Yesterday, I upgraded my mail server’s operating system. After upgrading, I encountered the following error in dovecot:
config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
What’s dh.pem? I found the answer in the Dovecot 2.3 upgrade documentation. Apparently, the ssl-parameters.dat file, which held the server’s Diffie-Hellman parameters, is now obsolete. You should use the ssl_dh setting instead, by adding ssl_dh=</etc/dovecot/dh.pem to the configuration.
But how do you get dh.pem?
One way is to convert an existing/old ssl-parameters.dat to dh.pem:
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
Another way, which I found here, is to generate a new dh.pem:
openssl dhparam -out /etc/dovecot/dh.pem 4096
It takes a LOOONG time. But once the file is ready, just add it to /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/myserver.xyz/fullchain.pem
ssl_key = </etc/letsencrypt/live/myserver.xyz/privkey.pem
ssl_dh = </etc/dovecot/dh.pem
Restart dovecot and you’re back in business.
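A check worth running on the new dh.pem before that restart, as an added example that is not part of the original post: a file converted from ssl-parameters.dat keeps whatever size the old server used, so the script confirms the file parses and that its modulus meets a minimum. The 2048-bit minimum, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. MIN_BITS is an assumed policy value.
MIN_BITS="${MIN_BITS:-2048}"

# Read `openssl dhparam -text` output on stdin and print the modulus size in bits.
dh_bits_from_text() {
    sed -n 's/^[[:space:]]*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if $1 is a decimal number and at least $2.
bits_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

# Check that a dh.pem file parses, passes openssl's -check, and meets MIN_BITS.
check_dh_file() {
    file="$1"
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    text=$(openssl dhparam -in "$file" -check -noout -text 2>&1) || {
        echo "openssl rejected $file" >&2; return 1; }
    # Some openssl versions report a failed check as a WARNING line, not an exit code.
    case "$text" in
        *WARNING*) echo "openssl -check warned about $file" >&2; return 1 ;;
    esac
    bits=$(printf '%s\n' "$text" | dh_bits_from_text)
    bits_ok "$bits" "$MIN_BITS" || {
        echo "$file: ${bits:-unknown} bit, below $MIN_BITS" >&2; return 1; }
    echo "$file: $bits bit DH parameters OK"
}

# Constructed sample: first line of `openssl dhparam -text` output for a 4096-bit file.
SAMPLE_TEXT='    DH Parameters: (4096 bit)'

# Usage: sh check-dh.sh /etc/dovecot/dh.pem   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_dh_file "$1"
fi
```

If the check passes, running doveconf -n confirms that Dovecot can parse the edited configuration before the restart.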