dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)
Timo Sirainen
tss at iki.fi
Thu Nov 2 02:01:52 EET 2017
On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
>
>
> That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
>
> There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file. See here:
>
> lightning dovecot # grep ssl_dh *
> grep: conf.d: Is a directory
> lightning dovecot # grep ssl_dh */*
> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
> lightning dovecot #
>
> The rest of them must be being inherited from that statement above.
>
> But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output. Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
>
> To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled. Something buggy with backwards compatibility perhaps?
>
> [Also tested with latest 2.3 -git as of today - same result]
Looks like this is pretty easily reproducible:
a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo
b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
More information about the dovecot
mailing list