Here's my config:

    # 2.3.2 (582970113): /etc/dovecot/dovecot.conf
    # OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
    # Hostname: vault
    passdb {
      driver = pam
    }
    protocols = imap
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }
    ssl = required
    ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
    ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
    ssl_key = # hidden, use -P to show it
    ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't work unless I provide an ssl_dh, delivering the following error:

    Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if I didn't have to.

This is a known issue, but thanks for reporting it.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Eric Toombs <ewtoombs at uwaterloo.ca>
Date: 16/07/2018 08:41 (GMT+02:00)
To: dovecot at dovecot.org
Subject: ssl_dh required, even though DH is disabled.

Here's my config:

    # 2.3.2 (582970113): /etc/dovecot/dovecot.conf
    # OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
    # Hostname: vault
    passdb {
      driver = pam
    }
    protocols = imap
    service imap-login {
      inet_listener imap {
        port = 0
      }
    }
    ssl = required
    ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
    ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
    ssl_key = # hidden, use -P to show it
    ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't work unless I provide an ssl_dh, delivering the following error:

    Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if I didn't have to.
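
An added example, not part of either message and not Dovecot code: a small Python check that reads `doveconf -n` output and reports whether ssl_cipher_list names any finite-field DH suite and whether ssl_dh is set, which is the combination this thread is about. It assumes the cipher list holds explicit OpenSSL suite names (no keywords such as HIGH); the function names and the shortened sample config are constructed here.

```python
import re

# Constructed sample: relevant lines of the `doveconf -n` output quoted in this
# thread, with the cipher list shortened.
SAMPLE = """\
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
ssl_min_protocol = TLSv1.2
"""

def top_level_settings(text):
    """Return key/value pairs that sit outside any { } block of doveconf -n output."""
    depth, settings = 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def ffdh_suites(cipher_list):
    """Enabled suite names with finite-field DH key exchange (DHE-/EDH-/ADH-/DH- prefix)."""
    # Entries starting with "!" or "-" are exclusions, so they are skipped.
    names = [c for c in re.split(r"[:, ]+", cipher_list) if c and c[0] not in "!-"]
    return [c for c in names if re.match(r"(DHE|EDH|ADH|DH)-", c.lstrip("+"))]

def check(text):
    s = top_level_settings(text)
    return {"ffdh_suites": ffdh_suites(s.get("ssl_cipher_list", "")),
            "ssl_dh_set": bool(s.get("ssl_dh"))}

if __name__ == "__main__":
    result = check(SAMPLE)
    print(result)
    if not result["ssl_dh_set"] and not result["ffdh_suites"]:
        print("no finite-field DH suites listed and ssl_dh unset: the case reported in this thread")
```
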