dovecot-2.3 (-git) Warning (Was Re: dovecot Digest, Vol 174, Issue 64)

Timo Sirainen tss at iki.fi
Thu Nov 2 02:01:52 EET 2017


On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot at reub.net> wrote:
> 
> 
> That's the thing.  Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files.
> 
> There is only one place where ssl_dh is defined and that's in the global 10-ssl.conf file.  See here:
> 
> lightning dovecot # grep ssl_dh *
> grep: conf.d: Is a directory
> lightning dovecot # grep ssl_dh */*
> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
> lightning dovecot #
> 
> The rest of them must be being inherited from that statement above.
> 
> But back to the original question, if I *remove* the ssl-parameters.dat file from /var/lib/dovecot/ then without any other configuration changes the error goes away on reload and from doveconf output.  Not only that, but if the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol in doveconf -n also disappear too.
> 
> To me that indicates that the mere presence of the ssl-parameters.dat file is doing something odd with the way the ssl_dh configuration statements are being handled.  Something buggy with backwards compatibility perhaps?
> 
> [Also tested with latest 2.3 -git as of today - same result]

Looks like this is pretty easily reproducible:

a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo

b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
