search for: ssl_dh

...0 PM, Timo Sirainen wrote: >>>>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net> >>>>> wrote: >> This problem below is still present in 2.3 -git, as of version 2.3.devel >> (6fc40674e) >> >>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>> >>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>> doveconf: Warning: You can generate it with: dd >>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh...

...ef Reuben Farrelly: >> On 18/10/2017 11:40 PM, Timo Sirainen wrote: >>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net> >>> wrote: This problem below is still present in 2.3 -git, as of version 2.3.devel (6fc40674e) >>> Secondly, this ssl_dh messages is always printed from doveconf: >>> >>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>> doveconf: Warning: You can generate it with: dd >>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh >>> -inform der >...

...arrelly <reuben-dovecot at reub.net> >>>>>>>> wrote: >>>>> This problem below is still present in 2.3 -git, as of version >>>>> 2.3.devel >>>>> (6fc40674e) >>>>> >>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>> >>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>> if=/var/lib/dove...

...gt;>>>>>>>> wrote: >>>>>>> This problem below is still present in 2.3 -git, as of version >>>>>>> 2.3.devel >>>>>>> (6fc40674e) >>>>>>> >>>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>>>> >>>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>&...

...ot at reub.net> >>>>>>>>> wrote: >>>>>> This problem below is still present in 2.3 -git, as of version >>>>>> 2.3.devel >>>>>> (6fc40674e) >>>>>> >>>>>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>>>>> >>>>>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>>>>> doveconf: Warning: You can generate it with: dd >>>>>>>>>...

...t;>>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net> >>>>>> wrote: >>> This problem below is still present in 2.3 -git, as of version >>> 2.3.devel >>> (6fc40674e) >>> >>>>>> Secondly, this ssl_dh messages is always printed from doveconf: >>>>>> >>>>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem >>>>>> doveconf: Warning: You can generate it with: dd >>>>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip...

https://wiki.dovecot.org/SSL/DovecotConfiguration says: "Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely." and a bit later: "From version 2.3, you must specify path to DH parameters file using ssl_dh=</path/to/dh.pem" So. 1. Is ssl_dh an optional or a must? 2. I've disabled ssl_dh in my config. Dovecot works fine except it shows warnings: doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem doveconf: Warning: You can generate it with: dd ... I'm using dovecot vers...

...10/2017 11:40 PM, Timo Sirainen wrote: > >>> On 18 Oct 2017, at 6.34, Reuben Farrelly <reuben-dovecot at reub.net> > >>> wrote: > > This problem below is still present in 2.3 -git, as of version 2.3.devel > (6fc40674e) > > >>> Secondly, this ssl_dh messages is always printed from doveconf: > >>> > >>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem > >>> doveconf: Warning: You can generate it with: dd > >>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh > >...

On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dovecot at reub.net> wrote: > > > That's the thing. Those extra ssl_dh lines aren't actually specified in my conf files, they have been inherited from somewhere - so I can't change them to be of any particular form because they aren't defined as being that way in my configuration files. > > There is only one place where ssl_dh is defined and that...

...(liam)<28009><4I9/OIVY6VlpbQAAzkCIew>: 4I9/OIVY6VlpbQAAzkCIew: sieve: msgid=<001a11414af89d6783055bed7dee at google.com>: stored mail into mailbox 'Youtube Notifications' [For some reason the core file is not being created, and I'm not sure why yet] Secondly, this ssl_dh messages is always printed from doveconf: doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem Yet the file is there: thunderstorm conf....

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> ssl_dh is required from 2.3.0-2.3.2. From 2.3.3 onwards its optional. You can rm the ssl-parameters.dat file to get rid of that warning. </div> <div> <br> </div> <div> Aki </div> <blockquote type="cite"> <div> On 16 March 2...

...A-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384 ssl_key =? # hidden, use -P to show it ssl_min_protocol = TLSv1.2 My filesystem is ext4. Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't work unless I provide an ssl_dh, delivering the following error: Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=...

...> This is a known issue, but thanks for reporting it. > > > > --- > Aki Tuomi > Dovecot oy > > -------- Original message -------- > From: Eric Toombs <ewtoombs at uwaterloo.ca> > Date: 16/07/2018 08:41 (GMT+02:00) > To: dovecot at dovecot.org > Subject: ssl_dh required, even though DH is disabled. > > Here's my config: > > # 2.3.2 (582970113): /etc/dovecot/dovecot.conf > # OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux > # Hostname: vault > passdb { > ? driver = pam > } > protocols = imap > service imap-login { > ? inet...

I'm subscribed, please reply to list directly. > ssl_dh is required from 2.3.0-2.3.2. From 2.3.3 onwards its optional. > You can rm the ssl-parameters.dat file to get rid of that warning. I have no ssl-parameters.dat file. -- sergio.

Does ssl_dh need to be manually updated each time the underlying certificate renews? -- 2+2=5 for sufficiently large values of 2.

...lpbQAAzkCIew>: 4I9/OIVY6VlpbQAAzkCIew: > sieve: msgid=<001a11414af89d6783055bed7dee at google.com>: stored mail > into mailbox 'Youtube Notifications' > > [For some reason the core file is not being created, and I'm not sure > why yet] > > Secondly, this ssl_dh messages is always printed from doveconf: > > doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem > doveconf: Warning: You can generate it with: dd > if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh > -inform der > /etc/dovecot/dh.pem > > Yet the f...

On Sat, Mar 16, 2019, at 11:12 PM, sergio via dovecot wrote: > I'm subscribed, please reply to list directly. > > > ssl_dh is required from 2.3.0-2.3.2. From 2.3.3 onwards its optional. > > You can rm the ssl-parameters.dat file to get rid of that warning. > > I have no ssl-parameters.dat file. Did you check /var/lib/dovecot ? -- K

I'm using SSL for dovecot, and dovecot kindly warned me on startup that I needed the ssl_dh parameter, which I specified: # grep -P '^ssl_dh' /etc/dovecot/conf.d/10-ssl.conf ssl_dh = </etc/dovecot/dh.pem And I generated the file, as specified in the comment: # openssl dhparam -out /etc/dovecot/dh.pem 4096 The file contains the appropriate headers: # grep -P '^\-...

...E-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3 I notice all the ciphers use DH, so did you a generate a permanent DH key? (https://wiki2.dovecot.org/Upgrading/2.3) ssl-parameters.dat file is now obsolete. You should use ssl_dh setting instead: ssl_dh=</etc/dovecot/dh.pem You can convert an existing ssl-parameters.dat to dh.pem: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh -inform der > /etc/dovecot/dh.pem Joseph Tam <jtam.home at gmail.com>

I haven't been tracking dovecot-2.3 until now, but I've just given it a quick run, and there are a few things that may need some attention. Linux x86-64, Gentoo, GCC-7.2.0 Dovecot 2.3 @ commit 32c2612514a404ebc226f32bb88f28d76ceb1db1 Compiled with: ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info