update to 132 breaks dovecot w/ sslv3

Comments

14 comments

  • cPRex Jurassic Moderator

    Hey there!  This is a known issue with the current update - if there are any customizations to Dovecot the update will fail.

    You can do the following to reset the file:

    mv -v /etc/dovecot/ssl.conf{,.bak}
    /scripts/builddovecotconf

    and then I would expect the update to work normally.

    1
  • support CBNCLoud

    The issue still appears :) I need some explanation why this issue appears.

    0
  • George_Fusioned

    I'm experiencing the same on a server that was updated to v132 last night. Hundreds of customers getting

    Your server does not support the specified encryption type. Change encryption method. Please contact your mail server administrator or your Internet service provider (ISP).

    and mainlog is full of

    imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't set minimum protocol to 'SSLv3' (ssl_min_protocol setting): Unknown value
    0
  • danfbach

    Hey cPRex. I followed your instructions - the rebuild's new ssl.conf file has the ssl_min_protocol set to SSLv3, which is incompatible.

    Edit: after further inspection, running 

    doveconf -n | grep ssl_min_protocol

    it appears that ssl_min_protocol is no longer set at all, even though it is in ssl.conf. Is this correct?

     

    Edit 2:

    When viewing in WHM mailserver config, it still showed SSLv3. I tried to save as TLSv1.2. Again it silently failed to SSLv3, and now does show SSLv3 when looking at doveconf, so I again just overwrote the ssl.conf file again. 

    0
  • danfbach

    George_Fusioned

    The quick workaround is editing /etc/dovecot/ssl.conf and changing the line

    ssl_min_protocol = SSLv3

    to

    ssl_min_protocol = TLSv1.2

    and then

    sudo systemctl restart dovecot.service

    Keep in mind that this workaround is likely transient and could be undone by cpanel update.

    1
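A check for the reverted setting and the matching log error discussed in this thread, as an added example that is not part of any post and not cPanel or Dovecot tooling. The sample config and log lines are constructed, the function names are hypothetical, and the parser treats the file as flat (it ignores section blocks).

```shell
#!/bin/sh
# Added example: flag an ssl_min_protocol that has reverted to SSLv3.

# Constructed sample shaped like the ssl.conf described in the thread.
SAMPLE_CONF="ssl = yes
#ssl_min_protocol = TLSv1.2
ssl_min_protocol = SSLv3"

# Constructed log lines; the error text is the one quoted in the thread.
SAMPLE_LOG="Dec 09 02:11:01 imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't set minimum protocol to 'SSLv3' (ssl_min_protocol setting): Unknown value
Dec 09 02:11:02 imap-login: Info: Login: user=<demo@example.test>
Dec 09 02:11:04 imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't set minimum protocol to 'SSLv3' (ssl_min_protocol setting): Unknown value"

# Print the effective ssl_min_protocol from config text on stdin.
# Comments are stripped first; a later assignment overrides an earlier one.
effective_min_protocol() {
    sed -e 's/#.*$//' |
    awk -F= '$1 ~ /^[ \t]*ssl_min_protocol[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
             }
             END { if (last != "") print last }'
}

# Classify the setting: TLSv1.2 is the value the workaround sets, SSLv3 is the
# value Dovecot rejects; anything else is left for a human to review.
check_min_protocol() {
    value=$(effective_min_protocol)
    case "$value" in
        "")      echo "unset";         return 2 ;;
        TLSv1.2) echo "ok $value";     return 0 ;;
        SSLv3)   echo "broken $value"; return 1 ;;
        *)       echo "review $value"; return 3 ;;
    esac
}

# Count log lines on stdin that carry the SSL context initialisation failure.
count_ssl_init_errors() {
    grep -c "Can't set minimum protocol to 'SSLv3'" || true
}

# Demo on the constructed samples. On a server, feed the real file instead:
#   check_min_protocol < /etc/dovecot/ssl.conf
printf '%s\n' "$SAMPLE_CONF" | check_min_protocol || true
printf '%s\n' "$SAMPLE_LOG" | count_ssl_init_errors
```

Running the check after each configuration rebuild shows whether the workaround has been undone before mail clients start failing.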
  • George_Fusioned

    danfbach thank you, yes - I already did this earlier and the problem with mail clients not being able to connect has been resolved, but as you said it's not a permanent fix and can break anytime with the next cPanel update for example.

    1
  • incubatec

    The bug is still present, no matter the setting in WHM mailserver config - as soon as cPanel rebuilds the configuration, SSLv3 is written as the ssl_min_protocol.

    2
  • cPRex Jurassic Moderator

    This is likely related to CPANEL-50271, which is fixed but hasn't yet been released to a cPanel version.  https://support.cpanel.net/hc/en-us/community/posts/36924766387607-Recent-Dovecot-issues-their-related-cases-and-status

    0
  • FullHost Support

    After running;

    mv -v /etc/dovecot/ssl.conf{,.bak}
    /scripts/builddovecotconf

     

    And restarting dovecot. We still see the errors.

     

    imap-login: Error: Failed to initialize SSL connection: Couldn't initialize SSL server context: Can't set minimum protocol to 'SSLv3' (ssl_min_protocol setting):

    We are using version 132.0.9 and there is no mention of CPANEL-50271 in the release logs https://docs.cpanel.net/changelogs/132-change-log/

    0
  • danfbach

    Yeah, it doesn't work. See my comment a couple up ^^

    That will fix it, for now.

    0
  • Josh Fields

    This is a terrible bug.  I did the workaround listed above, and it is working for now... but please send out a permanent fix quickly.

    1
  • cPRex Jurassic Moderator

    Josh Fields - this one has been given priority, so I'm hoping the next release happens soon!

    0
  • incubatec

    cPRex hasn't this been fixed with the latest release?

    132.0.11


    2025-12-10
    • Fixed CPANEL-40311: New form field to specify region of S3-compatible backup destinations.
    • Fixed CPANEL-50271: Fix ability to set Dovecot ssl.conf settings.
    • Fixed CPANEL-50422: Address additional net-snmp dependency issues not fixed for CPANEL-50161.
    • Fixed CPANEL-50639: Bump rpm.versions for cpanel-geoipfree-data version 130.3-1.cp130.
    0
  • cPRex Jurassic Moderator

    It sure has!  Although .11 is only in the Edge tier and was *just* released.

    0
