Dovecot 2.3 requires ssl_dh=</path/to/dh.pem

[fgaz]

The 18.03 channel includes dovecot 2.3, which requires ssl_dh to be set.

If i generate it with # openssl dhparam -out /etc/dovecot/dh.pem 4096 and add ssl_dh = </etc/dovecot/dh.pem to /etc/dovecot.conf then everything works.

[uwap]

Hey,
thank you for reporting this issue. You are right, the Diffie-Hellman parameters should be generated and given to dovecot. I think though, that this is more of a problem that should be integrated into nixpkgs. I am going to write a pull request to nixpkgs soon that will automatically set ssl_dh for dovecot using https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix.

[qknight]

@uwap any news?

[qknight]

@fgaz i've implemented this now in 0d914ec

best solution would be to have this upstream, so i will create a PR for an upstream change (code below) and later we can revert this patch.

diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 543e732127a..92569693470 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -25,6 +25,7 @@ let
       ssl_cert = <${cfg.sslServerCert}
       ssl_key = <${cfg.sslServerKey}
       ${optionalString (!(isNull cfg.sslCACert)) ("ssl_ca = <" + cfg.sslCACert)}
+      ssl_dh = </var/lib/dhparams/dovecot2.pem
       disable_plaintext_auth = yes
     '')
 
@@ -297,10 +298,14 @@ in
 
 
   config = mkIf cfg.enable {
-
     security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
-
-    services.dovecot2.protocols =
+    security.dhparams = {
+      enable = true;
+      params = {
+        dovecot2 = 4096;
+      };
+    };
+   services.dovecot2.protocols =
      optional cfg.enableImap "imap"
      ++ optional cfg.enablePop3 "pop3"
      ++ optional cfg.enableLmtp "lmtp";

[qknight]

NixOS/nixpkgs#39507

@fgaz thanks for the bug report!