From 93d405d58eca59bf15204b959239f211b7634b7b Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue, 17 Dec 2024 16:16:59 +0200
Subject: [PATCH 1/3] settings: Add ssl_client and ssl_server named filters

---
 data/settings.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/data/settings.js b/data/settings.js
index a6b97a596..72b920b7b 100644
--- a/data/settings.js
+++ b/data/settings.js
@@ -10121,6 +10121,13 @@ This setting is used for both incoming and outgoing SSL connections.
 See: https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites`
 	},
 
+	ssl_client: {
+		seealso: [ 'ssl', 'ssl_server', '[[link,ssl_configuration]]' ],
+		values: setting_types.NAMED_FILTER,
+		text: `
+Named filter, which can be used for specifying SSL client settings.`
+	},
+
 	ssl_client_ca_dir: {
 		seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
 		values: setting_types.STRING,
@@ -10375,6 +10382,13 @@ Note: This setting doesn't yet require the certificate to be valid or
 to even exist. See [[setting,auth_ssl_require_client_cert]].`
 	},
 
+	ssl_server: {
+		seealso: [ 'ssl', 'ssl_client', '[[link,ssl_configuration]]' ],
+		values: setting_types.NAMED_FILTER,
+		text: `
+Named filter, which can be used for specifying SSL server settings.`
+	},
+
 	state_dir: {
 		default: '/var/lib/dovecot',
 		values: setting_types.STRING,

From 0887b5ddaa95b7f309bbf7282610f5135ca70f36 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue, 17 Dec 2024 16:17:33 +0200
Subject: [PATCH 2/3] settings: Change ssl_cipher_list default for ssl_client

---
 data/settings.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/settings.js b/data/settings.js
index 72b920b7b..c62570a8a 100644
--- a/data/settings.js
+++ b/data/settings.js
@@ -10095,7 +10095,7 @@ Note: [[setting,auth_ssl_username_from_cert]] MUST be enabled.`
 	},
 
 	ssl_cipher_list: {
-		default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH',
+		default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH (for ssl_server, empty for ssl_client)',
 		seealso: [ 'ssl', 'ssl_cipher_suites', 'ssl_min_protocol', '[[link,ssl_configuration]]' ],
 		values: setting_types.STRING,
 		text: `

From 2c7338b9c10260cb876a7d1b873fd1cc6e13b70b Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Thu, 19 Dec 2024 15:10:53 +0200
Subject: [PATCH 3/3] global: Add ssl_server_ prefix to ssl server settings

---
 data/settings.js                              | 87 +++++++++----------
 docs/core/config/guides/quick.md              |  8 +-
 docs/core/config/service.md                   |  2 +-
 docs/core/config/ssl.md                       | 78 ++++++++---------
 docs/core/man/doveconf.1.md                   |  2 +-
 docs/core/man/dovecot.1.md                    |  2 +-
 docs/howto/imapc_proxy.md                     |  8 +-
 docs/howto/virtual/postfix.md                 |  4 +-
 .../include/2.4-removed-other-features.inc    |  2 +-
 9 files changed, 96 insertions(+), 97 deletions(-)

diff --git a/data/settings.js b/data/settings.js
index c62570a8a..63389c093 100644
--- a/data/settings.js
+++ b/data/settings.js
@@ -4409,8 +4409,8 @@ It is usually neither necessary nor advisable to change the default.`
 	auth_ssl_require_client_cert: {
 		default: 'no',
 		seealso: [
-			'ssl_ca_file',
-			'ssl_request_client_cert',
+			'ssl_server_ca_file',
+			'ssl_server_request_client_cert',
 			'[[link,ssl_configuration]]',
 		],
 		values: setting_types.BOOLEAN,
@@ -4421,7 +4421,7 @@ provided.`
 
 	auth_ssl_username_from_cert: {
 		default: 'no',
-		seealso: [ 'ssl_cert_username_field' ],
+		seealso: [ 'ssl_server_cert_username_field' ],
 		values: setting_types.BOOLEAN,
 		text: `
 Setting to \`yes\` indicates that the username should be taken from the
@@ -4432,7 +4432,7 @@ Generally, this will be either \`commonName\` or \`x500UniqueIdentifier\`.
 The text is looked up from subject DN's specified field using OpenSSL's
 X509_NAME_get_text_by_NID() function. By default the CommonName field is
 used. You can change the field with
-[[setting,ssl_cert_username_field,name]] setting (parsed using OpenSSL's
+[[setting,ssl_server_cert_username_field,name]] setting (parsed using OpenSSL's
 OBJ_txt2nid() function).
 
 \`x500UniqueIdentifier\` is a common choice.`
@@ -10013,7 +10013,7 @@ This setting affects the \`secured\` state of connections. See
 [[link,secured_connections]].`
 	},
 
-	ssl_alt_cert_file: {
+	ssl_server_alt_cert_file: {
 		seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
 		values: setting_types.FILE,
 		text: `
@@ -10025,29 +10025,29 @@ This is useful when migrating to e.g. an ECDSA certificate.
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_alt_cert_file = /path/to/alternative/cert.pem
+ssl_server_alt_cert_file = /path/to/alternative/cert.pem
 \`\`\``
 	},
 
-	ssl_alt_key_file: {
-		seealso: [ 'ssl', 'ssl_alt_cert_file', '[[link,ssl_configuration]]' ],
+	ssl_server_alt_key_file: {
+		seealso: [ 'ssl', 'ssl_server_alt_cert_file', '[[link,ssl_configuration]]' ],
 		values: setting_types.FILE,
 		text: `
-Private key for [[setting,ssl_alt_cert_file]].
+Private key for [[setting,ssl_server_alt_cert_file]].
 
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_alt_key_file = /path/to/alternative/key.pem
-ssl_alt_cert_file = /path/to/alternative/cert.pem
+ssl_server_alt_key_file = /path/to/alternative/key.pem
+ssl_server_alt_cert_file = /path/to/alternative/cert.pem
 \`\`\``
 	},
 
-	ssl_ca_file: {
+	ssl_server_ca_file: {
 		seealso: [
 			'ssl',
 			'ssl_client_require_valid_cert',
-			'ssl_request_client_cert',
+			'ssl_server_request_client_cert',
 		],
 		values: setting_types.FILE,
 		text: `
@@ -10058,30 +10058,30 @@ valid.
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_ca_file = /etc/dovecot/ca.crt
-ssl_request_client_cert = yes
+ssl_server_ca_file = /etc/dovecot/ca.crt
+ssl_server_request_client_cert = yes
 auth_ssl_require_client_cert = yes
 \`\`\``
 	},
 
-	ssl_cert_file: {
-		seealso: [ 'ssl', 'ssl_key_file', '[[link,ssl_configuration]]' ],
+	ssl_server_cert_file: {
+		seealso: [ 'ssl', 'ssl_server_key_file', '[[link,ssl_configuration]]' ],
 		values: setting_types.FILE,
 		text: `
 Path to the PEM-encoded X.509 SSL/TLS certificate presented for incoming
 imap/pop3/etc. client connections.
 
-The [[setting,ssl_key_file]] is also needed for the private certificate.
+The [[setting,ssl_server_key_file]] is also needed for the private certificate.
 
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_cert_file = /etc/ssl/private/dovecot.crt
-ssl_key_file = /etc/ssl/private/dovecot.key
+ssl_server_cert_file = /etc/ssl/private/dovecot.crt
+ssl_server_key_file = /etc/ssl/private/dovecot.key
 \`\`\``
 	},
 
-	ssl_cert_username_field: {
+	ssl_server_cert_username_field: {
 		default: 'commonName',
 		seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
 		values: setting_types.STRING,
@@ -10232,7 +10232,7 @@ ssl_curve_list = P-521:P-384:P-256
 \`\`\``
 	},
 
-	ssl_dh_file: {
+	ssl_server_dh_file: {
 		seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
 		values: setting_types.FILE,
 		text: `
@@ -10246,7 +10246,7 @@ You can generate a new parameters file by, for example, running
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_dh_file = /path/to/dh.pem
+ssl_server_dh_file = /path/to/dh.pem
 \`\`\``
 	},
 
@@ -10258,35 +10258,35 @@ ssl_dh_file = /path/to/dh.pem
 Require a valid certificate when connecting to external SSL services?`
 	},
 
-	ssl_key_file: {
+	ssl_server_key_file: {
 		seealso: [
 			'ssl',
-			'ssl_cert_file',
-			'ssl_key_password',
+			'ssl_server_cert_file',
+			'ssl_server_key_password',
 			'[[link,ssl_configuration]]',
 		],
 		values: setting_types.FILE,
 		text: `
 Path to the PEM-encoded X.509 SSL/TLS private key for
-[[setting,ssl_cert_file]].
+[[setting,ssl_server_cert_file]].
 
 Example:
 
 \`\`\`[dovecot.conf]
-ssl_cert_file = /etc/ssl/private/dovecot.crt
-ssl_key_file = /etc/ssl/private/dovecot.key
+ssl_server_cert_file = /etc/ssl/private/dovecot.crt
+ssl_server_key_file = /etc/ssl/private/dovecot.key
 \`\`\``
 	},
 
-	ssl_key_password: {
-		seealso: [ 'ssl', 'ssl_key_file', '[[link,ssl_configuration]]' ],
+	ssl_server_key_password: {
+		seealso: [ 'ssl', 'ssl_server_key_file', '[[link,ssl_configuration]]' ],
 		values: setting_types.STRING,
 		text: `
-The password to use if [[setting,ssl_key_file]] is password-protected.
+The password to use if [[setting,ssl_server_key_file]] is password-protected.
 
 Since this file is often world-readable, you may wish to specify the path
 to a file containing the password, rather than the password itself, by
-using the format \`ssl_key_password = <path\` here. The path should
+using the format \`ssl_server_key_password = <path\` here. The path should
 be to a root-owned file with mode 0600.
 
 Alternatively, you can supply the password via the -p parameter at startup.`
@@ -10342,28 +10342,27 @@ Currently supported options are:
 :   Disable SSL session tickets.`
 	},
 
-	ssl_prefer_server_ciphers: {
-		default: 'no',
+	ssl_server_prefer_ciphers: {
+		default: 'client',
 		seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
-		values: setting_types.BOOLEAN,
+		values: setting_types.ENUM,
+		values_enum: [ 'client', 'server' ],
 		text: `
-If enabled, give preference to the server's cipher list over a client's
-list. This setting is used only for server connections.`
+Whether to give preference to the server's cipher list over a client's
+list.`
 	},
 
-	ssl_require_crl: {
+	ssl_server_require_crl: {
 		default: 'yes',
-		seealso: [ 'ssl', 'ssl_ca_file', '[[link,ssl_configuration]]' ],
+		seealso: [ 'ssl', 'ssl_server_ca_file', '[[link,ssl_configuration]]' ],
 		values: setting_types.BOOLEAN,
 		text: `
 If enabled, the CRL check must succeed for presented SSL client
 certificate and any intermediate certificates. The CRL list is generally
-appended to the [[setting,ssl_ca_file]] file.
-
-This setting is used only for server connections.`
+appended to the [[setting,ssl_server_ca_file]] file.`
 	},
 
-	ssl_request_client_cert: {
+	ssl_server_request_client_cert: {
 		changed: {
 			settings_ssl_request_client_cert_changed: `
 Renamed from \`ssl_verify_client_cert\` setting.`
diff --git a/docs/core/config/guides/quick.md b/docs/core/config/guides/quick.md
index cdedd6f8b..3b6145b85 100644
--- a/docs/core/config/guides/quick.md
+++ b/docs/core/config/guides/quick.md
@@ -56,8 +56,8 @@ namespace inbox {
 passdb pam {
 }
 
-ssl_cert_file = /etc/dovecot/ssl-cert.pem
-ssl_key_file = /etc/dovecot/ssl-key.pem
+ssl_server_cert_file = /etc/dovecot/ssl-cert.pem
+ssl_server_key_file = /etc/dovecot/ssl-key.pem
 ```
 :::
 
@@ -175,8 +175,8 @@ them than the defaults.
 
 ## SSL and Plaintext Authentication
 
-Configure SSL certificate and private key paths with [[setting,ssl_cert_file]]
-and [[setting,ssl_key_file]] settings.
+Configure SSL certificate and private key paths with [[setting,ssl_server_cert_file]]
+and [[setting,ssl_server_key_file]] settings.
 
 An easy way to build a self-signed test certificate is using Dovecot's
 `doc/mkcert.sh` script. For more information see [[link,ssl_configuration]].
diff --git a/docs/core/config/service.md b/docs/core/config/service.md
index bd682777b..c037a0757 100644
--- a/docs/core/config/service.md
+++ b/docs/core/config/service.md
@@ -232,7 +232,7 @@ parsed data in simpler format to config clients.
 * Only root should be able to connect to its UNIX listener, unless there
   are no secrets in the configuration.
 
-  Passwords are obviously secrets, but less obviously [[setting,ssl_key_file]]
+  Passwords are obviously secrets, but less obviously [[setting,ssl_server_key_file]]
   is also a secret, since it contains the actual SSL key data instead of
   only a filename.
 
diff --git a/docs/core/config/ssl.md b/docs/core/config/ssl.md
index f633bdb05..816bbf700 100644
--- a/docs/core/config/ssl.md
+++ b/docs/core/config/ssl.md
@@ -29,9 +29,9 @@ The most important SSL settings are:
 ```[dovecot.conf]
 ssl = yes
 # Preferred permissions: root:root 0444
-ssl_cert_file = /etc/ssl/certs/dovecot.pem
+ssl_server_cert_file = /etc/ssl/certs/dovecot.pem
 # Preferred permissions: root:root 0400
-ssl_key_file = /etc/ssl/private/dovecot.pem
+ssl_server_key_file = /etc/ssl/private/dovecot.pem
 ```
 
 The certificate file can be world-readable, since it doesn't contain
@@ -46,16 +46,16 @@ need to give Dovecot any special permissions to read them (in fact:
 Settings for the SSL certificate and SSL secret key files:
 
 ```[dovecot.conf]
-ssl_cert_file = /etc/dovecot/dovecot.crt
-ssl_key_file = /etc/dovecot/dovecot.key
+ssl_server_cert_file = /etc/dovecot/dovecot.crt
+ssl_server_key_file = /etc/dovecot/dovecot.key
 ```
 
 It's possible to keep the certificate and the key both in the same file:
 
 ```[dovecot.conf]
 # Preferred permissions: root:root 0400
-ssl_cert_file = /etc/ssl/dovecot.pem
-ssl_key_file = /etc/ssl/dovecot.pem
+ssl_server_cert_file = /etc/ssl/dovecot.pem
+ssl_server_key_file = /etc/ssl/dovecot.pem
 ```
 
 For using different SSL certificates for different IP addresses you can put
@@ -63,13 +63,13 @@ them inside local {} blocks:
 
 ```[dovecot.conf]
 local 10.0.0.1 {
-  ssl_cert_file = /etc/dovecot/dovecot.crt
-  ssl_key_file = /etc/dovecot/dovecot.key
+  ssl_server_cert_file = /etc/dovecot/dovecot.crt
+  ssl_server_key_file = /etc/dovecot/dovecot.key
 }
 
 local 10.0.0.2 {
-  ssl_cert_file = /etc/dovecot/dovecot2.crt
-  ssl_key_file = /etc/dovecot/dovecot2.key
+  ssl_server_cert_file = /etc/dovecot/dovecot2.crt
+  ssl_server_key_file = /etc/dovecot/dovecot2.key
 }
 ```
 
@@ -77,13 +77,13 @@ If you need different SSL certificates for IMAP and POP3 protocols, you can put
 
 ```[dovecot.conf]
 protocol imap {
-  ssl_cert_file = /etc/dovecot/dovecot-imap.crt
-  ssl_key_file = /etc/dovecot/dovecot-imap.key
+  ssl_server_cert_file = /etc/dovecot/dovecot-imap.crt
+  ssl_server_key_file = /etc/dovecot/dovecot-imap.key
 }
 
 protocol pop3 {
-  ssl_cert_file = /etc/dovecot/dovecot-pop3.crt
-  ssl_key_file = /etc/dovecot/dovecot-pop3.key
+  ssl_server_cert_file = /etc/dovecot/dovecot-pop3.crt
+  ssl_server_key_file = /etc/dovecot/dovecot-pop3.key
 }
 ```
 
@@ -209,8 +209,8 @@ algorithm differs from the primary certificate. This is useful when
 migrating to, e.g., ECDSA certificate.
 
 ```[dovecot.conf]
-ssl_alt_cert_file = /path/to/alternative/cert.pem
-ssl_alt_key_file = /path/to/alternative/key.pem
+ssl_server_alt_cert_file = /path/to/alternative/cert.pem
+ssl_server_alt_key_file = /path/to/alternative/key.pem
 ```
 
 ### Different Certificates per IP and Protocol
@@ -222,32 +222,32 @@ all clients.
 # instead of IP you can also use hostname, which will be resolved
 local 192.0.2.10 {
   protocol imap {
-    ssl_cert_file = /etc/ssl/dovecot/imap-01.example.com.cert.pem
-    ssl_key_file = /etc/ssl/dovecot/imap-01.example.com.key.pem
+    ssl_server_cert_file = /etc/ssl/dovecot/imap-01.example.com.cert.pem
+    ssl_server_key_file = /etc/ssl/dovecot/imap-01.example.com.key.pem
   }
 
   protocol pop3 {
-    ssl_cert_file = /etc/ssl/dovecot/pop-01.example.com.cert.pem
-    ssl_key_file = /etc/ssl/dovecot/pop-01.example.com.key.pem
+    ssl_server_cert_file = /etc/ssl/dovecot/pop-01.example.com.cert.pem
+    ssl_server_key_file = /etc/ssl/dovecot/pop-01.example.com.key.pem
   }
 }
 
 local 192.0.2.20 {
   protocol imap {
-    ssl_cert_file = /etc/ssl/dovecot/imap-02.example.com.cert.pem
-    ssl_key_file = /etc/ssl/dovecot/imap-02.example.com.key.pem
+    ssl_server_cert_file = /etc/ssl/dovecot/imap-02.example.com.cert.pem
+    ssl_server_key_file = /etc/ssl/dovecot/imap-02.example.com.key.pem
   }
 
   protocol pop3 {
-    ssl_cert_file = /etc/ssl/dovecot/pop-02.example.com.cert.pem
-    ssl_key_file = /etc/ssl/dovecot/pop-02.example.com.key.pem
+    ssl_server_cert_file = /etc/ssl/dovecot/pop-02.example.com.cert.pem
+    ssl_server_key_file = /etc/ssl/dovecot/pop-02.example.com.key.pem
   }
 }
 ```
 
 ::: warning
-You will still need a top-level default [[setting,ssl_key_file]] and
-[[setting,ssl_cert_file]], or you will receive errors.
+You will still need a top-level default [[setting,ssl_server_key_file]] and
+[[setting,ssl_server_cert_file]], or you will receive errors.
 :::
 
 ### With Client TLS SNI (Server Name Indication) Support
@@ -262,13 +262,13 @@ SNI limitation.
 
 ```[dovecot.conf]
 local_name imap.example.org {
-  ssl_cert_file = /etc/ssl/certs/imap.example.org.crt
-  ssl_key_file = /etc/ssl/private/imap.example.org.key
+  ssl_server_cert_file = /etc/ssl/certs/imap.example.org.crt
+  ssl_server_key_file = /etc/ssl/private/imap.example.org.key
 }
 
 local_name imap.example2.org {
-  ssl_cert_file = /etc/ssl/certs/imap.example2.org.crt
-  ssl_key_file = /etc/ssl/private/imap.example2.org.key
+  ssl_server_cert_file = /etc/ssl/certs/imap.example2.org.crt
+  ssl_server_key_file = /etc/ssl/private/imap.example2.org.key
 }
 
 # ..etc..
@@ -305,13 +305,13 @@ Dovecot with the password:
 1. Starting Dovecot with `dovecot -p` asks the password. It's not stored
    anywhere, so this method prevents Dovecot from starting automatically
    at startup.
-2. [[setting,ssl_key_password]] setting. Note that `dovecot.conf` is by
+2. [[setting,ssl_server_key_password]] setting. Note that `dovecot.conf` is by
    default world-readable, so you probably shouldn't place it there
    directly. Instead you could store it in a different file, such as
    `/etc/dovecot-private.conf` containing:
 
 ```[dovecot.conf]
-ssl_key_password = secret
+ssl_server_key_password = secret
 ```
 
 and then use `!include_try /etc/dovecot-private.conf` in the main
@@ -319,7 +319,7 @@ and then use `!include_try /etc/dovecot-private.conf` in the main
 
 ## Chained SSL Certificates
 
-Put all the certificates in the [[setting,ssl_cert_file]] in this order:
+Put all the certificates in the [[setting,ssl_server_cert_file]] in this order:
 
 1. Dovecot's public certificate
 2. First Intermediate Certificate
@@ -334,7 +334,7 @@ You should use this.
 You can specify path to DH parameters file using:
 
 ```[dovecot.conf]
-ssl_dh_file = /path/to/dh.pem
+ssl_server_dh_file = /path/to/dh.pem
 ```
 
 This is fully optional, and most modern clients do not need this.
@@ -361,7 +361,7 @@ a list of the ciphers.
 For TLSv1.3 server ciphers should not longer be preferred:
 
 ```[dovecot.conf]
-ssl_prefer_server_ciphers = no
+ssl_server_prefer_ciphers = client
 ```
 
 ## SSL verbosity
@@ -380,8 +380,8 @@ If you want to require clients to present a valid SSL certificate, you'll
 need these settings:
 
 ```[dovecot.conf]
-ssl_ca_file = /etc/ssl/ca.pem
-ssl_request_client_cert = yes
+ssl_server_ca_file = /etc/ssl/ca.pem
+ssl_server_request_client_cert = yes
 
 auth_ssl_require_client_cert = yes
 # if you want to get username from certificate as well, enable this
@@ -409,7 +409,7 @@ openssl crl -in class3-revoke.crl -inform DER -outform PEM > class3-revoke.pem
 ```
 
 With the above settings, if a client connects which doesn't present a
-certificate signed by one of the CAs in the `ssl_ca` file, Dovecot won't
+certificate signed by one of the CAs in the [setting,ssl_server_ca_file]], Dovecot won't
 let the user log in. This could present a problem if you're using Dovecot
 to provide SASL authentication for an MTA (such as Postfix) which is not
 capable of supplying client certificates for SASL authentication.
@@ -434,7 +434,7 @@ setting [[setting,auth_ssl_username_from_cert,yes]].
 
 * By default the `CommonName` field is used.
 
-* You can change the field with [[setting,ssl_cert_username_field,name]]
+* You can change the field with [[setting,ssl_server_cert_username_field,name]]
   setting (parsed using OpenSSL's `OBJ_txt2nid()` function).
   `x500UniqueIdentifier` is a common choice.
 
diff --git a/docs/core/man/doveconf.1.md b/docs/core/man/doveconf.1.md
index a9652e361..bc30f58b2 100644
--- a/docs/core/man/doveconf.1.md
+++ b/docs/core/man/doveconf.1.md
@@ -94,7 +94,7 @@ configuration in easy human readable output.
 
 **-x**
 :   Expand configuration variables (e.g. `$ENV:foo`) and show file contents
-    (from e.g. `ssl_key_password = \</etc/ssl/password.txt`).
+    (from e.g. `ssl_server_key_password = \</etc/ssl/password.txt`).
 
 *section_name*
 :   Show only the current configuration of one or more specified sections.
diff --git a/docs/core/man/dovecot.1.md b/docs/core/man/dovecot.1.md
index 0827b69f5..6b22e4c85 100644
--- a/docs/core/man/dovecot.1.md
+++ b/docs/core/man/dovecot.1.md
@@ -51,7 +51,7 @@ little memory.
     as *doveconf -n*.
 
 **-p**
-:   Prompt for the ssl key password for the configured *ssl_key* on startup.
+:   Prompt for the ssl key password for the configured *ssl_server_key* on startup.
 
 **-\-build-options**
 :   Show Dovecot's build options and exit successfully.
diff --git a/docs/howto/imapc_proxy.md b/docs/howto/imapc_proxy.md
index 07d7445fc..e8f30f9dd 100644
--- a/docs/howto/imapc_proxy.md
+++ b/docs/howto/imapc_proxy.md
@@ -82,11 +82,11 @@ This is based on already having Dovecot already compiled and installed.
    ## SSL settings
 
    # These will need to ba adjusted to point to *your* certificates
-   # The ssl_ca_file line refers to the intermediate certificate bundle which
+   # The ssl_server_ca_file line refers to the intermediate certificate bundle which
    # may or may not be required by your SSL provider
-   ssl_cert_file = /etc/pki/tls/certs/machine.example.org.crt
-   ssl_key_file = /etc/pki/tls/private/machine.example.org.key
-   ssl_ca_file = /etc/pki/tls/certs/gd_bundle.crt
+   ssl_server_cert_file = /etc/pki/tls/certs/machine.example.org.crt
+   ssl_server_key_file = /etc/pki/tls/private/machine.example.org.key
+   ssl_server_ca_file = /etc/pki/tls/certs/gd_bundle.crt
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
    ```
 
diff --git a/docs/howto/virtual/postfix.md b/docs/howto/virtual/postfix.md
index 2f00d877c..339b1e4b9 100644
--- a/docs/howto/virtual/postfix.md
+++ b/docs/howto/virtual/postfix.md
@@ -206,8 +206,8 @@ plugin {
 
 ::: code-group
 ```[dovecot.conf]
-ssl_cert_file = /etc/ssl/certs/domain_tld_2009.crt
-ssl_key_file = /etc/ssl/private/domain_tld_2009.key
+ssl_server_cert_file = /etc/ssl/certs/domain_tld_2009.crt
+ssl_server_key_file = /etc/ssl/private/domain_tld_2009.key
 ```
 :::
 
diff --git a/docs/installation/upgrade/include/2.4-removed-other-features.inc b/docs/installation/upgrade/include/2.4-removed-other-features.inc
index 2eef8b661..c255ddecb 100644
--- a/docs/installation/upgrade/include/2.4-removed-other-features.inc
+++ b/docs/installation/upgrade/include/2.4-removed-other-features.inc
@@ -4,7 +4,7 @@
 | IPC process | Has been merged to anvil. |
 | OpenSSL support for older than 1.0.2 | Older versions are not supported anymore. |
 | Sieve extensions: `notify`, `imapflags`, `vnd.dovecot.duplicate` | These deprecated Sieve extensions have been removed. |
-| `ssl-parameters.dat` | This file is no longer converted automatically by config process, you need to set [[setting,ssl_dh_file]] setting if you need non-ECC Diffie-Hellman. |
+| `ssl-parameters.dat` | This file is no longer converted automatically by config process, you need to set [[setting,ssl_server_dh_file]] setting if you need non-ECC Diffie-Hellman. |
 | TCP wrapper support | Use [[link,auth_lua]] instead. |
 | Weak password schemes | Weak password schemes are disabled by default; you need to use [[setting,auth_allow_weak_schemes]] to enable them. |