Univention Bugzilla – Bug 53075
Cleanup dovecot SSL config to prevent warnings
Last modified: 2021-04-28 10:45:58 CEST
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:59: ssl_dh_parameters_length is no longer needed
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:65: ssl_parameters_regenerate is no longer needed
Apr 14 05:29:35 primary60 dovecot: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:69: ssl_protocols has been replaced by ssl_min_protocol
*** Bug 53110 has been marked as a duplicate of this bug. ***
Apr 15 08:07:35 backup51 dovecot: config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Apr 15 08:07:35 backup51 dovecot: config: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

See https://wiki2.dovecot.org/Upgrading/2.3#dhparams:

Diffie-Hellman Parameters for SSL

* ssl-parameters.dat file is now obsolete. You should use ssl_dh setting instead: ssl_dh=</etc/dovecot/dh.pem
* You can convert an existing ssl-parameters.dat to dh.pem: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
* ssl-params process has also been removed, as it is no longer used to generate these parameters.
* You are encouraged to create at least 2048 bit parameters. 4096 is industry recommendation.
* Note that it will take LONG TIME to generate the parameters, and it should be done with a machine that has GOOD SOURCE OF ENTROPY. Running it on a virtual machine is not recommended, unless there is some entropy helper/driver installed. Running this on your production proxy can starve connections due to lack of entropy.
* Since v2.3.3+ DH parameter usage is optional and can be omitted. You are invited to amend ciphers to disallow non-ECC based DH algorithms, but if you don't and someone does try to use them, error will be emitted. Example: ssl_cipher_list=ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW:!DH@STRENGTH
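The two comments above list everything doveconf complains about in a 2.2-era 10-ssl.conf: two settings that are simply obsolete, ssl_protocols replaced by ssl_min_protocol, and a missing ssl_dh. The script below is an added example (mine, not Univention's or Dovecot's code) that performs that cleanup on a config file text and reports what it changed. The sample config, the hostname in it and the rule used to turn an ssl_protocols list into an ssl_min_protocol value (lowest version still enabled after applying the "!" exclusions) are my assumptions; the rule is my reading of the two settings, not taken from Dovecot's source. The only security-relevant decision it makes for you is to flag the result when the translated minimum is still below TLSv1.2, since a mechanical translation of "!SSLv3" keeps TLSv1.0 enabled.

```python
"""Rewrite a Dovecot 2.2-style 10-ssl.conf for Dovecot 2.3.

Added example; not part of the bug report, of UCS, or of Dovecot itself.
Assumptions (mine): settings are single `key = value` lines, `#` starts a
comment, and ssl_protocols maps to the lowest protocol left enabled.
"""
import re

# Protocol versions in ascending order, using Dovecot's names.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Settings doveconf reports as "no longer needed" in 2.3 (from the log above).
OBSOLETE = {"ssl_dh_parameters_length", "ssl_parameters_regenerate"}

SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample, modelled on the lines doveconf warned about; the
# certificate paths and hostname are invented for the example.
SAMPLE_10_SSL_CONF = """\
# constructed 2.2-era 10-ssl.conf fragment
ssl = required
ssl_cert = </etc/univention/ssl/primary60.example.test/cert.pem
ssl_key = </etc/univention/ssl/primary60.example.test/private.key
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv3 !TLSv1
"""


def min_protocol_from_ssl_protocols(value):
    """Translate an ssl_protocols list into an ssl_min_protocol value.

    '!X' disables version X; a bare entry enables only the listed versions.
    If only exclusions are given, every other version stays enabled.
    Returns the lowest enabled version, or None if nothing would be enabled.
    """
    tokens = value.split()
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    explicit = {t for t in tokens if not t.startswith("!")}
    enabled = (explicit or set(PROTOCOL_ORDER)) - disabled
    for proto in PROTOCOL_ORDER:
        if proto in enabled:
            return proto
    return None


def migrate_ssl_conf(text, dh_path="/etc/dovecot/dh.pem"):
    """Return (migrated_config_text, notes).

    Obsolete settings are commented out rather than deleted so the operator
    can see what changed; ssl_protocols becomes ssl_min_protocol; an ssl_dh
    line pointing at dh_path is appended when the config has none.
    """
    out, notes = [], []
    have_ssl_dh = False
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if not m:  # comments, blank lines, block syntax: pass through
            out.append(line)
            continue
        key, value = m.group(1), m.group(2)
        if key in OBSOLETE:
            out.append("# obsolete in Dovecot 2.3, removed: " + line.strip())
            notes.append("dropped obsolete setting " + key)
        elif key == "ssl_protocols":
            min_proto = min_protocol_from_ssl_protocols(value)
            if min_proto is None:
                notes.append("ssl_protocols disables every version; left unchanged")
                out.append(line)
                continue
            out.append("# was: " + line.strip())
            out.append("ssl_min_protocol = " + min_proto)
            notes.append("ssl_protocols -> ssl_min_protocol = " + min_proto)
            if PROTOCOL_ORDER.index(min_proto) < PROTOCOL_ORDER.index("TLSv1.2"):
                notes.append("WARNING: ssl_min_protocol = %s still admits pre-TLS1.2 clients"
                             % min_proto)
        else:
            if key == "ssl_dh":
                have_ssl_dh = True
            out.append(line)
    if not have_ssl_dh:
        out.append("ssl_dh = <" + dh_path)
        notes.append("added ssl_dh = <%s; create the file with: openssl dhparam -out %s 4096"
                     % (dh_path, dh_path))
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    migrated, change_notes = migrate_ssl_conf(SAMPLE_10_SSL_CONF)
    print(migrated)
    for note in change_notes:
        print("#", note)
```

Run on the sample it comments out the two obsolete lines, turns `ssl_protocols = !SSLv3 !TLSv1` into `ssl_min_protocol = TLSv1.1` with a warning that TLS 1.1 is still allowed, and appends the ssl_dh line; running it a second time on its own output changes nothing, so it is safe to apply to a file that has already been migrated. Converting an existing ssl-parameters.dat with the dd | openssl pipeline quoted above, or generating fresh parameters, is a separate step on the host itself; as the wiki text notes, 2048-bit is the minimum and generation is slow on hosts without a good entropy source.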