From 536fd584eb8c8aae579828664c501289ea5eead1 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Sat, 2 Aug 2025 16:37:37 +0200
Subject: [PATCH] fix: Dovecot: ssl config

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
---
 Dockerfile                    |  2 +-
 target/dovecot/10-ssl.conf    | 10 +++++-----
 target/scripts/helpers/ssl.sh |  4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fc91b11b..8658290d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -189,7 +189,7 @@ COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
 
 # DH parameters for DHE cipher suites, ffdhe4096 is the official standard 4096-bit DH params now part of TLS 1.3
 # This file is for TLS <1.3 handshakes that rely on DHE cipher suites
-# Handled at build to avoid failures by doveadm validating ssl_dh filepath in 10-ssl.auth (eg generate-accounts)
+# Handled at build to avoid failures by doveadm validating ssl_server_dh_file filepath in 10-ssl.auth (eg generate-accounts)
 COPY target/shared/ffdhe4096.pem /etc/dovecot/dh.pem
 
 COPY \
diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf
index c52d21f5..13baf20f 100644
--- a/target/dovecot/10-ssl.conf
+++ b/target/dovecot/10-ssl.conf
@@ -9,8 +9,8 @@
 # dropping root privileges, so keep the key file unreadable by anyone but root.
 # These [snakeoil files actually exist](https://askubuntu.com/questions/396120/what-is-the-purpose-of-the-ssl-cert-snakeoil-key), but shouldn't ever be used in production!
 # As `SSL_TYPE` env is required by docker-mailserver, these "snakeoil" files will be replaced on container startup.
-ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
-ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
+ssl_server_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_server_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 # Fallback/Hybrid cert support. docker-mailserver will enable these when using ENV vars `SSL_ALT_CERT_PATH` and `SSL_ALT_KEY_PATH`.
 #ssl_alt_cert = </path/to/alternative/cert.pem
 #ssl_alt_key = </path/to/alternative/key.pem
@@ -48,7 +48,7 @@ ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 # SSL DH parameters
 # Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
 # `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
-ssl_dh = </etc/dovecot/dh.pem
+ssl_server_dh_file = /etc/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
@@ -57,8 +57,8 @@ ssl_min_protocol = TLSv1.2
 # SSL ciphers to use
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
-# Prefer the server's order of ciphers over client's.
-ssl_prefer_server_ciphers = yes
+# ref: https://doc.dovecot.org/main/core/summaries/settings.html#ssl_server_prefer_ciphers
+ssl_server_prefer_ciphers = server
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 4c98a601..23286096 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -51,8 +51,8 @@ function _setup_ssl() {
 
     # Dovecot configuration
     sedfile -i -r \
-      -e "s|^(ssl_key =).*|\1 <${DOVECOT_KEY}|" \
-      -e "s|^(ssl_cert =).*|\1 <${DOVECOT_CERT}|" \
+      -e "s|^(ssl_server_key_file =).*|\1 <${DOVECOT_KEY}|" \
+      -e "s|^(ssl_server_cert_file =).*|\1 <${DOVECOT_CERT}|" \
       "${DOVECOT_CONFIG_SSL}"
   }