ssl_dh required, even though DH is disabled.
Eric Toombs
ewtoombs at uwaterloo.ca
Mon Jul 16 08:41:09 EEST 2018
Here's my config:
# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
driver = pam
}
protocols = imap
service imap-login {
inet_listener imap {
port = 0
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
My filesystem is ext4.
Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
work unless I provide an ssl_dh, delivering the following error:
Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>
While providing an ssl_dh is only a minor annoyance, it would be nice if
I didn't have to.
More information about the dovecot
mailing list