ssl_dh required, even though DH is disabled.

Eric Toombs ewtoombs at uwaterloo.ca
Mon Jul 16 08:41:09 EEST 2018


Here's my config:

# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
  driver = pam
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key =  # hidden, use -P to show it
ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
work unless I provide an ssl_dh, delivering the following error:


Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if
I didn't have to.


More information about the dovecot mailing list