error ssh_dh=</path/to/dh.pem

Open mikysal78 opened this issue 5 years ago • 3 comments

  • Distribution: Debian
  • Codename: Buster.
  • Arch: 64 Bits
  • Database: MySQL

Log mail.err

root@mx:log # more mail.err
Jan 27 00:31:53 mx dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem

mikysal78 avatar Feb 01 '20 22:02 mikysal78

@mikysal78 Looks like this setting is available starting with dovecot 2.3.

tonioo avatar Mar 09 '20 15:03 tonioo

No!

This output is wrong. The option is called ssl_dh not as printed ssh_dh.

Someone made a mistake there that still isn't fixed.

Kedakai avatar Feb 21 '21 21:02 Kedakai

Yes, we should include DH parameters for Dovecot as well, as done for Postfix and Nginx already:

  • https://doc.dovecot.org/settings/core/#core_setting-ssl_dh

Postfix:

https://github.com/modoboa/modoboa-installer/blob/33a909a264d2f4d816a5a2c4130f6cbb647f8e4a/modoboa_installer/scripts/postfix.py#L89-L91

https://github.com/modoboa/modoboa-installer/blob/7f87c2518cb092b15c71aa13de3b64e2d93a0a47/modoboa_installer/scripts/files/postfix/main.cf.tpl#L44

Nginx:

https://github.com/modoboa/modoboa-installer/blob/33a909a264d2f4d816a5a2c4130f6cbb647f8e4a/modoboa_installer/scripts/nginx.py#L88-L89

https://github.com/modoboa/modoboa-installer/blob/58f5a8af094ab7db6c3c2acb246dc9c51bab257a/modoboa_installer/scripts/files/nginx/modoboa.conf.tpl#L25

A reference to the ssl_dh parameter is missing entirely in the Dovecot-associated installer files.

  • https://github.com/modoboa/modoboa-installer/blob/master/modoboa_installer/scripts/dovecot.py
  • https://github.com/modoboa/modoboa-installer/blob/master/modoboa_installer/scripts/files/dovecot/dovecot.conf.tpl
  • https://github.com/modoboa/modoboa-installer/blob/master/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl

I'd suggest to add parameter generation logic to dovecot.py, and reference this file through ssl_dh in 10-ssl.conf.tpl.

almereyda avatar Feb 23 '22 15:02 almereyda
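
A sketch of the check-and-generate logic suggested in the last comment, as an added example that is not modoboa-installer code. The function names, the sample config and the path `/etc/dovecot/dh.pem` are assumptions; `openssl dhparam` is the standard OpenSSL command for generating the file.

```python
import os
import re
import subprocess

# Matches an active (uncommented) Dovecot setting of the form "ssl_dh = </path".
# "ssh_dh" is matched too, because the Dovecot error text quoted in this issue
# prints that misspelled name and it may get pasted into a config verbatim.
DH_SETTING = re.compile(r"^[ \t]*(ssl_dh|ssh_dh)[ \t]*=[ \t]*<[ \t]*(\S+)", re.M)

# Constructed sample of a 10-ssl.conf without DH parameters (not the project's template).
SAMPLE_MISSING = """\
ssl = required
ssl_cert = </etc/ssl/certs/mx.example.org.cert
ssl_key = </etc/ssl/private/mx.example.org.key
#ssl_dh = </etc/dovecot/dh.pem
"""

def check_ssl_dh(conf_text):
    """Return ("ok", path), ("misspelled", path) or ("missing", None)."""
    found = {name: path for name, path in DH_SETTING.findall(conf_text)}
    if "ssl_dh" in found:
        return ("ok", found["ssl_dh"])
    if "ssh_dh" in found:
        return ("misspelled", found["ssh_dh"])
    return ("missing", None)

def ensure_dh_params(path, bits=2048):
    """Generate DH parameters with openssl unless a non-empty file exists.

    Returns True if a new file was generated, False if the existing one was kept.
    """
    if os.path.isfile(path) and os.path.getsize(path) > 0:
        return False
    subprocess.run(["openssl", "dhparam", "-out", path, str(bits)], check=True)
    return True

def ssl_dh_line(path):
    """Config line that makes Dovecot read the parameters from `path`."""
    return "ssl_dh = <{}".format(path)

if __name__ == "__main__":
    status, path = check_ssl_dh(SAMPLE_MISSING)
    print(status, path)
    print(ssl_dh_line("/etc/dovecot/dh.pem"))  # assumed location
```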