Resolved Plesk Obsidian 18.0.73 Dovecot failed to start after install

[LRLD]

Server operating system version

Ubuntu 24.04.3

Plesk version and microupdate number

Plesk Obsidian 18.0.72 Web Pro Edition

Hi,

there's issue starting Dovecot after upgrade, caused by /etc/dovecot/conf.d/11-plesk-security-pci.conf and unknown setting disable_plaintext_auth

I have commented this out to get Dovecot started again.

I just wanted to bring this to the attention of @Sebahat.hadzhi

Thanks

 

[Dog66]

I have updated the machine with Plesk, and now Dovecot won't start and shows me this error. There isn't much information and I have tried turning off CipherTree but nothing at all... I hope someone can help me. Thank you very much in advance.

Plesk ObsidianVersión 18.0.73
AlmaLinux 9.6

[root@ns1 ~]# doveconf -Pn
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/11-plesk-security-ssl.conf line 4: ssl_prefer_server_ciphers: Unknown setting: ssl_prefer_server_ciphers

 

[King555]

I get doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/11-plesk-security-ssl.conf line 4: ssl_prefer_server_ciphers: Unknown setting: ssl_prefer_server_ciphers

I commented out the mentioned line: #ssl_prefer_server_ciphers=yes

Now it works. The file mentioned in post #1 does not exist on my server

 

[Dog66]

I get doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/11-plesk-security-ssl.conf line 4: ssl_prefer_server_ciphers: Unknown setting: ssl_prefer_server_ciphers

I commented out the mentioned line: #ssl_prefer_server_ciphers=yes

Now it works. The file mentioned in post #1 does not exist on my server

I tried to do it but it doesn't listen to reason and I had to put the courier

 

[KirkM]

I commented out the mentioned line: #ssl_prefer_server_ciphers=yes

This worked for me. I also don't have the file mentioned by the OP.

This seems to me to be an issue with the update. That setting should be there and should work. Plesk needs to issue an immediate patch.

 

[KirkM]

I just wanted to bring this to the attention of @Sebahat.hadzhi

Thanks for jumping on that LRLD!

 

[G J Piper]

Seems like the pci_compliance_resolver utility having been run in the past makes configuration files that are incompatible with the new Plesk 18.0.73 dovecot update. Mine was so unfixable I had to restore my whole server from backup to get email working again. :-(

 

[LRLD]

I have pci_compliance_resolver enabled on my servers which is why I have a different error.
I still have ssl_prefer_server_ciphers but mine is set to no, so I didn't need to touch it.

To add to my initial post, I decided to create a file /etc/dovecot/conf.d/99-require-ssl.conf and added ssl=required, which gave a warning about 10-plesk-security.conf so I commented out the line disable_plaintext_auth = no in that file too.

 

[moswak]

Exactly the same thing happened to me.
But I've disabled automatic updates. It's unthinkable that this would cause the mail servers to suddenly stop starting overnight. Plesk should fix this quickly, please.

 

[Greg Sevastos]

Hi,

there's issue starting Dovecot after upgrade, caused by /etc/dovecot/conf.d/11-plesk-security-pci.conf and unknown setting disable_plaintext_auth

I have commented this out to get Dovecot started again.

I just wanted to bring this to the attention of @Sebahat.hadzhi

Thanks

Hi LRLD,

I had the same issue. The new version of Covecot has various config changes.

Just replace `disable_plaintext_auth = yes` with `auth_allow_cleartext = no` and restart the IMAP service.

Plesk needs to update their PCI compliance docs for the new change.

This worked for me!

I also have another issue with Warden Antispam not working after the update (the vendor is onto it). I really hate when Plesk does **** like this :/

 

[KirkM]

Here is the breakdown of what happened in the case of King555 and me:

First, they have changed a lot of the settings parameter names and the Plesk update didn't account for them.
One of them is the old parameter name in /etc/dovecot/conf.d/11-plesk-security-ssl.conf

ssl_prefer_server_ciphers=(yes or no)

It has been replaced by:

ssl_server_prefer_ciphers=(client or server)

Whether to give preference to the server's cipher list over a client's list.
Dovecot documentation

Commenting out or removing the old parameter will bring Dovecot back if you are not experiencing the PCI compliance resolver issue or you can change it to the new terminology and direct it to client or server and that will also stop this particular error:

nano /etc/dovecot/conf.d/11-plesk-security-ssl.conf

ssl_server_dh_file=/usr/local/psa/etc/dhparams2048.pem
ssl_min_protocol=TLSv1.2
ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH$.....
ssl_server_prefer_ciphers=server
ssl=yes
ssl_server_cert_file=/etc/dovecot/private/dovecot.pem
ssl_server_key_file=/etc/dovecot/private/dovecot.pem

Restart Dovecot:

systemctl restart dovecot

And you should be back in business.

 

[HoracioS]

Here is the breakdown of what happened in the case of King555 and me:

First, they have changed a lot of the settings parameter names and the Plesk update didn't account for them.
One of them is the old parameter name in /etc/dovecot/conf.d/11-plesk-security-ssl.conf

It has been replaced by:

Whether to give preference to the server's cipher list over a client's list.
Dovecot documentation

Commenting out or removing the old parameter will bring Dovecot back if you are not experiencing the PCI compliance resolver issue or you can change it to the new terminology and direct it to client or server and that will also stop this particular error:



Restart Dovecot:

And you should be back in business.

This solution worked for me. I’ve only encountered this behavior on Debian 11.1; on Ubuntu 24.04 it works perfectly.

Best regards,

 

[KirkM]

I forgot to send a big thank you to King555 for finding the issue with setups without PCI compliance enabled. Mahalo nui loa!

 

[Sebahat.hadzhi]

Thank you all for reporting the issue. Our team is already working on a hotfix (PPP-69670), which should be released soon. In the meantime, the workaround our team suggests is to substitute ssl_prefer_server_ciphers = yes with ssl_server_prefer_ciphers=server and ssl_protocols with ssl_min_protocol.

 

[macadia]

Hi, the solution is published here

https://support.plesk.com/hc/en-us/articles/35298763496215-Dovecot-fails-to-start-after-a-Plesk-update-to-18-0-73

Worked for me too

 

[moswak]

Thank you all for reporting the issue. Our team is already working on a hotfix (PPP-69670), which should be released soon. In the meantime, the workaround our team suggests is to substitute ssl_prefer_server_ciphers = yes with ssl_server_prefer_ciphers=server and ssl_protocols with ssl_min_protocol.

This doesn't work for me as long as the 11-plesk-security-pci.conf says: disable_plaintext_auth = yes.
It only works when I exclude that.
Is the fix incomplete?

 

[LRLD]

This doesn't work for me as long as the 11-plesk-security-pci.conf says: disable_plaintext_auth = yes.
It only works when I exclude that.
Is the fix incomplete?

See Greg's post above...

Issue - Plesk Obsidian 18.0.73 Dovecot failed to start after install

Hi, there's issue starting Dovecot after upgrade, caused by /etc/dovecot/conf.d/11-plesk-security-pci.conf and unknown setting disable_plaintext_auth I have commented this out to get Dovecot started again. I just wanted to bring this to the attention of @Sebahat.hadzhi Thanks

talk.plesk.com

 

[Daniel Pirker]

I tried it that way, but no chance, it just doesn't start

 

[King555]

Strange – since after the update, even when correctly replacing the config value as described in the linked article, my mail app on my phone (K-9 Mail) does not fetch mails via IMAP anymore. Accessing via webmail (Roundcube) and via POP3 (Outlook) still works normally.

 

[Daniel Pirker]

Lesen Sie, ob Ihre PCI-Konformitätsdokumente für die neue Änderung aktuell sein müssen

Vorsicht bei der Verwendung des Anti-Spam- und Virenschutzes von Warden.

Login - Danami