
Issue Plesk Obsidian 18.0.73 Dovecot failed to start after install

There are currently two root issues present with Dovecot. One of them is related to server ciphers, and the workaround mentioned above is relevant to it. There is also a second issue related to pci_compliance being enabled, which also leads to failure to start the service. You can try running:

Code:
plesk sbin pci_compliance_resolver --disable dovecot
 
Here is the breakdown of what happened in the case of King555 and me:

First, they have changed a lot of the settings parameter names and the Plesk update didn't account for them.
One of them is the old parameter name in /etc/dovecot/conf.d/11-plesk-security-ssl.conf

It has been replaced by:

Whether to give preference to the server's cipher list over a client's list.
Dovecot documentation

Commenting out or removing the old parameter will bring Dovecot back if you are not experiencing the PCI compliance resolver issue, or you can change it to the new terminology and direct it to client or server, and that will also stop this particular error:



Restart Dovecot:

And you should be back in business.
If I do this, the user can only log in plainly and no longer encrypted.
 
Strange – since after the update, even when correctly replacing the config value as described in the linked article, my mail app on my phone (K-9 Mail) does not fetch mails via IMAP anymore. Accessing via webmail (Roundcube) and via POP3 (Outlook) still works normally.


The same thing happened to me, but I was able to fix it in the end by fighting with an iPhone.
 
@Dog66 I found out that there was an error message (which was only visible when I went to the server settings in the K-9 Mail app and saved them). The error is that "AUTH=CRAM-MD5" is not supported anymore by my Dovecot mailserver. So I had to set the password method to plain instead of encrypted, which does not really sound right.

Apart from that I found the following error message after the update in my mail protocols:
service=lda, [email protected], ip=[]. Error: sieve: binary /var/qmail/mailnames/example.com/noreply/.dovecot.svbin: read: binary stored with different major version 2.0 (!= 3.0; automatically fixed when re-compiled)

I will observe whether these messages will continue.
 
My mail connections still appear to be encrypted. Are you missing any lines like this:
ssl_min_protocol=TLSv1.2
ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EECDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH:!EDH
# Removed: ssl_prefer_server_ciphers (unsupported since Dovecot 2.4)
ssl_server_prefer_ciphers=server
ssl=yes
ssl_server_cert_file=/etc/dovecot/private/dovecot.pem
ssl_server_key_file=/etc/dovecot/private/dovecot.pem
 
So is encryption working now? My accounts are all working with encryption on all devices.
 
No, I've had those settings before. The patch from Plesk also didn't help.
I noticed you don't have a reference to the dh pem file at the top. This is getting a bit over my head, but I see that as a difference between our config files.
ssl_server_dh_file=/usr/local/psa/etc/dhparams2048.pem
Not sure if that would be the cause or not.
 
Sorry, I didn't copy it, but the line is available.
 
I solved it:

10-plesk-security.conf add:
auth_allow_cleartext = no
auth_mechanisms = digest-md5 cram-md5 plain login
auth_allow_weak_schemes = no

11-plesk-security-ssl.conf edit:
from ssl=yes to ssl=required

/etc/postfix/sasl/smtpd.conf
mech_list: DIGEST-MD5 CRAM-MD5
 
Great! ssl=yes works but it looks like you have configured your system to force ssl. Glad you got it sorted out.
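
An added example, not part of any post in this thread and not Plesk or Dovecot code: a small Python check for the rename discussed above (ssl_prefer_server_ciphers to ssl_server_prefer_ciphers) together with the ssl and auth_allow_cleartext settings from the later posts. The function names and the sample config are constructed for illustration, and the yes/no to server/client mapping is an assumption based on the "client or server" wording above.

```python
import re

# Assumption: only the rename discussed in this thread is covered.
OLD, NEW = "ssl_prefer_server_ciphers", "ssl_server_prefer_ciphers"
SIDE = {"yes": "server", "no": "client"}  # old boolean -> new "client or server" value
SETTING = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=\s*)(.*?)\s*$")

def migrate(text):
    """Rewrite the old parameter to its replacement; other lines are untouched."""
    out = []
    for line in text.splitlines():
        m = SETTING.match(line)
        if m and m.group(2) == OLD:
            indent, _, eq, value = m.groups()
            side = SIDE.get(value.lower())
            if side is None:          # unexpected value: keep the line, mark for review
                out.append("# REVIEW: " + line)
                continue
            line = f"{indent}{NEW}{eq}{side}"
        out.append(line)
    return "\n".join(out) + "\n"

def audit(text):
    """Return findings for the settings this thread turns on."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        m = SETTING.match(line)       # comment lines start with '#' and never match
        if not m:
            continue
        key, value = m.group(2), m.group(4).lower()
        seen[key] = value
        if key == OLD:
            findings.append(f"line {n}: {OLD} is the old name; use {NEW}")
        elif key == "auth_allow_cleartext" and value == "yes":
            findings.append(f"line {n}: cleartext auth allowed without TLS")
    if seen.get("ssl") != "required":
        findings.append("ssl is not 'required': TLS is offered but not forced")
    return findings

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE = """\
ssl_min_protocol=TLSv1.2
# ssl_prefer_server_ciphers=no
ssl_prefer_server_ciphers=yes
ssl=yes
auth_allow_cleartext = yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
    print(migrate(SAMPLE), end="")
```

Run it against a copy of the file first; `migrate` leaves commented-out lines alone and marks any value other than yes/no for manual review.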
 
@Sebahat.hadzhi After installing the latest update 18.0.73 #1 Dovecot is still missing DIGEST-MD5 and CRAM-MD5 from auth_mechanisms listed in the main configuration file /etc/dovecot/dovecot.conf
TIA
 