Resolved Plesk Obsidian 18.0.73 Dovecot failed to start after install

[Sebahat.hadzhi]

There are currently two root issues present with dovecot. One of them is related to server ciphers and the workaround mentioned above is relevant to it. There is also a second issue related to pci_compliance being enabled, which also leads to failure to start the service. You can try running:

plesk sbin pci_compliance_resolver --disable dovecot

 

[AlkatraZ]

After updating Plesk: Unit, dovercot.service could not be found. (Ubuntu 24)

 

[AlkatraZ]

After updating Plesk: Unit, dovercot.service could not be found. (Ubuntu 24)

I apologize, I solved my problem.

 

[sweetp]

this fix didn't work for me:
https://support.plesk.com/hc/en-us/...ails-to-start-after-a-Plesk-update-to-18-0-73
what worked what commenting out the line:

#ssl_prefer_server_ciphers=server

in the file:
/etc/dovecot/conf.d/11-plesk-security-ssl.conf

Ubuntu 24.0.4

 

[ThiloS]

In my case commeting out the ciphers-line worked as well - but as a side-effect the "monitoring" feature stopped working by commenting it out... is that possible or just a coincidence?


And as people mentioned before - when using warden-antispam you have another headache here:

How can I fix the error: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/99-warden.conf line 9: Unknown section name: plugin after upgrading to Plesk 18.0.73? - Knowledgebase - Danami

 

[srt10coupe]

Here is the breakdown of what happened in the case of King555 and me:

First, they have changed a lot of the settings parameter names and the Plesk update didn't account for them.
One of them is the old parameter name in /etc/dovecot/conf.d/11-plesk-security-ssl.conf

It has been replaced by:

Whether to give preference to the server's cipher list over a client's list.
Dovecot documentation

Commenting out or removing the old parameter will bring Dovecot back if you are not experiencing the PCI compliance resolver issue or you can change it to the new terminology and direct it to client or server and that will also stop this particular error:



Restart Dovecot:

And you should be back in business.

If I do this, the user can only log in plainly and no longer encrypted.

 

[KirkM]

this fix didn't work for me:
https://support.plesk.com/hc/en-us/...ails-to-start-after-a-Plesk-update-to-18-0-73
what worked what commenting out the line:

#ssl_prefer_server_ciphers=server

in the file:
/etc/dovecot/conf.d/11-plesk-security-ssl.conf

Ubuntu 24.0.4

I believe that line is now ssl_server_prefer_ciphers=server. They changed the word order in the setting with this new release.

 

[KirkM]

If I do this, the user can only log in plainly and no longer encrypted.

My mail connections still appear to be encrypted. Are you missing any lines like this:
ssl_min_protocol=TLSv1.2

 

[Dog66]

Strange – since after the update, even when correctly replacing the config value as described in the linked article, my mail app on my phone (K-9 Mail) does not fetch mails via IMAP anymore. Accessing via webmail (Roundcube) and via POP3 (Outlook) still works normally.

The same thing happened to me, but I was able to fix it in the end by fighting with an iPhone.

 

[sweetp]

@KirkM Ah i didn’t catch the change. I’ll try it out. Thx

 

[King555]

@Dog66 I found out that there was an error message (which was only visible when I went to the server settings in the K-9 Mail app and saved them). The error is that "AUTH=CRAM-MD5" is not supported anymore by my Dovecot mailserver. So I had to set the password method to plain instead of encrypted, which does not really sound right.

Apart from that I found the following error message after the update in my mail protocols:
service=lda, [email protected], ip=[]. Error: sieve: binary /var/qmail/mailnames/example.com/noreply/.dovecot.svbin: read: binary stored with different major version 2.0 (!= 3.0; automatically fixed when re-compiled)

I will observe whether these messages will continue.

 

[KirkM]

Looks like Plesk has released the mu patch.

 

[srt10coupe]

My mail connections still appear to be encrypted. Are you missing any lines like this:
ssl_min_protocol=TLSv1.2

ssl_min_protocol=TLSv1.2
ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EECDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH:!EDH
# Removed: ssl_prefer_server_ciphers (unsupported since Dovecot 2.4)
ssl_server_prefer_ciphers=server
ssl=yes
ssl_server_cert_file=/etc/dovecot/private/dovecot.pem
ssl_server_key_file=/etc/dovecot/private/dovecot.pem

 

[KirkM]

ssl_min_protocol=TLSv1.2
ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EECDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH:!EDH
# Removed: ssl_prefer_server_ciphers (unsupported since Dovecot 2.4)
ssl_server_prefer_ciphers=server
ssl=yes
ssl_server_cert_file=/etc/dovecot/private/dovecot.pem
ssl_server_key_file=/etc/dovecot/private/dovecot.pem

So is encryption working now? My accounts are all working with encryption on all devices.

 

[srt10coupe]

So is encryption working now? My accounts are all working with encryption on all devices.

No, I've had those settings before. The patch from Plesk also didn't help.

 

[KirkM]

No, I've had those settings before. The patch from Plesk also didn't help.

I noticed you don't have a reference to the dh pem file at the top. This is getting a bit over my head, but I see that as a difference between our config files.
ssl_server_dh_file=/usr/local/psa/etc/dhparams2048.pem
Not sure if that would be the cause or not.

 

[srt10coupe]

I noticed you don't have a reference to the dh pem file at the top. This is getting a bit over my head, but I see that as a difference between our config files.
ssl_server_dh_file=/usr/local/psa/etc/dhparams2048.pem
Not sure if that would be the cause or not.

Sorry, I didn't copy it, but line is available.

 

[srt10coupe]

I noticed you don't have a reference to the dh pem file at the top. This is getting a bit over my head, but I see that as a difference between our config files.
ssl_server_dh_file=/usr/local/psa/etc/dhparams2048.pem
Not sure if that would be the cause or not.

I solved it:

10-plesk-security.conf add:
auth_allow_cleartext = no
auth_mechanisms = digest-md5 cram-md5 plain login
auth_allow_weak_schemes = no

11-plesk-security-ssl.conf edit:
from ssl=yes to ssl=required

/etc/postfix/sasl/smtpd.conf
mech_list: DIGEST-MD5 CRAM-MD5

 

[KirkM]

I solved it:

10-plesk-security.conf add:
auth_allow_cleartext = no
auth_mechanisms = digest-md5 cram-md5 plain login
auth_allow_weak_schemes = no

11-plesk-security-ssl.conf edit:
from ssl=yes to ssl=required

/etc/postfix/sasl/smtpd.conf
mech_list: DIGEST-MD5 CRAM-MD5

Great! ssl=yes works but it looks like you have configured your system to force ssl. Glad you got it sorted out.

 

[LRLD]

@Sebahat.hadzhi After installing the latest update 18.0.73 #1 Dovecot is still missing DIGEST-MD5 and CRAM-MD5 from auth_mechanisms listed in the main configuration file /etc/dovecot/dovecot.conf
TIA