Generate dh.pem on start

Signed-off-by: René Jochum <rene@jochum.dev>
master
René Jochum 4 years ago
parent e3b3369386
commit cee836e835

@ -14,7 +14,7 @@ RUN set -ex; \
apt-get install --no-install-recommends -y -o 'DPkg::Options::=--force-confold' -o 'DPkg::Options::=--force-confdef' dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-submissiond dovecot-managesieved dovecot-sieve dovecot-pgsql dovecot-mysql python3-minimal python3-jinja2 && \
rm -rf /var/lib/apt/lists/*
COPY conf /conf
# COPY conf /conf
COPY docker-entrypoint.py /
EXPOSE 110/tcp 143/tcp 587/tcp 995/tcp 993/tcp 2525/tcp 4190/tcp

@ -47,7 +47,7 @@ ssl_client_ca_file = /cert/ca.crt
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.

@ -34,6 +34,9 @@ for dovecot_file in glob.glob("/overrides/**/*.jinja", recursive=True):
jinja_render_file(dovecot_file, os.environ, out_path)
os.chmod(out_path, 600)
if not os.path.isfile("/etc/dovecot/dh.pem"):
subprocess.call("/usr/bin/openssl", "dhparam", "-out", "/etc/dovecot/dh.pem", "4096")
subprocess.call(["/bin/mkdir", "-p", "/data/vmail"])
subprocess.call(["/bin/chmod", "u=rwX,g=rX,o=rX", "/data"])
subprocess.call(["/bin/chown", "mail:", "/data/vmail"])
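Review bot: The added `subprocess.call("/usr/bin/openssl", "dhparam", "-out", "/etc/dovecot/dh.pem", "4096")` passes its arguments as separate positionals instead of one list, unlike the `mkdir`/`chmod`/`chown` calls right after it. `"dhparam"` therefore lands in the `bufsize` parameter and the call raises `TypeError` on the first start, before any dh.pem exists. I would write it as `subprocess.check_call(["/usr/bin/openssl", "dhparam", "-out", "/etc/dovecot/dh.pem", "4096"])`, so that a failed generation stops startup rather than leaving `ssl_dh = </etc/dovecot/dh.pem` pointing at a missing file. Separately, the context line `os.chmod(out_path, 600)` passes decimal 600, which is not the same mode as `0o600`; presumably the octal form was meant. Indentation is lost on this page and the enclosing loop starts outside the hunk, so confirm the new `if` runs once after the loop rather than per rendered file.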
