On March 6, 2016 at 4:45 AM Joseph Tam <jtam.home@gmail.com> wrote:

HotSlots Webmaster <webmaster@hotslots132.com> writes:

...

I have had Dovecot working fine with SSL for nearly two years now. It's time to renew the SSL certificate, so I did (same CA). The new certificate works fine in Apache and Postfix. But when I update Dovecot to use the same certificate, and restart the server, Dovecot stops responding to connects. ... Here is the end of the dovecot -n file that mentions SSL: ... ssl_dh_parameters_length = 2048

When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%? It's possible it's generating ephemeral DH keys. In a previous post to this list, I note that the run time to generate these keys can vary wildly, and gets worse with longer keys. Sometimes you get lucky, and you'll generate then quickly, sometimes it takes a long while (minutes).

http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Try running

openssl dhparam -noout 2048

to see how it varies for you. If what I suspect is true, you can try using shorter keys. A followup post suggest a way you can precompute the key

Joseph Tam <jtam.home@gmail.com>

We are going to provide ssl_dh parameter in v2.3 which replaces the current ssl parameters daemon with simple PEM encoded file that you provide.

Aki Tuomi Dovecot Oy