Don't know if this was corrected in 2.3.4 (haven't upgraded yet but didn't see it in the notes) - but in 2.3.3 I see this in my log:

imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem

So...either there's an undocumented feature of SSH-over-IMAP (that's Dovecot - always on the cutting edge!) or someone had a coffee shortage during a coding session...

--
Daniel
Daniel Miller via dovecot wrote on 2018-12-16 23:30:

> So...either there's an undocumented feature of SSH-over-IMAP (that's
> Dovecot - always on the cutting edge!) or someone had a coffee
> shortage during a coding session...

it's the std way of drinking coffee :=)

https://www.sidorenko.io/post/2014/02/secure-ssl-configuration-for-apache-postfix-dovecot/

make one for dovecot or reuse one from postfix
On 16.12.2018 at 23:30, Daniel Miller via dovecot wrote:
> Don't know if this was corrected in 2.3.4 (haven't upgraded yet but
> didn't see it in the notes) - but in 2.3.3 I see this in my log:
>
> imap-login: Error: Diffie-Hellman key exchange requested, but no DH
> parameters provided. Set ssh_dh=</path/to/dh.pem
>
> So...either there's an undocumented feature of SSH-over-IMAP (that's
> Dovecot - always on the cutting edge!) or someone had a coffee shortage
> during a coding session...

# doveconf -n | egrep '(2.3|_dh)'
# 2.3.4 (0ecbaf23d): /etc/dovecot/dovecot.conf
ssl_dh =  # hidden, use -P to show it

Alexander
Daniel, as of 2.3.x, you have to create a dh.pem parameter file unless you can convert an existing parameter file:

https://wiki.archlinux.org/index.php/dovecot#Generate_DH_parameters

To generate a new DH parameters file (this will take very long):

# openssl dhparam -out /etc/dovecot/dh.pem 4096

then add the file to /etc/dovecot/conf.d/10-ssl.conf

ssl_dh = </etc/dovecot/dh.pem

This creates a file dh.pem. The dh.pem file contains the base g and modulo p. These parameters define how OpenSSL performs the Diffie-Hellman (DH) key-exchange.

More light reading:
https://security.stackexchange.com/questions/45963/diffie-hellman-key-exchange-in-plain-english
https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters

Yes, it took a very long time, indeed five hours in my case. But now it works. I took a nap and listened to Messiah while it ground away...

Enjoy... :-)
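An added example, not part of this thread and not Dovecot or OpenSSL code: before pointing `ssl_dh` at a freshly generated (or reused) dh.pem, it is worth confirming that the file really holds what the message above says it holds, a safe prime p and an in-range base g, and that p is as long as intended. `openssl dhparam` writes a PEM "DH PARAMETERS" block wrapping the PKCS#3 DER structure `DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }`; the script below decodes that with the standard library only and runs a Miller-Rabin safe-prime test. All function names are mine. The embedded sample is the RFC 2409 "Oakley group 2" 1024-bit prime with g = 2, used purely as a constructed, structurally valid stand-in for a real 4096-bit file (and, at 1024 bits, deliberately failing the default length check).

```python
"""Added example (not Dovecot/OpenSSL code): sanity-check a dh.pem before use.
Decodes the PKCS#3 DHParameter SEQUENCE { prime INTEGER, base INTEGER } that
`openssl dhparam` writes, then checks p is a safe prime, g is in [2, p-2]
and p is long enough."""
import base64
import random
import re

# RFC 2409 "Oakley group 2" 1024-bit MODP prime, generator 2. Constructed sample
# only: structurally valid, but far too short for a production ssl_dh file.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

# --- minimal DER encode/decode for SEQUENCE { INTEGER, INTEGER } ---------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # pad so the INTEGER stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p, g):
    inner = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(inner)) + inner

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % body

def _read_tlv(buf, pos, tag):
    """Return (value_bytes, next_pos) for the TLV at buf[pos], enforcing the tag."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:             # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return buf[pos:pos + length], pos + length

def parse_dh_pem(pem):
    """Extract (p, g) from a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after DHParameter SEQUENCE")
    p_bytes, pos = _read_tlv(seq, 0, 0x02)
    g_bytes, _ = _read_tlv(seq, pos, 0x02)   # optional privateValueLength may follow; ignored
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

# --- number-theoretic checks ----------------------------------------------------
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # never reached -1: n is composite
    return True

def check_dh_params(p, g, min_bits=2048):
    """Return (ok, problems) for a (p, g) pair; problems is a list of strings."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p is only %d bits (want >= %d)" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is prime but not a safe prime: q = (p-1)/2 is composite")
    if not 2 <= g <= p - 2:
        problems.append("generator g=%d is outside [2, p-2]" % g)
    return (not problems, problems)

def check_dh_pem(pem, min_bits=2048):
    """Parse a dh.pem and return (ok, bit_length_of_p, problems)."""
    p, g = parse_dh_pem(pem)
    ok, problems = check_dh_params(p, g, min_bits)
    return ok, p.bit_length(), problems

if __name__ == "__main__":
    # Stand-in for /etc/dovecot/dh.pem: the sample prime encoded the way openssl writes it.
    sample_pem = to_pem(encode_dh_params(OAKLEY_GROUP2_P, 2))
    ok, bits, problems = check_dh_pem(sample_pem)
    print("p is a safe prime of %d bits, ok=%s" % (bits, ok), *problems, sep="\n  ")
```

To check a real file, call `check_dh_pem(open("/etc/dovecot/dh.pem").read())`; the two Miller-Rabin runs on a 4096-bit p take a few seconds in pure Python, which is nothing next to the hours the generation itself costs. The safe-prime test is the part that matters operationally: `openssl dhparam` without `-dsaparam` produces safe primes, and a file that fails it was not produced that way and should not be trusted.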
On 17 December 2018 at 00:30 Daniel Miller via dovecot <dovecot@dovecot.org> wrote:

> Don't know if this was corrected in 2.3.4 (haven't upgraded yet but
> didn't see it in the notes) - but in 2.3.3 I see this in my log:
>
> imap-login: Error: Diffie-Hellman key exchange requested, but no DH
> parameters provided. Set ssh_dh=</path/to/dh.pem
>
> So...either there's an undocumented feature of SSH-over-IMAP (that's
> Dovecot - always on the cutting edge!) or someone had a coffee shortage
> during a coding session...
>
> --
> Daniel

It's a typo. We made non-ec DH optional in 2.3.4. This means you can remove all non-ec dh crypto algos from cipherlist. This was because ec support is pretty good and generating safe dh parameters takes a very long time, so one can simply stop supporting non-ec dh based algorithms.

---
Aki Tuomi
On 17 December 2018 at 07:08 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:

>> On 17 December 2018 at 00:30 Daniel Miller via dovecot <dovecot@dovecot.org> wrote:
>>
>> Don't know if this was corrected in 2.3.4 (haven't upgraded yet but
>> didn't see it in the notes) - but in 2.3.3 I see this in my log:
>>
>> imap-login: Error: Diffie-Hellman key exchange requested, but no DH
>> parameters provided. Set ssh_dh=</path/to/dh.pem
>>
>> So...either there's an undocumented feature of SSH-over-IMAP (that's
>> Dovecot - always on the cutting edge!) or someone had a coffee shortage
>> during a coding session...
>>
>> --
>> Daniel
>
> It's a typo. We made non-ec DH optional in 2.3.4. This means you can remove all non-ec dh crypto algos from cipherlist. This was because ec support is pretty good and generating safe dh parameters takes a very long time, so one can simply stop supporting non-ec dh based algorithms.
>
> ---
> Aki Tuomi

And I meant in 2.3.3.

---
Aki Tuomi