Fixing Dovecot Diffie-Hellman Parameter Error

This guide helps you resolve SSL/TLS connection issues in Dovecot IMAP server when Diffie-Hellman parameters are missing. The error prevents secure email client connections and requires generating cryptographic parameters and updating the Dovecot configuration.

The Error

When you see this in your Dovecot logs:

dovecot: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssl_dh=</path/to/dh.pem

This means Dovecot needs DH parameters for SSL/TLS connections but can't find the required file.

Solution

1. Generate DH Parameters

# 2048-bit (recommended - faster generation, still secure)
openssl dhparam -out /etc/ssl/certs/dh.pem 2048

# OR 4096-bit (higher security, much slower generation)
openssl dhparam -out /etc/ssl/certs/dh.pem 4096

Note: Generation takes time — much longer for 4096-bit than for 2048-bit. This is normal; the process is generating cryptographically secure prime numbers.

2. Configure Dovecot

Add this line to your Dovecot configuration (usually /etc/dovecot/dovecot.conf or /etc/dovecot/conf.d/10-ssl.conf):

ssl_dh = </etc/ssl/certs/dh.pem

3. Restart Dovecot

systemctl restart dovecot

Key Points

• 2048-bit is the minimum acceptable and generates much faster; modern recommendations (NIST, BSI) favour 3072-bit or higher for new deployments
• 4096-bit provides higher security but takes significantly longer to generate
• Long generation time is normal — the process is doing real cryptographic work