Convert the old configuration to the new format. If you are lucky, everything will work after a restart. If not, continue reading below.
doveconf -Pn > dovecot-new-2.3.conf
vim /etc/dovecot.conf
Delete or comment out the ssl_dh_parameters_length setting:
#ssl_dh_parameters_length = 2048
Replace ssl_protocols with ssl_min_protocol:
#ssl_protocols = !SSLv3
ssl_min_protocol = TLSv1.2
Since Dovecot v2.3.3 the DH parameters setting (ssl_dh) has been made optional, but if you still want to support it, here are the steps.
Convert the old DH parameters file into the new format:
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
Point Dovecot at the new DH parameters file that we generated, in /etc/dovecot/dovecot.conf:
ssl_dh=</etc/dovecot/dh.pem
This is a good time to improve the security of your mail server and ditch non-ECC DH. For more info, check out the recommended settings here. Review the different options based on the clients that are used to access the server.
Restart the dovecot service:
service dovecot restart && service dovecot status
imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting '!SSLv3'
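Generating a new config fails to remove the ‘!’ in ssl_min_protocol. If the restart fails with the error above, the converted config still carries the ‘!’ exclusion syntax from ssl_protocols; set ssl_min_protocol to a plain version such as TLSv1.2, as shown earlier.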
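A pre-restart check for the leftovers this guide walks through, as an added example (not from the original post or the Dovecot project). The helper name lint_dovecot_conf and the sample config are assumptions made for illustration; the ssl_dh check relies on Dovecot's `<` prefix, which loads a setting's value from a file.

```shell
#!/bin/sh
# Added example: lint_dovecot_conf is a hypothetical helper, not a Dovecot tool.
# It reads a Dovecot config (file arguments or stdin) and reports the 2.2
# leftovers covered in this guide. Exit status is 1 if anything was found.
lint_dovecot_conf() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out settings are fine
        {
            eq = index($0, "=")
            if (eq == 0) next                # braces, section names, blank lines
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "ssl_dh_parameters_length" {
            print FNR ": delete or comment out " key; bad++
        }
        key == "ssl_protocols" {
            print FNR ": replace ssl_protocols with ssl_min_protocol"; bad++
        }
        key == "ssl_min_protocol" && val ~ /^!/ {
            print FNR ": ssl_min_protocol = " val " is ssl_protocols syntax; name one version, e.g. TLSv1.2"; bad++
        }
        key == "ssl_dh" && val !~ /^</ {
            print FNR ": ssl_dh = " val " lacks the leading < that loads the file"; bad++
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample config, fed on stdin.
lint_dovecot_conf <<'EOF' || echo "fix the lines above before restarting dovecot"
ssl = required
ssl_dh_parameters_length = 2048
ssl_min_protocol = !SSLv3
ssl_dh = /etc/dovecot/dh.pem
EOF
```

Run it against the converted file (for example `lint_dovecot_conf dovecot-new-2.3.conf`) before copying it into place.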