missing ssl_dh parameter in Dovecot configuration

Issue #630 resolved
Roman created an issue

After upgrading from 2.0.23 to 2.1.3 I ran into problems with some clients (confirmed on Outlook 2016@Win7, not sure if there are any others; Outlook365@Win10 worked OK).

There is an error message in maillog: dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem

It seems to help to add ssl_dh=</etc/ssl/dh4096.pem into ssl_dh=</etc/ssl/dh4096.pem

Not sure if it's the main cause, but it helped me.

Comments (5)

  1. Scott MacDonald

    Did you note whether the client was experiencing any error when attempting to connect or download email?

    Clients connecting use pop3s or imaps?

  2. Roman reporter

    The client is connected via IMAP, using Outlook 2016 Home & Business @ Win7. There is error 0x800ccc0e. When I tried to configure another Outlook 2016 client on another computer, it said something about unsupported encryption. I tried some combinations like port 143+STARTTLS and 993+SSL, all without success; I found no way to connect these clients to IMAP. Thunderbird, webmail and Outlook from Office 365 (on Win10) worked without problems.

  3. Scott MacDonald

    I had a similar issue. Client using Win7 and Outlook 2016. Trying to get email using pop3s. They received an error about the encryption method being unsupported.

    We used Nartac IIS Crypto, selected the best practices template, applied it, then rebooted. That resolved the issue.

    So either that client's protocol/encryption schemes got messed up by something OR the KB deployed for TLS 1.2 didn't work as expected.

    Have a look for Nartac's IIS Crypto tool and see if it resolves the problem.

  4. Roman reporter

    As I said, for me it's resolved by adding ssl_dh=</etc/ssl/dh4096.pem into ssl_dh=</etc/ssl/dh4096.pem

    According to the log message: dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem Dovecot is definitely missing the DH file and can't use some types of encryption.

    Now I think I found the cause of this. Dovecot's documentation (https://wiki.dovecot.org/SSL/DovecotConfiguration) says: Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.

    Dovecot 2.3.4.1 is used in poste. I think older versions managed the DH file on their own, but from 2.3 (introduced in poste 2.1.0) there is no default DH file, and in the same config file there is an ssl_cipher_list including ciphers which need the DH file. Maybe the cipher list can be changed according to Dovecot's documentation to: ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

    I will try it.
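The two remedies discussed in this thread (the reporter's ssl_dh file, and the Dovecot 2.3 advice to drop non-ECC DH from the cipher list) both come down to one configuration invariant: if ssl_cipher_list still admits finite-field DHE suites, ssl_dh must point at a readable parameter file. The script below is an added example, not code from the issue thread, from poste.io or from Dovecot; it checks that invariant over a constructed config fragment and then applies each remedy in turn. It assumes Dovecot's "key = value" syntax with later lines overriding earlier ones and the "<path" prefix meaning "read the value from this file"; the dhe_allowed test is a textual approximation of OpenSSL cipher-string semantics (the authoritative check is openssl ciphers -v, shown in a comment), and the sample config, hostnames and the DH_FILE placeholder are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the issue thread, poste.io or Dovecot): detect a Dovecot
# ssl_cipher_list that still permits finite-field DHE while no ssl_dh file is set.
# Assumptions: "key = value" lines, last assignment wins, "<path" means "read from file".

# Constructed sample resembling conf.d/10-ssl.conf (not copied from any real install)
SAMPLE_CONFIG='ssl = required
ssl_cert = </etc/ssl/certs/mail.example.pem
ssl_key = </etc/ssl/private/mail.example.key
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes'

# config_value KEY  -- reads config text on stdin, prints the value of the last KEY line
config_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# with_setting CFG KEY VALUE -- returns CFG with "KEY = VALUE" appended (last line wins)
with_setting() {
  printf '%s\n%s = %s' "$1" "$2" "$3"
}

# dhe_allowed CIPHERLIST -- succeeds unless the list carries a token that removes
# finite-field DH suites. Textual approximation of OpenSSL's cipher-string rules;
# the authoritative check is:  openssl ciphers -v 'LIST' | grep ' Kx=DH '
dhe_allowed() {
  case ":$1:" in
    *:!kDHE:*|*:!kEDH:*|*:!DHE:*|*:!EDH:*|*:!DH:*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_dh_config CFG -- prints one of:
#   dh-disabled    cipher list excludes DHE, so no DH file is needed (Dovecot 2.3 advice)
#   ok             DHE allowed and ssl_dh points at a readable file
#   missing-dh     DHE allowed but ssl_dh unset -> the "no DH parameters provided" error
#   dh-unreadable  ssl_dh set but the file cannot be read
# Exit status is 0 for the first two and 1 for the last two.
check_dh_config() {
  ciphers=$(printf '%s\n' "$1" | config_value ssl_cipher_list)
  dh=$(printf '%s\n' "$1" | config_value ssl_dh)
  if ! dhe_allowed "$ciphers"; then
    echo dh-disabled; return 0
  fi
  if [ -z "$dh" ]; then
    echo missing-dh; return 1
  fi
  if [ ! -r "${dh#"<"}" ]; then      # strip the "<" file-inclusion prefix
    echo dh-unreadable; return 1
  fi
  echo ok; return 0
}

# --- Walk through the sample and both remedies mentioned in the thread -------------
status=$(check_dh_config "$SAMPLE_CONFIG") || true
echo "sample config:          $status"          # missing-dh

# Remedy A (the reporter's fix): generate parameters once and reference the file, e.g.
#   openssl dhparam -out /etc/ssl/dh4096.pem 4096   # slow; run once at install time
# Here a throwaway empty file stands in for the generated parameters so the run is offline.
DH_FILE=$(mktemp)
status=$(check_dh_config "$(with_setting "$SAMPLE_CONFIG" ssl_dh "<$DH_FILE")") || true
echo "with ssl_dh set:        $status"          # ok
rm -f "$DH_FILE"

# Remedy B (what the Dovecot 2.3 docs encourage): drop finite-field DHE altogether,
# so no parameter file is needed and ECDHE handles the key exchange.
hardened=$(with_setting "$SAMPLE_CONFIG" ssl_cipher_list 'ALL:!LOW:!SSLv2:!EXP:!aNULL:!kDHE')
status=$(check_dh_config "$hardened") || true
echo "with !kDHE in ciphers:  $status"          # dh-disabled
```

Run it against the output of doveconf -n on a real host by replacing SAMPLE_CONFIG; a missing-dh or dh-unreadable result means DHE-capable clients will hit exactly the imap-login error quoted in this issue, while ECDHE-only clients keep working, which matches the pattern of some clients failing and others connecting fine.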
