On 02.11.2017 02:01, Timo Sirainen wrote:
> On 1 Nov 2017, at 13.51, Reuben Farrelly <reuben-dove...@reub.net> wrote:
>>
>> That's the thing.  Those extra ssl_dh lines aren't actually specified in my 
>> conf files, they have been inherited from somewhere - so I can't change them 
>> to be of any particular form because they aren't defined as being that way 
>> in my configuration files.
>>
>> There is only one place where ssl_dh is defined and that's in the global 
>> 10-ssl.conf file.  See here:
>>
>> lightning dovecot # grep ssl_dh *
>> grep: conf.d: Is a directory
>> lightning dovecot # grep ssl_dh */*
>> conf.d/10-ssl.conf:# gives on startup when ssl_dh is unset.
>> conf.d/10-ssl.conf:ssl_dh=</etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> The rest of them must be being inherited from that statement above.
>>
>> But back to the original question, if I *remove* the ssl-parameters.dat file 
>> from /var/lib/dovecot/ then without any other configuration changes the 
>> error goes away on reload and from doveconf output.  Not only that, but if 
>> the ssl-parameters.dat file is removed then those ssl_dh lines per-protocol 
>> in doveconf -n also disappear too.
>>
>> To me that indicates that the mere presence of the ssl-parameters.dat file 
>> is doing something odd with the way the ssl_dh configuration statements are 
>> being handled.  Something buggy with backwards compatibility perhaps?
>>
>> [Also tested with latest 2.3 -git as of today - same result]
> Looks like this is pretty easily reproducible:
>
> a) ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\n" > foo; doveconf -n -c foo
>
> b) not ok: printf "ssl_dh = </usr/local/etc/dovecot/dh.pem\nprotocol imap {\n}\n" > foo; doveconf -n -c foo
> doveconf: Warning: please set ssl_dh=</usr/local/etc/dovecot/dh.pem
Hi!

This has been fixed, see
https://github.com/dovecot/core/commit/a70d867d1fe3584149811c65eb6213deb72be824.patch

Aki
