl_key = </home/mysystemdomain/ssl.key
} [this was missing]
local_name anotherdomain.com {
ssl_cert = </home/anotherdomain/ssl.combined
ssl_key = </home/anotherdomain/ssl.key
}

I then renewed the cert again to make sure the dovecot.conf edit stuck. It seemed to, and now results in:

local_name www.mysystemdomain.com {
ssl_cert = </home/mysystemdomain/ssl.combined
ssl_cert = </home/mysystemdomain/ssl.combined
ssl_key = </home/mysystemdomain/ssl.key
}
local_name anotherdomain.com {
ssl_cert = </home/anotherdomain/ssl.combined
ssl_key = </home/anotherdomain/ssl.key
}

There’s a duplicate ssl.combined line. But all seems to be working.

Hi,

… just to be clear: all of this (missing curly bracket) happened for you with Webmin 1.954 and Virtualmin 6.11? If so, are you sure about that? And if so, is there a way to share the dovecot.conf file as it was prior to calling the Let's Encrypt renewal?

Yes, it was with wmin 1.954 and vmin 6.11. I’ll roll back and repeat the steps to make doubly sure, and I’ll post the before and after conf files.

Ok, steps were:

  1. updated to webmin 1.954 & virtualmin 6.11
    updates applied:
    certbot
    clamav
    fail2ban
    python
    usermin
    virtualmin-config
    wbm-*
    webmin

Dovecot server working

  2. renewed LE cert for mysystemdomain.com
    requested certificate for:
    mysystemdomain.com
    mail.mysystemdomain.com
    www.mysystemdomain.com
    server1.mysystemdomain.com

Dovecot server stopped and could not restart

dovecot.conf - after updating Webmin & Virtualmin but before the LE cert request:

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
local_name mail.mysystemdomain.com {
  ssl_cert = </home/mysystemdomain/ssl.cert
  ssl_key = </home/mysystemdomain/ssl.key
}
local_name mysystemdomain.com {
ssl_cert = </home/mysystemdomain/ssl.cert
ssl_key = </home/mysystemdomain/ssl.key
  ssl_ca = </home/mysystemdomain/ssl.ca
}
local_name www.mysystemdomain.com {
ssl_cert = </home/mysystemdomain/ssl.cert
ssl_key = </home/mysystemdomain/ssl.key
  ssl_ca = </home/mysystemdomain/ssl.ca
}
local_name anotherdomain.com {
ssl_cert = </home/anotherdomain/ssl.cert
ssl_key = </home/anotherdomain/ssl.key
}
...4500 more lines with domains/aliases/subdomains

dovecot.conf - after updating Webmin & Virtualmin and after the subsequent LE cert request:

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
local_name mail.mysystemdomain.com {
  ssl_cert = </home/mysystemdomain/ssl.combined
  ssl_key = </home/mysystemdomain/ssl.key
}
local_name mysystemdomain.com {
  ssl_cert = </home/mysystemdomain/ssl.combined
  ssl_key = </home/mysystemdomain/ssl.key
}
local_name www.mysystemdomain.com {
ssl_cert = </home/mysystemdomain/ssl.cert
  ssl_cert = </home/mysystemdomain/ssl.combined
  ssl_key = </home/mysystemdomain/ssl.key
local_name anotherdomain.com {
ssl_cert = </home/anotherdomain/ssl.cert
ssl_key = </home/anotherdomain/ssl.key
}
...4500 more lines with domains/aliases/subdomains

As I said before, I added the missing bracket and Dovecot restarted.

Now that I’ve posted this, I do remember @Joe mentioning something somewhere about extraneous ssl_ca lines in the conf file; perhaps those were causing the problem.

100% the OP is correct.
Virtualmin did the exact same thing on my system for a single domain.
The missing closing bracket took out my entire mail server for every domain on my system.

I had to manually add it back in again. As soon as the missing closing bracket for that single domain was re-added, everything started working again and emails were delivered.

I’m pretty pissed off about it and starting to really get fed up with the instability of email with Virtualmin. It’s not good enough for a production system. My clients are now so paranoid, they are blaming me for everything… one, even when he forgets to renew his own domain name at his own registrar, grumbles that I did it. Another uses a VPN which screws up email deliverability to his email client every time he forgets to turn it off… he now sends me letters complaining I’m causing the trouble. We had a Telstra DNS outage Australia-wide on Sunday… clients were even blaming me for that! I can’t offer services that are unstable… it causes chaos.

If this is happening on Virtualmin 6.11, then it’s no good. :slightly_frowning_face: I will have to take a super close look in this then. I will update this ticket within few days, when I find something.

Same thing here today, with update applied.

“Example1.com” was the domain receiving the SSL update.

local_name example1.com {
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
}
local_name www.example1.com {
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
}
local_name mail.example1.com {
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
}
local_name example1.com {
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
}
local_name www.example1.com {
  ssl_cert = </home/example1/ssl.cert
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
local_name mail.example1.com {
  ssl_cert = </home/example1/ssl.cert
  ssl_key = </home/example1/ssl.key
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
  ssl_cert = </home/example2/domains/mike.example2.com/ssl.combined
  ssl_key = </home/example2/domains/mike.example2.com/ssl.key
}

Richard

There also were superfluous, but correct, duplicate entries below that for “example2.com.” Basically the entire entries repeated. I’ve learned these past few weeks that Dove is tolerant of duplicates as long as they are syntactically correct.

Richard

Okay, guys, if you request Lets Encrypt certificate manually, does it happen (breaks Dovecot configs) the same way then?

Yes. Manually updated SSL for irewiredmytrailer.com.

Result:

local_name irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
}
local_name www.irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
}
local_name mail.irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
}
local_name irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
}
local_name www.irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.cert
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
local_name mail.irewiredmytrailer.com {
  ssl_cert = </home/irewiredmytrailer/ssl.cert
  ssl_key = </home/irewiredmytrailer/ssl.key
  ssl_cert = </home/irewiredmytrailer/ssl.combined
  ssl_key = </home/irewiredmytrailer/ssl.key
  ssl_cert = </home/rjmweb/ssl.combined
  ssl_key = </home/rjmweb/ssl.key
}
local_name *.rjmweb.com {
  ssl_cert = </home/rjmweb/ssl.combined
  ssl_key = </home/rjmweb/ssl.key
}

Richard

Okay, to narrow down the problem: if, before manually requesting certificates, you edit the dovecot.conf file and remove all duplicates, only leaving ssl_cert and ssl_key, will it still happen?

No, didn’t break anything that way.

Manually updated SSL for motoroilbasics.com. Output to dovecot.conf:

local_name motoroilbasics.com {
  ssl_cert = </home/tribologist/ssl.combined
  ssl_key = </home/tribologist/ssl.key
}
local_name www.motoroilbasics.com {
  ssl_cert = </home/tribologist/ssl.combined
  ssl_key = </home/tribologist/ssl.key
}
local_name mail.motoroilbasics.com {
  ssl_cert = </home/tribologist/ssl.combined
  ssl_key = </home/tribologist/ssl.key
}

Richard

So, the issue happens when there are duplicate entries —great finding. Okay, one more thing: if you apply this patch, restart Webmin with /etc/webmin/restart, and then take that old config with duplicate entries and re-request the certificate over again, will you still have the initial problem with the missing curly bracket, or after the patch will it produce a working config? And what does the config look like now?

I’ll have to check whether I have any backups with the dupe entries. I usually only back up good stuff. Broken stuff, not so much.

Give me a few minutes.

Also, what is the path to that file in the patch? I can’t find it.

Richard

EDIT: Never mind. I found it.

/etc/dovecot/dovecot.conf

No the one for the patch was /usr/libexec/webmin/virtual-server/feature-ssl.pl


Okay, with the patch to feature-ssl.pl applied, and with the duplicate entries having been reinserted into dovecot.conf, manually renewing the cert did not remove the dupe entries, but also didn’t cause the problem with the missing closing bracket.

So in other words, there were no errors in dovecot.conf except the dupes that were already there, and Dove was able to restart successfully.

Richard

Great, very helpful. We’ll take it from here. I also suspect the presence of the ssl_ca directive in the block is actually causing an issue.


Okay, this issue has been addressed in the patch below. We will discuss internally if we’re keeping it this way. Nevertheless, it must work flawlessly now for any kind of config, even broken ones.

Give it a try patching a file and restarting Webmin afterwards.

Note: Line 1834 doesn’t exist on your system, don’t look for it and don’t be surprised it’s not there.

The simple way to apply the patch is to run the following command (from an SSH console or the in-built Webmin command line), for Debian/Ubuntu:

curl https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/1d7306073f1f002e509ec178d41f0db39d5f2eb6/feature-ssl.pl -o /usr/share/webmin/virtual-server/feature-ssl.pl && systemctl stop webmin && systemctl start webmin

… for RHEL (CentOS/Fedora):

curl https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/1d7306073f1f002e509ec178d41f0db39d5f2eb6/feature-ssl.pl -o /usr/libexec/webmin/virtual-server/feature-ssl.pl && systemctl stop webmin && systemctl start webmin

So, that mostly seemed to fix it.

However, there’s still other issues:

local_name beautiquemedspa.com {
ssl_cert = </home/beautiq/ssl.cert
ssl_key = </home/beautiq/ssl.key
ssl_ca = </home/houseofsilnyevents/ssl.ca
}

You’ll see the ssl_ca attribute is not correct. FWIW, houseofsilnyevents is a deleted account. It was deleted yesterday, and I patched the code just now.

local_name azzurecontractors.com {
ssl_cert = </home/azzurec/ssl.cert
ssl_key = </home/azzurec/ssl.key
ssl_cert = </home/azzurec/ssl.combined
ssl_key = </home/azzurec/ssl.key
ssl_cert = </home/azzurec/ssl.cert
ssl_key = </home/azzurec/ssl.key
ssl_ca = </home/azzurec/ssl.ca
ssl_cert = </home/azzurec/ssl.combined
ssl_key = </home/azzurec/ssl.key
ssl_key = </home/baldini/ssl.key
ssl_ca = </home/baldini/ssl.ca
}

baldini is another one I deleted yesterday. Also, you’ll see there’s multiple duplicated lines for azzurec.

So while it was easier to fix the config this time, it’s still broken; just not as badly, and now it seems to be directly related to deleted vhosts.
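As an added example (not code from this thread, from Virtualmin or from Dovecot): a small Python linter for the local_name section of dovecot.conf that catches the three things reported in the thread before Dovecot is restarted: a block with no closing bracket, a block with repeated ssl_cert/ssl_key lines, and a directive pointing at a file that no longer exists, such as the home directory of a deleted virtual server. The SAMPLE config and the EXISTING set of paths are constructed for the example; the repair() function is my own approach (one closed block per name, last directive wins, ssl_ca dropped when its file is gone), not how the feature-ssl.pl patch does it.

```python
# Added example (not from the thread, Virtualmin or Dovecot): lint and rebuild
# the per-domain local_name blocks that get appended to dovecot.conf.
import os
import re

BLOCK_START = re.compile(r'^local_name\s+(\S+)\s*\{$')
DIRECTIVE = re.compile(r'^(ssl_cert|ssl_key|ssl_ca)\s*=\s*<(\S+)$')

class Block:
    def __init__(self, name, line):
        self.name, self.line, self.directives = name, line, []  # directives: (key, path, lineno)

def parse_blocks(text):
    """Return (blocks, top-level lines kept verbatim, structural errors)."""
    blocks, others, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # Dovecot uses '#' comments
        start = BLOCK_START.match(line)
        if start:
            if current is not None:  # previous block never got its '}'
                errors.append(f"line {current.line}: local_name {current.name} "
                              f"has no closing '}}' before line {lineno}")
                blocks.append(current)
            current = Block(start.group(1), lineno)
        elif line == '}':
            if current is None:
                errors.append(f"line {lineno}: unexpected '}}'")
            else:
                blocks.append(current)
                current = None
        elif current is None:
            others.append(raw)  # !include_try, comments, blank lines
        elif line:
            d = DIRECTIVE.match(line)
            if d:
                current.directives.append((d.group(1), d.group(2), lineno))
            else:  # e.g. several directives run together on one line
                errors.append(f"line {lineno}: unrecognised line in local_name {current.name}: {line}")
    if current is not None:
        errors.append(f"line {current.line}: local_name {current.name} has no closing '}}' at end of file")
        blocks.append(current)
    return blocks, others, errors

def lint(text, exists=os.path.exists):
    """List problems Dovecot would choke on, plus directives pointing at stale files."""
    blocks, _, problems = parse_blocks(text)
    seen = {}
    for b in blocks:
        keys = [k for k, _, _ in b.directives]
        for k in ('ssl_cert', 'ssl_key', 'ssl_ca'):
            if keys.count(k) > 1:
                problems.append(f"line {b.line}: local_name {b.name} sets {k} {keys.count(k)} times")
        for k, path, lineno in b.directives:
            if not exists(path):  # e.g. home directory of a deleted virtual server
                problems.append(f"line {lineno}: {k} points at missing file {path}")
        if b.name in seen:
            problems.append(f"line {b.line}: local_name {b.name} repeats the block at line {seen[b.name]}")
        seen.setdefault(b.name, b.line)
    return problems

def repair(text, exists=os.path.exists):
    """Rebuild: one closed block per name, last directive wins, stale ssl_ca and unusable blocks dropped."""
    blocks, others, _ = parse_blocks(text)
    merged = {b.name: b for b in blocks}  # later block for the same name wins
    out = list(others)
    for name, b in merged.items():
        last = {k: path for k, path, _ in b.directives}
        if not (exists(last.get('ssl_cert', '')) and exists(last.get('ssl_key', ''))):
            continue
        out += [f"local_name {name} {{",
                f"  ssl_cert = <{last['ssl_cert']}",
                f"  ssl_key = <{last['ssl_key']}"]
        if 'ssl_ca' in last and exists(last['ssl_ca']):
            out.append(f"  ssl_ca = <{last['ssl_ca']}")
        out.append("}")
    return "\n".join(out) + "\n"

# Constructed input mirroring the thread: www block left unclosed, ssl_cert
# appended twice, a duplicated block, and an ssl_ca from a deleted account.
SAMPLE = """\
!include_try local.conf
local_name mail.example1.com {
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
}
local_name www.example1.com {
  ssl_cert = </home/example1/ssl.cert
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
local_name mail.example1.com {
  ssl_cert = </home/example1/ssl.cert
  ssl_cert = </home/example1/ssl.combined
  ssl_key = </home/example1/ssl.key
  ssl_ca = </home/deleted/ssl.ca
}
"""
EXISTING = {"/home/example1/ssl.cert", "/home/example1/ssl.combined", "/home/example1/ssl.key"}  # assumed filesystem

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, EXISTING.__contains__)))
    print(repair(SAMPLE, EXISTING.__contains__), end="")
```

Against the live file, lint(open('/etc/dovecot/dovecot.conf').read()) with the default os.path.exists is the check to run after every certificate renewal and before any restart; doveconf -n remains the authoritative syntax check, and a clean run of it is what I would require before systemctl restart dovecot, since a missing bracket in one domain's block takes mail down for every domain, as the thread shows. Write repair()'s output to a copy and diff it against the original rather than overwriting in place.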