Dovecot 2.3 „Couldn’t parse DH parameters“

After an aptitude update of dovecot to version 2.3.4 our mail cluster suddenly stopped working, with the following error in the dovecot.log:

Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>

Of course, the first thing we checked was that the Diffie-Hellman parameters file actually existed and had the appropriate permissions. It did.

After some debugging we found that the update changed how a specific setting in 10-ssl.conf is interpreted: Dovecot 2.3 introduced the ssl_dh setting, which expects the contents of the DH parameters file rather than a path to it.

The solution to this problem was to change the line

ssl_dh = /etc/dovecot/dh.pem

to

ssl_dh =</etc/dovecot/dh.pem

Yes, that's not a typo: you need to add „<“ 🙂. The leading „<“ tells Dovecot's config parser to read the named file and use its contents as the value, exactly as it already does for ssl_cert and ssl_key. Without it, Dovecot treats the literal path string as PEM data, which is why the error complains that it cannot find a start line for DH PARAMETERS.

Afterwards Dovecot reads the Diffie-Hellman parameters file again and works without any issues.

If you have not yet created your DH params file, you can use the following command to create it. Keep in mind that generating 4096-bit parameters can take quite some time 😉; 2048 bits is noticeably faster at a small cost in security.

openssl dhparam -out /etc/dovecot/dh.pem 4096
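The two checks above (is the config using the „<“ prefix, and is the file really a DH PARAMETERS PEM block) plus the repair and the generation step, put together as a small POSIX shell script. This is an added example and not code from the original post or from the Dovecot project. It assumes the config lives in /etc/dovecot/conf.d/10-ssl.conf and the parameters in /etc/dovecot/dh.pem (both can be passed as arguments); the PEM check only looks at the framing, which is exactly what Dovecot's "no start line" error is about, and openssl is needed only when you generate new parameters.

```shell
#!/bin/sh
# Added example, not part of the original post: check and repair the
# Dovecot 2.3 ssl_dh setting from a shell. Assumed defaults (override via
# arguments): config in /etc/dovecot/conf.d/10-ssl.conf, DH file in
# /etc/dovecot/dh.pem. Only sh, sed and grep are needed; openssl is used
# solely when new parameters are generated.

# Print the value of the first uncommented ssl_dh setting in a config file
# (empty output when the setting is absent or has no value).
ssl_dh_value() {
    sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed (exit 0) when ssl_dh uses the "<" prefix, i.e. Dovecot will read the
# file contents; fail when it is a bare path, empty or missing.
ssl_dh_has_file_prefix() {
    case "$(ssl_dh_value "$1")" in
        "<"*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Emit the config with "ssl_dh = /path" rewritten to "ssl_dh = </path".
# Lines that already carry the prefix, commented-out lines and the old
# ssl_dh_parameters_length setting are left alone. Output goes to stdout so
# the caller decides whether to overwrite the file.
fix_ssl_dh_line() {
    sed 's/^\([[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*\)\([^<[:space:]]\)/\1<\2/' "$1"
}

# Succeed when the file is framed as a PEM "DH PARAMETERS" block, the block
# Dovecot's error ("no start line: Expecting: DH PARAMETERS") could not find.
dh_pem_is_valid() {
    grep -q '^-----BEGIN DH PARAMETERS-----$' "$1" &&
    grep -q '^-----END DH PARAMETERS-----$' "$1"
}

# Generate fresh parameters (4096 bits by default; this can take a long time).
# DH parameters are public, so world-readable permissions are fine.
generate_dh_params() {
    openssl dhparam -out "$1" "${2:-4096}" && chmod 0644 "$1"
}

# Usage: ./check-ssl-dh.sh [10-ssl.conf] [dh.pem]
# Runs both checks and prints what to do; nothing is modified.
check_ssl_dh() {
    conf=${1:-/etc/dovecot/conf.d/10-ssl.conf}
    dh=${2:-/etc/dovecot/dh.pem}
    status=0
    if ssl_dh_has_file_prefix "$conf"; then
        echo "ok: ssl_dh in $conf reads a file"
    else
        echo "fix: ssl_dh in $conf needs the '<' prefix (value: '$(ssl_dh_value "$conf")')"
        status=1
    fi
    if [ -r "$dh" ] && dh_pem_is_valid "$dh"; then
        echo "ok: $dh contains DH PARAMETERS"
    else
        echo "fix: $dh is missing, unreadable or not a DH PARAMETERS PEM; run: openssl dhparam -out $dh 4096"
        status=1
    fi
    return $status
}

if [ "$#" -gt 0 ]; then
    check_ssl_dh "$@"
fi
```

Run it with the real paths before and after editing 10-ssl.conf; once both checks report ok, confirm the configuration still parses with doveconf -n and then reload Dovecot (doveadm reload). fix_ssl_dh_line deliberately writes to stdout rather than editing in place, so you can diff its output against the original before replacing the file.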

Further information regarding the Dovecot SSL settings can be found here:

https://wiki.dovecot.org/SSL/DovecotConfiguration

About the Author

Mike Schiessl