Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):

> openssl gendh 4096 > params.pem

Ok. I then misunderstood what's written at

I thought I need to create dh.pem in two steps:

1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

That's what I did on the first installation. ssl-parameters.dat already 
existed and I just used the second command to transform it. Now I thought 
I must have generated ssl-parameters.dat with the first command back 
then. But apparently I haven't.

Now I was trying to do steps 1 and 2 and that fails because the 
generated ssl-parameters.dat is apparently not in the format expected.

openssl dhparam 4096 > /etc/dovecot/dh.pem
would do the trick? I misread that from the wiki.

Before reading your reply I checked
and tried this command:
openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096
(after reading Alexander's reply).
It just finished and dovecot seems to be working with it, although it's 
got no DH header line. At least dovecot doesn't complain when starting up.
Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.

Thanks for the help!
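
The format mix-up in the message above (PEM vs. raw DER vs. DER behind the 88 bytes that the `dd skip=88` command strips) can be checked without guessing. This is an added example, not part of the original message or of Dovecot; `identify`, `parse_der_dh` and `SAMPLE_DER` are hypothetical names, and the sample uses a constructed 127-bit toy prime rather than real 4096-bit parameters.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _read_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:                      # short form: length fits in one byte
        return first, i + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf, i):
    if buf[i] != 0x02:                    # ASN.1 INTEGER tag
        raise ValueError("expected INTEGER")
    n, i = _read_len(buf, i + 1)
    if n == 0 or i + n > len(buf):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(buf[i:i + n], "big"), i + n

def parse_der_dh(buf):
    """Parse DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    if not buf or buf[0] != 0x30:         # ASN.1 SEQUENCE tag
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(buf, 1)
    p, i = _read_int(buf, i)
    g, _ = _read_int(buf, i)
    return p, g

def identify(data):
    """Return (format, prime_bits, generator) for a DH parameter blob."""
    m = PEM_RE.search(data)
    if m:                                 # has the "DH header line"
        p, g = parse_der_dh(base64.b64decode(m.group(1)))
        return "pem", p.bit_length(), g
    # Offset 88 is taken from the dd command quoted in the message.
    for name, off in (("der", 0), ("der-at-offset-88", 88)):
        try:
            p, g = parse_der_dh(data[off:])
            return name, p.bit_length(), g
        except (ValueError, IndexError):
            continue
    return "unknown", 0, 0

# Constructed sample: toy parameters p = 2**127 - 1, g = 2 (far too small for real use).
def _der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")   # leading zero bits keep it positive
    return b"\x02" + bytes([len(b)]) + b
_BODY = _der_int(2**127 - 1) + _der_int(2)
SAMPLE_DER = b"\x30" + bytes([len(_BODY)]) + _BODY
```

Calling `identify(open(path, "rb").read())` on a file written with `-outform DER` returns `"der"` even when the file name ends in `.pem`, which is why no header line appears in it.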

