Possible bug with Virtualmin (dovecot)


So a couple of weeks ago I got a new SSL certificate and when I went into Virtualmin I had an option under my site SSL to “copy to dovecot” and then promptly the service stopped working.

I ended up just disabling it and today I find out that wasn’t so smart because I’m failing some PCI scans in part because the security on that port can be exploited.

Went back in and started the process over and from the command line I found this error when restarting dovecot:

doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:86: ssl_cert_file has been replaced by ssl_cert = <file doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:87: ssl_key_file has been replaced by ssl_key = <file doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:88: ssl_ca_file has been replaced by ssl_ca = <file

Long story short I ended up having to change the above to:

ssl_cert = </etc/dovecot/dovecot.cert.pem ssl_key = </etc/dovecot/dovecot.key.pem ssl_ca = </etc/dovecot/dovecot.ca.pem

And now the service starts up like a charm with no errors. The only thing I can think of is that I keep my system up to date and perhaps dovecot got updated but not the portion in virtualmin that updates the configuration file.

I just did a penssl s_client -connect www.MYSITE.com:143 | grep “Cipher is”
and received: New, (NONE), Cipher is (NONE)

Sooooo… I still have no encryption despite my changes.

Any thoughts?


Followed these instructions: http://www.virtualmin.com/documentation/security/pci

Now I get a return so I hope this will make the difference.

Okay so it looks like port 443 was actually for https and not dovecot…

Any information on forcing apache to be PCI compliant? (Did the steps in the above link and its still allowing non-secure connections)