On 02.11.2017 02:01, Timo Sirainen wrote:
> On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dove...@reub.net> wrote:
>>
>> That's the thing. Those extra ssl_dh lines aren't actually specified in my
>> conf files, they have been inherited from somewhere - so I can't change them
>> to be of any particular form because they aren't defined as being that way
>> in my configuration files.
>>
>> There is only one place where ssl_dh is defined and that's in the global
>> 10-ssl.conf file. See here:
>>
>> lightning dovecot # grep ssl_dh *
>> grep: conf.d: Is a directory
>> lightning dovecot # grep ssl_dh */*
>> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
>> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> The rest of them must be being inherited from that statement above.
>>
>> But back to the original question, if I *remove* the ssl-parameters.dat file
>> from /var/lib/dovecot/ then without any other configuration changes the
>> error goes away on reload and from doveconf output. Not only that, but if
>> the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol
>> in doveconf -n also disappear too.
>>
>> To me that indicates that the mere presence of the ssl-parameters.dat file
>> is doing something odd with the way the ssl_dh configuration statements are
>> being handled. Something buggy with backwards compatibility perhaps?
>>
>> [Also tested with latest 2.3 -git as of today - same result]
>
> Looks like this is pretty easily reproducible:
>
> a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo
>
> b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
> doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem

Hi!

This has been fixed, see https://github.com/dovecot/core/commit/a70d867d1fe3584149811c65eb6213deb72be824.patch

Aki