remove: Diffie-Hellman parameters for Postfix & Dovecot

This patch removes all custom DH parameters from DMS. The documentation update is NOT included in this patch yet. ref: #4538 Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2025-08-22 09:57:53 +00:00 · 2025-08-17 12:28:33 +02:00 · 2025-08-17 12:28:33 +02:00 · 8dc74bb1e8
commit 8dc74bb1e8
parent c1da4265d3
11 changed files with 2 additions and 119 deletions
--- a/6
+++ b/6
@ -191,12 +191,6 @@ COPY target/getmail/getmailrc_general /etc/getmailrc_general
 COPY target/getmail/getmail-service.sh /usr/local/bin/
 COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/

-# DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
-# This file is for TLS <1.3 handshakes that rely on DHE cipher suites
-# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
-COPY target/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
-COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
-
 COPY \
  target/postfix/header_checks.pcre \
  target/postfix/sender_header_filter.pcre \
--- a/docs/content/config/security/ssl.md
+++ b/docs/content/config/security/ssl.md
@ -908,6 +908,8 @@ fi

 ## Custom DH Parameters

+TODO
+
 By default DMS uses [`ffdhe4096`][ffdhe4096-src] from [IETF RFC 7919][ietf::rfc::ffdhe]. These are standardized pre-defined DH groups and the only available DH groups for TLS 1.3. It is [discouraged to generate your own DH parameters][dh-avoid-selfgenerated] as it is often less secure.

 Despite this, if you must use non-standard DH parameters or you would like to swap `ffdhe4096` for a different group (eg `ffdhe2048`); Add your own PEM encoded DH params file via a volume to `/tmp/docker-mailserver/dhparams.pem`. This will replace DH params for both Dovecot and Postfix services during container startup.
--- a/target/dovecot/10-ssl.conf
+++ b/target/dovecot/10-ssl.conf
@ -45,11 +45,6 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName

-# SSL DH parameters
-# Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
-# `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
-ssl_dh = </etc/dovecot/dh.pem
-
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
 ssl_min_protocol = TLSv1.2
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@ -45,7 +45,6 @@ smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
 smtpd_tls_exclude_ciphers = aNULL, SEED, CAMELLIA, RSA+AES, SHA1
-smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
 smtpd_tls_CApath = /etc/ssl/certs
 smtp_tls_CApath = /etc/ssl/certs

--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@ -1,22 +1,5 @@
 #!/bin/bash

-function _setup_dhparam() {
-  local DH_SERVICE=$1
-  local DH_DEST=$2
-  local DH_CUSTOM='/tmp/docker-mailserver/dhparams.pem'
-
-  _log 'debug' "Setting up ${DH_SERVICE} dhparam"
-
-  if [[ -f ${DH_CUSTOM} ]]; then # use custom supplied dh params (assumes they're probably insecure)
-    _log 'trace' "${DH_SERVICE} will use custom provided DH parameters"
-    _log 'warn' "Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove '${DH_CUSTOM}'"
-
-    cp -f "${DH_CUSTOM}" "${DH_DEST}"
-  else # use official standardized dh params (provided via Dockerfile)
-    _log 'trace' "${DH_SERVICE} will use official standardized DH parameters (ffdhe4096)."
-  fi
-}
-
 function _setup_ssl() {
  _log 'debug' 'Setting up SSL'

--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@ -48,7 +48,6 @@ function _register_functions() {
  if [[ ${SMTP_ONLY} -ne 1 ]]; then
    _register_setup_function '_setup_dovecot'
    _register_setup_function '_setup_dovecot_sieve'
-    _register_setup_function '_setup_dovecot_dhparam'
    _register_setup_function '_setup_dovecot_quota'
    _register_setup_function '_setup_spam_subject'
    _register_setup_function '_setup_spam_to_junk'
--- a/target/scripts/startup/setup.d/dovecot.sh
+++ b/target/scripts/startup/setup.d/dovecot.sh
@ -236,7 +236,3 @@ function _setup_dovecot_inet_protocols() {

  sedfile -i "s|^#listen =.*|listen = ${PROTOCOL}|g" /etc/dovecot/dovecot.conf
 }
-
-function _setup_dovecot_dhparam() {
-  _setup_dhparam 'Dovecot' '/etc/dovecot/dh.pem'
-}
--- a/target/scripts/startup/setup.d/postfix.sh
+++ b/target/scripts/startup/setup.d/postfix.sh
@ -49,9 +49,6 @@ EOF
  __postfix__log 'trace' 'Setting up Postfix vhost'
  _create_postfix_vhost

-  __postfix__log 'trace' 'Setting up DH Parameters'
-  _setup_dhparam 'Postfix' '/etc/postfix/dhparams.pem'
-
  __postfix__log 'trace' "Configuring message size limit to '${POSTFIX_MESSAGE_SIZE_LIMIT}'"
  postconf "message_size_limit = ${POSTFIX_MESSAGE_SIZE_LIMIT}"

--- a/target/shared/ffdhe4096.pem
+++ b/target/shared/ffdhe4096.pem
@ -1,13 +0,0 @@
-----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
-7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
-nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
-8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
-iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
-zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
--- a/target/shared/ffdhe4096.pem.sha512sum
+++ b/target/shared/ffdhe4096.pem.sha512sum
@ -1 +0,0 @@
-716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25  ffdhe4096.pem
--- a/test/tests/parallel/set1/tls/dhparams.bats
+++ b/test/tests/parallel/set1/tls/dhparams.bats
@ -1,68 +0,0 @@
-load "${REPOSITORY_ROOT}/test/helper/setup"
-load "${REPOSITORY_ROOT}/test/helper/common"
-
-# Test case
-# ---------
-# By default, this image is using audited FFDHE groups (https://github.com/docker-mailserver/docker-mailserver/pull/1463)
-# Reference used (22/04/2020) - Page 27 (ffdhe4096 RFC 7919, regarded as sufficient):
-# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
-
-BATS_TEST_NAME_PREFIX='[Security] TLS (DH Parameters) '
-
-CONTAINER1_NAME='dms-test_tls-dh-params_default'
-CONTAINER2_NAME='dms-test_tls-dh-params_custom'
-
-function teardown() { _default_teardown ; }
-
-# Verify Postfix and Dovecot are using the default `ffdhe4096.pem` from Dockerfile build.
-# Verify that the file `ffdhe4096.pem` has not been modified (checksum verification against trusted third-party copy).
-@test "Default" {
-  export CONTAINER_NAME=${CONTAINER1_NAME}
-  local DH_PARAMS_DEFAULT='target/shared/ffdhe4096.pem'
-  local DH_CHECKSUM_DEFAULT=$(sha512sum "${DH_PARAMS_DEFAULT}" | awk '{print $1}')
-
-  _init_with_defaults
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_DEFAULT}"
-
-  # Verify integrity of the default supplied DH Params (ffdhe4096, should be equivalent to `target/shared/ffdhe4096.pem.sha512sum`):
-  # 716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25
-  local DH_CHECKSUM_MOZILLA
-  DH_CHECKSUM_MOZILLA=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
-  assert_equal "${DH_CHECKSUM_DEFAULT}" "${DH_CHECKSUM_MOZILLA}"
-}
-
-# When custom DHE parameters are supplied by the user to `/tmp/docker-mailserver/dhparams.pem`:
-# - Verify Postfix and Dovecot use the custom `custom-dhe-params.pem` (contents tested is actually `ffdhe2048.pem`).
-# - A warning is raised about usage of potentially insecure parameters.
-@test "Custom" {
-  export CONTAINER_NAME=${CONTAINER2_NAME}
-  local DH_PARAMS_CUSTOM='test/files/ssl/custom-dhe-params.pem'
-  local DH_CHECKSUM_CUSTOM=$(sha512sum "${DH_PARAMS_CUSTOM}" | awk '{print $1}')
-
-  _init_with_defaults
-  cp "${DH_PARAMS_CUSTOM}" "${TEST_TMP_CONFIG}/dhparams.pem"
-  _common_container_setup
-
-  _should_match_service_copies "${DH_CHECKSUM_CUSTOM}"
-
-  # Should emit a warning:
-  run docker logs "${CONTAINER_NAME}"
-  assert_success
-  assert_output --partial 'Using self-generated dhparams is considered insecure - unless you know what you are doing, please remove'
-}
-
-# Ensures the docker image services (Postfix and Dovecot) have the expected DH files:
-function _should_match_service_copies() {
-  local DH_CHECKSUM=$1
-
-  function __should_have_expected_checksum() {
-    _run_in_container_bash "sha512sum ${1} | awk '{print \$1}'"
-    assert_success
-    assert_output "${DH_CHECKSUM}"
-  }
-
-  __should_have_expected_checksum '/etc/dovecot/dh.pem'
-  __should_have_expected_checksum '/etc/postfix/dhparams.pem'
-}
				`@ -1 +0,0 @@`
				`716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25 ffdhe4096.pem`