I updated my systems from Debian 9 (stretch) to Debian 10 (buster), which was *almost* painless. When I then updated ISPConfig 3:

Code:
php -q update.php

I saw the following "DH parameters" message. This is just FYI, as when I run the update again, the error disappears.

Code:
Reconfigure Services? (yes,no,selected) [yes]:
Configuring Postfix
Configuring Dovecot
Creating new DHParams file, this takes several minutes. Do not interrupt the script.
142+0 records in
142+0 records out
142 bytes copied, 0.000529595 s, 268 kB/s
unable to load DH parameters
3072366336:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
3072366336:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=DHparams
Configuring Mailman

I have other issues with this upgrade, but will create separate threads where relevant. Thanks for all your great work!
That's the output of the command to create the DH params file, which is required for Dovecot on Debian 10. Seems as if something is wrong with your OpenSSL setup when such a basic command fails.

Code:
openssl dhparam -out /etc/dovecot/dh.pem 2048
For the record, I was having the same problem on Debian 10 Buster. Till's solution solved the problem. The server in question was initially based on Debian 7, and has since been upgraded to Debian 8, Debian 9, and now Debian 10. Perhaps the problem is related to the upgrade procedures.
Thanks Till. The same issue popped up for us: Ubuntu 20.04 / PHP 7.4 / ISPConfig 3.2. The solution worked perfectly, although I had to build a longer key of 4096 bits before Dovecot was happy. (Still looking for that tip jar, Till ...)
That works, but is deprecated. For intermediate systems one should use these DH parameters. See: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups

You can get them for example via:

Code:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/dovecot/dh.pem

(Modern systems with only TLS 1.3 do not need these parameters.)
I updated the host yesterday, ran a Debian 10 apt upgrade to get to 10.9 and went from ISPConfig 3.2.2 to 3.2.3. I guess this caused the error appearing in the log. Excerpt:

Code:
Dovecot Errors.
imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=167.248.133.56, lip=94.237.37.94, session=<AT7T1Yi+PrWn+IU4>: 1 Time(s)
imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=167.248.133.56, lip=94.237.37.94, session=<M4vP1Yi+YJ+n+IU4>: 1 Time(s)
lmtp(15533): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: 1 Time(s)
lmtp(18356): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: 1 Time(s)

The dh file is empty, and the datestamp is from December:

Code:
root@mail:/etc/dovecot# LANG=C ls -lhat
total 56K
drwxr-xr-x 126 root root     12K Mar 28 11:31 ..
-rw-------   1 root root    1.6K Mar 28 11:31 dovecot-sql.conf
-r--------   1 root root    1.6K Mar 28 11:31 dovecot-sql.conf~
-rw-r--r--   1 root root    3.3K Mar 28 11:31 dovecot.conf
-rw-r--r--   1 root root    3.3K Mar 28 11:31 dovecot.conf~
-rw-r--r--   1 root root       0 Dec 30 20:28 dh.pem
drwxr-xr-x   4 root root    4.0K Dec 30 20:28 .
drwx------   2 root root    4.0K Dec 30 17:34 private
-rw-r-----   1 root dovecot 5.7K Jan 23  2019 dovecot-sql.conf.ext
drwxr-xr-x   2 root root    4.0K May  8  2017 conf.d
-rw-r-----   1 root dovecot 1.5K Apr 11  2017 dovecot-dict-auth.conf.ext
-rw-r-----   1 root dovecot  852 Apr 11  2017 dovecot-dict-sql.conf.ext

I'm trying the fix from #7 with curl first.
Is this currently the most secure way? I read it, but when it said "may be" I became not so convinced, so I am not too sure whether to adopt this approach or rather use the old way of openssl dhparam with 4096 instead. I still believe randomly creating it is safer.
I forgot to restart Dovecot and thus it did not work after the curl method. When I did openssl dhparam with 4096 I remembered to restart, so then Dovecot worked. I do not understand the benefit of the pre-defined DH parameters, either.
At least it is recommended by the RFC: https://tools.ietf.org/html/rfc7919 (the recommended groups are in the appendix). I am no crypto expert, but see this answer for some hints: https://security.stackexchange.com/a/149842

Basically, self-generated params would need to be verified by the clients, which needs computational power, and some of them just don't do it. The recommended groups are well known and can be easily verified. There is no security problem in downloading these as they are public anyway. (The only advantage would be if an attack against the recommended group is developed.) See this post for an explanation: https://security.stackexchange.com/a/94397

In the end it is not so important, as it will die out anyway with TLS 1.3. It is only important for old clients which still need TLS 1.2.
I now see your point, but I am still not convinced. Anyway, ISPConfig developers might want to use this in its installer lib file for new servers instead of using openssl dhparam with 2048; downloading and using this should be faster and more secure than dhparam 2048.
I have the same issue after upgrading to Debian 10 and tried this, also with

Code:
openssl dhparam -out /etc/dovecot/dh.pem 4096

Unfortunately, the error persists even after a reboot and restarting Dovecot. Are there any other ideas what to check?

Code:
Aug 1 22:25:14 nbgmx01 dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxxx, lip=xxxxx, session=<>

Thanks a lot for any suggestion.

***edit*** One has to update /etc/dovecot/dovecot.conf as well: you need to add the following to the end of the Dovecot config:

Code:
ssl_dh=</etc/dovecot/dh.pem
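An added example, not code from this thread, ISPConfig or Dovecot: a pure-Python checker for /etc/dovecot/dh.pem that reproduces the three states seen in this thread (an empty or non-DH file giving "wrong tag", a prime below 2048 bits giving "dh key too small", and a usable group) and recognises the RFC 7919 ffdhe2048 group from the earlier posts by rebuilding its prime from the RFC's formula. The function names are my own; only the file path comes from the thread.

```python
import base64
import binascii
from decimal import Decimal, getcontext


def ffdhe2048_prime() -> int:
    """Rebuild the RFC 7919 ffdhe2048 prime from its defining formula:
    p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1."""
    getcontext().prec = 700          # 2^1918 has 578 digits; e must be exact beyond that
    e = Decimal(1).exp()
    return 2**2048 - 2**1984 + (int(Decimal(2)**1918 * e) + 560316) * 2**64 - 1


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length: 0x8N then N length bytes
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + ln], pos + ln


def parse_dh_pem(pem: str):
    """Return (p, g) from a 'DH PARAMETERS' PEM text, or raise ValueError."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    if not der:
        raise ValueError("empty file")
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:                  # DHparams ::= SEQUENCE { p INTEGER, g INTEGER }
        raise ValueError("wrong tag: not a DHparams SEQUENCE")
    t1, p_bytes, nxt = _tlv(body, 0)
    t2, g_bytes, _ = _tlv(body, nxt)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("wrong tag: expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_pem(pem: str, min_bits: int = 2048) -> str:
    """Classify a dh.pem the way the errors quoted in this thread would."""
    try:
        p, g = parse_dh_pem(pem)
    except (ValueError, IndexError, binascii.Error) as exc:
        return f"unusable: {exc}"
    if p.bit_length() < min_bits:
        return f"too small: {p.bit_length()}-bit prime (Dovecot: 'dh key too small')"
    if p == ffdhe2048_prime() and g == 2:
        return "ok: RFC 7919 ffdhe2048 (2048-bit, well-known group)"
    return f"ok: {p.bit_length()}-bit custom group, g={g}"
```

Read /etc/dovecot/dh.pem and pass its contents to check_dh_pem(); anything other than an "ok" result explains the Dovecot error above, and the ssl_dh=</etc/dovecot/dh.pem line must still point at that file.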
Nope, the "service dovecot restart" didn't do the trick. I had to "service dovecot stop" and "service dovecot start" ... whatever the difference to "restart" is, now it works.
I am not sure that you got me right, as you mentioned creating it in the /dev/dovecot folder, where @till mentions the /etc/dovecot folder. But I guess that was a typo, since you edited your post and mentioned adding /etc/dovecot in the Dovecot config.