Don't know if this was corrected in 2.3.4 (haven't upgraded yet but didn't see it in the notes) - but in 2.3.3 I see this in my log:
imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem
So...either there's an undocumented feature of SSH-over-IMAP (that's Dovecot - always on the cutting edge!) or someone had a coffee shortage during a coding session...
-- Daniel
Daniel Miller via dovecot wrote on 2018-12-16 23:30:
> So...either there's an undocumented feature of SSH-over-IMAP (that's Dovecot - always on the cutting edge!) or someone had a coffee shortage during a coding session...
it's std way of drinking coffee :=)
https://www.sidorenko.io/post/2014/02/secure-ssl-configuration-for-apache-po...
make one for dovecot or reuse one from postfix
On 16.12.2018 at 23:30, Daniel Miller via dovecot wrote:
> Don't know if this was corrected in 2.3.4 (haven't upgraded yet but didn't see it in the notes) - but in 2.3.3 I see this in my log:
> imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem
> So...either there's an undocumented feature of SSH-over-IMAP (that's Dovecot - always on the cutting edge!) or someone had a coffee shortage during a coding session...
# doveconf -n | egrep '(2.3|_dh)'
# 2.3.4 (0ecbaf23d): /etc/dovecot/dovecot.conf
ssl_dh = # hidden, use -P to show it
Alexander
Daniel, as of 2.3.x, you have to create a dh.pem parameter file unless you can convert an existing parameter file: https://wiki.archlinux.org/index.php/dovecot#Generate_DH_parameters
To generate a new DH parameters file (this will take very long):
# openssl dhparam -out /etc/dovecot/dh.pem 4096
then add the file to /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
This creates a file dh.pem. The dh.pem file contains the base g and modulo p. These parameters define how OpenSSL performs the Diffie-Hellman (DH) key-exchange.
More light reading:
https://security.stackexchange.com/questions/45963/diffie-hellman-key-exchange-in-plain-english
https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters
Yes it took a very long time, indeed five hours in my case. But now it works. I took a nap and listened to Messiah while it ground away...
Enjoy...
:-)
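Added example (not part of the original thread and not Dovecot's own code): a shell check for the two mistakes this thread turns on, a setting named `ssh_dh` as in the 2.3.3 log message instead of `ssl_dh`, and an `ssl_dh` value that does not point at a readable DH parameter file through the `<` prefix. The function name, status words and sample files are made up for the example; it reads a plain config file, not `doveconf` output, and the PEM header test is a heuristic.

```shell
#!/bin/sh
# check_ssl_dh CONF: print one status word; return 0 only for "ok".
# (Hypothetical helper written for this example.)
check_ssl_dh() {
    conf=$1
    # The 2.3.3 log text says "ssh_dh"; the setting Dovecot reads is ssl_dh.
    if grep -Eq '^[[:space:]]*ssh_dh[[:space:]]*=' "$conf"; then
        echo "misnamed"; return 1
    fi
    # Last uncommented ssl_dh line, with the name, '=' and padding stripped.
    val=$(sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    val=$(printf '%s' "$val" | sed 's/[[:space:]]*$//')
    [ -n "$val" ] || { echo "unset"; return 1; }
    # A leading '<' tells Dovecot to read the value from that file.
    case $val in
        '<'*) path=${val#?} ;;
        *) echo "not-a-file-reference"; return 1 ;;
    esac
    [ -r "$path" ] || { echo "unreadable"; return 1; }
    # openssl dhparam writes a PEM block with this header.
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$path" || { echo "not-dh-pem"; return 1; }
    echo "ok"
}

# Demo on constructed files (paths and contents are made up for this example).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN DH PARAMETERS-----' '(constructed)' \
    '-----END DH PARAMETERS-----' > "$demo_dir/dh.pem"
printf 'ssh_dh = <%s\n' "$demo_dir/dh.pem" > "$demo_dir/typo.conf"
printf 'ssl_dh = <%s\n' "$demo_dir/dh.pem" > "$demo_dir/good.conf"
check_ssl_dh "$demo_dir/typo.conf"
check_ssl_dh "$demo_dir/good.conf"
rm -rf "$demo_dir"
```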
participants (5)
- Aki Tuomi
- Alexander Dalloz
- Benny Pedersen
- C. Andrews Lavarre
- Daniel Miller