
Dovecot Diffie-Hellman


The default size of the Diffie-Hellman (DH) group that Dovecot uses for TLS is 2048 bits. In some cases, users may wish to increase this size for security purposes. This article describes how to adjust it from the terminal.


To increase the DH group key size you will need to regenerate the dh.pem file from which Dovecot reads its DH parameters. By default the path is set to /etc/dovecot/dh.pem in the dovecot.conf configuration. You can use the following command to verify the current setting for this value.

doveconf -S | grep '^ssl_dh'

To check the current size, run the following command against the dh.pem path returned by the command above. Since the default is 2048 bits, it will return output like "DH Parameters: (2048 bit)". The same command can be used afterwards to verify that the change was successful.

openssl dhparam -in /etc/dovecot/dh.pem -text -noout

To update the length, regenerate the file with the following command, replacing the 2048 value with the desired length. Please note that this command may take a long time to complete and should be allowed to finish.

openssl dhparam 2048 > /etc/dovecot/dh.pem
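The check-then-regenerate procedure above, as an added POSIX shell example that is not part of the original article: it parses the size out of the openssl output, regenerates only when the file is below a target size, and writes to a temporary file first so that a long-running or interrupted generation never leaves an empty dh.pem behind (the plain redirect in the article truncates the file before generation starts). It assumes openssl is on PATH; /etc/dovecot/dh.pem is the article's default path.

```shell
#!/bin/sh
# Added example, not from the article: check the bit size of the DH group in
# Dovecot's dh.pem and regenerate it only when it is below a target size.
# Assumes openssl on PATH; /etc/dovecot/dh.pem is the article's default path.

# Parse the size out of `openssl dhparam -text -noout` output read on stdin,
# e.g. "    DH Parameters: (2048 bit)" -> "2048". Prints nothing if absent.
dh_bits_from_text() {
  sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# True when a parsed size ($1) exists and is at least the wanted size ($2).
dh_bits_ok() {
  [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# Read the current size from a PEM file (empty output if unreadable/invalid).
dh_file_bits() {
  openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text
}

# Generate into a temp file next to the target and move it into place, so a
# slow or interrupted run never leaves Dovecot with a truncated dh.pem
# (a plain "openssl dhparam 2048 > dh.pem" empties the file first).
regenerate_dh() {
  path=$1; bits=$2
  tmp=$(mktemp "${path}.XXXXXX") || return 1
  if openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
    chmod 0644 "$tmp" && mv -f "$tmp" "$path"
  else
    rm -f "$tmp"; return 1
  fi
}

# Usage: ensure_dh_size /etc/dovecot/dh.pem 4096
ensure_dh_size() {
  path=$1; want=$2
  if dh_bits_ok "$(dh_file_bits "$path")" "$want"; then
    echo "$path already holds a DH group of at least $want bits"
  else
    echo "Generating a $want-bit DH group into $path; this can take a long time"
    regenerate_dh "$path" "$want" && echo "Done: reload Dovecot to re-read $path"
  fi
}

if [ $# -eq 2 ]; then
  ensure_dh_size "$1" "$2"
fi
```

Dovecot reads the file referenced by ssl_dh when its configuration is loaded, so reload or restart the service after the new file is in place.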

That's it, now your Dovecot service will use the new DH group key size!

For additional information regarding this change and the Dovecot configurations, see the official documentation from the upstream providers below.