missing ssl_dh parameter in Dovecot configuration
After upgrade from 2.0.23 to 2.1.3 I got into problems with some clients (confirmed on Outlook 2016 @ Win7, not sure if there are any others; Outlook 365 @ Win10 worked OK).
There is an error message in maillog: dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem
It seems to help to add ssl_dh=</etc/ssl/dh4096.pem into ssl_dh=</etc/ssl/dh4096.pem
Not sure if it's the main cause but it helped for me.
Comments (5)
-
reporter The client is connected via IMAP, using Outlook 2016 Home & Business @ Win7. There is error 0x800ccc0e. When I tried to configure another Outlook 2016 client on another computer, it said something about unsupported encryption - tried some combinations like port 143+STARTTLS and 993+SSL, all without success - I found no way to connect these clients to IMAP. Thunderbird, webmail and Outlook from Office 365 (on Win10) worked without problems.
-
I had a similar issue. Client using Win7 and Outlook 2016. Trying to get email using pop3s. They received an error about the encryption method being unsupported.
We used Nartac IISCrypto, selected the best practices template and applied it, then rebooted. That resolved the issue.
So either that client's protocol/encryption schemes got messed up by something OR the KB deployed for TLS 1.2 didn't work as expected.
Have a look at Nartac's IISCrypto tool and see if it resolves the problem.
-
reporter As I said - for me it's resolved by adding ssl_dh=</etc/ssl/dh4096.pem into ssl_dh=</etc/ssl/dh4096.pem
According to the log message: dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem dovecot is definitely missing the DH file and can't use some types of encryption.
Now I think I found the cause of this. Dovecot's documentation (https://wiki.dovecot.org/SSL/DovecotConfiguration) says: Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
Dovecot 2.3.4.1 is used in poste. I think older versions managed the DH file on their own, but from 2.3 (introduced in poste 2.1.0) there is no default DH file, and in the same config file there is an ssl_cipher_list including ciphers which need the DH file. Maybe the cipher list can be changed according to Dovecot's documentation to: ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
I will try it.
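An added example (not from this thread, and not Dovecot's own tooling) of the check behind the log message the reporter quotes: it expands ssl_cipher_list with `openssl ciphers` and fails when finite-field DHE suites are still enabled while ssl_dh names no usable file. The config paths and contents are constructed for the demo; the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Detect the mismatch reported above: DHE ciphers offered, but no DH parameters.
# Returns 0 when the config is consistent, 1 when DHE is enabled without a usable
# ssl_dh file. Example code, not part of Dovecot; assumes `openssl` is on PATH.
dovecot_dh_check() {
    cfg="$1"
    # Dovecot reads a value prefixed with '<' from that file: ssl_dh = </etc/ssl/dh4096.pem
    dh_file=$(sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<//p' "$cfg" | tail -n 1)
    ciphers=$(sed -n 's/^[[:space:]]*ssl_cipher_list[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    [ -n "$ciphers" ] || ciphers=DEFAULT   # fall back to OpenSSL's default list

    # Expand the list the way OpenSSL will; "Kx=DH " is finite-field DH (ECDH does not match).
    if openssl ciphers -v "$ciphers" 2>/dev/null | grep -q 'Kx=DH '; then
        if [ -z "$dh_file" ] || [ ! -r "$dh_file" ]; then
            echo "DHE suites enabled but ssl_dh is missing or unreadable: '$dh_file'" >&2
            return 1
        fi
        # The file exists: make sure it really holds valid DH parameters.
        openssl dhparam -noout -check -in "$dh_file" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Constructed demo: one config reproduces the reported state, one keeps ECDHE only.
demo_dir=$(mktemp -d)
printf 'ssl_cipher_list = ALL:!LOW:!EXP:!aNULL\n' > "$demo_dir/as-shipped.conf"
printf 'ssl_cipher_list = ALL:!LOW:!EXP:!aNULL:!kDHE\n' > "$demo_dir/ecdhe-only.conf"
for f in "$demo_dir"/*.conf; do
    if dovecot_dh_check "$f" 2>/dev/null; then echo "OK: $f"; else echo "PROBLEM: $f"; fi
done
rm -rf "$demo_dir"
```

The two fixes discussed in the thread map onto the two branches: create the file with `openssl dhparam -out /etc/ssl/dh4096.pem 4096` and point ssl_dh at it, or drop the kDHE suites from ssl_cipher_list so no parameters are needed.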
-
repo owner - changed status to resolved
fix: #630 add diffie hellman params to dovecot → <<cset b107f3a52eb8>>
-
Did you note whether the client was experiencing any error when attempting to connect or download email?
Clients connecting use pop3s or imaps?