Dovecot 2.3 upgrade on Debian

PUBLISHED ON 25/02/2019 — SYSOP

Converting the old configuration to the new one, if you are lucky, everything will work after restart. If you are not, continue reading below.

doveconf -Pn > dovecot-new-2.3.conf

Editing the config

vim /etc/dovecot.conf

Delete or comment out the ssl_dh_parameters_length:

#ssl_dh_parameters_length = 2048

Replace ssl_protocols with ssl_min_protocol,:

#ssl_protocols = !SSLv3
ssl_min_protocol = TLSv1.2

Support for non-ECC DH algorithms

Since Dovecot v2.3.3 this setting has been made optional, but if you still want to support it, here are the steps.

Convert old DH parameters file into the new format:

dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

Set up the new DH parameters file, that we generated in /etc/dovecot/dovecot.conf:

ssl_dh=</etc/dovecot/dh.pem

This is a good time to improve the security of your mail server and ditch the non-ECC DH, for more info, check out the recommended settings here. Review the different options based on the clients that are used to access the server.

Restarting and testing the services

Restart dovecot service:

service dovecot restart && service dovecot status

Caveats

imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting '!SSLv3'

Generating a new config, fails to remove the ‘!’ in the ssl_min_protocols.

Sources

https://wiki.dovecot.org/SSL/DovecotConfiguration https://wiki2.dovecot.org/Upgrading/2.3