From 8dc74bb1e8074c8342c3ffe61b929deb042737b9 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Sun, 17 Aug 2025 12:28:33 +0200
Subject: [PATCH] remove: Diffie-Hellman parameters for Postfix & Dovecot

This patch removes all custom DH parameters from DMS.

The documentation update is NOT included in this patch yet.

ref: #4538

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
---
 Dockerfile                                 |  6 --
 docs/content/config/security/ssl.md        |  2 +
 target/dovecot/10-ssl.conf                 |  5 --
 target/postfix/main.cf                     |  1 -
 target/scripts/helpers/ssl.sh              | 17 ------
 target/scripts/start-mailserver.sh         |  1 -
 target/scripts/startup/setup.d/dovecot.sh  |  4 --
 target/scripts/startup/setup.d/postfix.sh  |  3 -
 target/shared/ffdhe4096.pem                | 13 -----
 target/shared/ffdhe4096.pem.sha512sum      |  1 -
 test/tests/parallel/set1/tls/dhparams.bats | 68 ----------------------
 11 files changed, 2 insertions(+), 119 deletions(-)
 delete mode 100644 target/shared/ffdhe4096.pem
 delete mode 100644 target/shared/ffdhe4096.pem.sha512sum
 delete mode 100644 test/tests/parallel/set1/tls/dhparams.bats

diff --git a/Dockerfile b/Dockerfile
index e2f7fc0d..d737de8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -191,12 +191,6 @@ COPY target/getmail/getmailrc_general /etc/getmailrc_general
 COPY target/getmail/getmail-service.sh /usr/local/bin/
 COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
 
-# DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
-# This file is for TLS <1.3 handshakes that rely on DHE cipher suites
-# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
-COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
-COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
-
 COPY \
   target/postfix/header_checks.pcre \
   target/postfix/sender_header_filter.pcre \
diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md
index 853ab446..46f12182 100644
--- a/docs/content/config/security/ssl.md
+++ b/docs/content/config/security/ssl.md
@@ -908,6 +908,8 @@ fi
 
 ## Custom DH Parameters
 
+TODO
+
 By default DMS uses [`ffdhe4096`][ffdhe4096-src] from [IETF RFC 7919][ietf::rfc::ffdhe]. These are standardized pre-defined DH groups and the only available DH groups for TLS 1.3. It is [discouraged to generate your own DH parameters][dh-avoid-selfgenerated] as it is often less secure.
 
 Despite this, if you must use non-standard DH parameters or you would like to swap `ffdhe4096` for a different group (eg `ffdhe2048`); Add your own PEM encoded DH params file via a volume to `/tmp/docker-mailserver/dhparams.pem`. This will replace DH params for both Dovecot and Postfix services during container startup.
diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf
index c52d21f5..54640c04 100644
--- a/target/dovecot/10-ssl.conf
+++ b/target/dovecot/10-ssl.conf
@@ -45,11 +45,6 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# SSL DH parameters
-# Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
-# `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
-ssl_dh = </etc/dovecot/dh.pem
-
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
 ssl_min_protocol = TLSv1.2
diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 518e2dc5..569dc1a9 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -45,7 +45,6 @@ smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
-smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
 smtpd_tls_CApath = /etc/ssl/certs
 smtp_tls_CApath = /etc/ssl/certs
 
diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index e3d4e7db..b19a1fc7 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -1,22 +1,5 @@
 #!/bin/bash
 
-function _setup_dhparam() {
-  local DH_SERVICE=$1
-  local DH_DEST=$2
-  local DH_CUSTOM='/tmp/docker-mailserver/dhparams.pem'
-
-  _log 'debug' "Setting up ${DH_SERVICE} dhparam"
-
-  if [[ -f ${DH_CUSTOM} ]]; then # use custom supplied dh params (assumes they're probably insecure)
-    _log 'trace' "${DH_SERVICE} will use custom provided DH parameters"
-    _log 'warn' "Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove '${DH_CUSTOM}'"
-
-    cp -f "${DH_CUSTOM}" "${DH_DEST}"
-  else # use official standardized dh params (provided via Dockerfile)
-    _log 'trace' "${DH_SERVICE} will use official standardized DH parameters (ffdhe4096)."
-  fi
-}
-
 function _setup_ssl() {
   _log 'debug' 'Setting up SSL'
 
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index a6295ed8..f1a4fdad 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -48,7 +48,6 @@ function _register_functions() {
   if [[ ${SMTP_ONLY} -ne 1 ]]; then
     _register_setup_function '_setup_dovecot'
     _register_setup_function '_setup_dovecot_sieve'
-    _register_setup_function '_setup_dovecot_dhparam'
     _register_setup_function '_setup_dovecot_quota'
     _register_setup_function '_setup_spam_subject'
     _register_setup_function '_setup_spam_to_junk'
diff --git a/target/scripts/startup/setup.d/dovecot.sh b/target/scripts/startup/setup.d/dovecot.sh
index 31f22c8a..1ef45ea8 100644
--- a/target/scripts/startup/setup.d/dovecot.sh
+++ b/target/scripts/startup/setup.d/dovecot.sh
@@ -236,7 +236,3 @@ function _setup_dovecot_inet_protocols() {
 
   sedfile -i "s|^#listen =.*|listen = ${PROTOCOL}|g" /etc/dovecot/dovecot.conf
 }
-
-function _setup_dovecot_dhparam() {
-  _setup_dhparam 'Dovecot' '/etc/dovecot/dh.pem'
-}
diff --git a/target/scripts/startup/setup.d/postfix.sh b/target/scripts/startup/setup.d/postfix.sh
index ac9c23e7..eaa29273 100644
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@@ -49,9 +49,6 @@ EOF
   __postfix__log 'trace' 'Setting up Postfix vhost'
   _create_postfix_vhost
 
-  __postfix__log 'trace' 'Setting up DH Parameters'
-  _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'
-
   __postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'"
   postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}"
 
diff --git a/target/shared/ffdhe4096.pem b/target/shared/ffdhe4096.pem
deleted file mode 100644
index 3cf0fcbc..00000000
--- a/target/shared/ffdhe4096.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
------END DH PARAMETERS-----
diff --git a/target/shared/ffdhe4096.pem.sha512sum b/target/shared/ffdhe4096.pem.sha512sum
deleted file mode 100644
index 0b9412b7..00000000
--- a/target/shared/ffdhe4096.pem.sha512sum
+++ /dev/null
@@ -1 +0,0 @@
-716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25  ffdhe4096.pem
diff --git a/test/tests/parallel/set1/tls/dhparams.bats b/test/tests/parallel/set1/tls/dhparams.bats
deleted file mode 100644
index 86586f28..00000000
--- a/test/tests/parallel/set1/tls/dhparams.bats
+++ /dev/null
@@ -1,68 +0,0 @@
-load "${REPOSITORY_ROOT}/test/helper/setup"
-load "${REPOSITORY_ROOT}/test/helper/common"
-
-# Test case
-# ---------
-# By default, this image is using audited FFDHE groups (https://github.com/docker-mailserver/docker-mailserver/pull/1463)
-# Reference used (22/04/2020) - Page 27 (ffdhe4096 RFC 7919, regarded as sufficient):
-# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
-
-BATS_TEST_NAME_PREFIX='[Security] TLS (DH Parameters) '
-
-CONTAINER1_NAME='dms-test_tls-dh-params_default'
-CONTAINER2_NAME='dms-test_tls-dh-params_custom'
-
-function teardown() { _default_teardown ; }
-
-# Verify Postfix and Dovecot are using the default `ffdhe4096.pem` from Dockerfile build.
-# Verify that the file `ffdhe4096.pem` has not been modified (checksum verification against trusted third-party copy).
-@test "Default" {
-  export CONTAINER_NAME=${CONTAINER1_NAME}
-  local DH_PARAMS_DEFAULT='target/shared/ffdhe4096.pem'
-  local DH_CHECKSUM_DEFAULT=$(sha512sum "${DH_PARAMS_DEFAULT}" | awk '{print $1}')
-
-  _init_with_defaults
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_DEFAULT}"
-
-  # Verify integrity of the default supplied DH Params (ffdhe4096, should be equivalent to `target/shared/ffdhe4096.pem.sha512sum`):
-  # 716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25
-  local DH_CHECKSUM_MOZILLA
-  DH_CHECKSUM_MOZILLA=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
-  assert_equal "${DH_CHECKSUM_DEFAULT}" "${DH_CHECKSUM_MOZILLA}"
-}
-
-# When custom DHE parameters are supplied by the user to `/tmp/docker-mailserver/dhparams.pem`:
-# - Verify Postfix and Dovecot use the custom `custom-dhe-params.pem` (contents tested is actually `ffdhe2048.pem`).
-# - A warning is raised about usage of potentially insecure parameters.
-@test "Custom" {
-  export CONTAINER_NAME=${CONTAINER2_NAME}
-  local DH_PARAMS_CUSTOM='test/files/ssl/custom-dhe-params.pem'
-  local DH_CHECKSUM_CUSTOM=$(sha512sum "${DH_PARAMS_CUSTOM}" | awk '{print $1}')
-
-  _init_with_defaults
-  cp "${DH_PARAMS_CUSTOM}" "${TEST_TMP_CONFIG}/dhparams.pem"
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_CUSTOM}"
-
-  # Should emit a warning:
-  run docker logs "${CONTAINER_NAME}"
-  assert_success
-  assert_output --partial 'Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove'
-}
-
-# Ensures the docker image services (Postfix and Dovecot) have the expected DH files:
-function _should_match_service_copies() {
-  local DH_CHECKSUM=$1
-
-  function __should_have_expected_checksum() {
-    _run_in_container_bash "sha512sum ${1} | awk '{print \$1}'"
-    assert_success
-    assert_output "${DH_CHECKSUM}"
-  }
-
-  __should_have_expected_checksum '/etc/dovecot/dh.pem'
-  __should_have_expected_checksum '/etc/postfix/dhparams.pem'
-}