We have migrated a few servers using this script and it works great, however in some cases the Dovecot daemon complained about the size of the Diffie-Hellman key. Before the update a length of 1024 was valid, but after the update it was no longer valid, so customers were unable to retrieve their emails.
Jul 4 12:16:31 XXX dovecot[1147]: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<002nPWkcaM6wBgw5>
Plesk support suggests a one-liner to fix the problem:
plesk sbin sslmng --service dovecot --strong-dh --dhparams-size=2048
Maybe this could be automated if dovecot is used?
This is strange. Nobody complained about email after we upgraded a live system over the weekend. Is this only Roundcube or IMAP in general?
Anyway, I checked and it had the correct settings in /etc/dovecot/conf.d/11-plesk-security-ssl.conf:
ssl_dh=</usr/local/psa/etc/dhparams2048.pem
Maybe this change was triggered by some other mechanism at some point in the past on my particular system, so I think it would be a very useful thing to check for post-upgrade! If there's a vote for this check, please add my vote :-)
If the key length is set to 1024 bits, after the upgrade neither Roundcube (since Roundcube uses IMAP to retrieve emails), IMAP nor POP3 will work, but fortunately Postfix still accepts emails, so the problem is not quite as critical. Currently I have migrated about 20 servers and this happened to three of them.
I tried to automate it in 1.2.4, but it does not work in some cases. I will try to fix it in the upcoming release. Thank you for highlighting the problem.
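The check asked for in this thread, as an added example that is not part of the thread or of the project's script: it reads the `ssl_dh` path from the Dovecot config quoted above and reports whether the DH parameters are below 2048 bits. The function names and the `--check` argument are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example: detect Dovecot DH parameters that are too small.
# CONF defaults to the path quoted in the thread; MIN_BITS matches the 2048-bit fix.
CONF="${CONF:-/etc/dovecot/conf.d/11-plesk-security-ssl.conf}"
MIN_BITS="${MIN_BITS:-2048}"

# Print the file path from the last active "ssl_dh = </path" line (comments are skipped).
ssl_dh_path() {
    sed -n 's/^[[:space:]]*ssl_dh[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Read `openssl dhparam -text` output on stdin and print the prime size in bits.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if $1 >= $2, 1 if smaller, 2 if $1 is not a number.
classify_bits() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$2" ]
}

# Full check: config file -> PEM path -> bit size -> verdict.
check_dovecot_dh() {
    conf="$1"
    [ -r "$conf" ] || { echo "UNKNOWN: cannot read $conf"; return 2; }
    pem=$(ssl_dh_path "$conf")
    [ -n "$pem" ] || { echo "UNKNOWN: no ssl_dh setting in $conf"; return 2; }
    bits=$(openssl dhparam -in "$pem" -noout -text 2>/dev/null | dh_bits_from_text)
    rc=0
    classify_bits "$bits" "$MIN_BITS" || rc=$?
    case "$rc" in
        0) echo "OK: $pem is $bits bits" ;;
        1) echo "WEAK: $pem is $bits bits (minimum $MIN_BITS)"; return 1 ;;
        *) echo "UNKNOWN: could not read DH parameters from $pem"; return 2 ;;
    esac
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--check" ]; then
    check_dovecot_dh "$CONF"
fi
```

A `WEAK` result before the upgrade is the case where the `sslmng` command from Plesk support applies.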