diff --git a/README.md b/README.md
index 66fdd15..7aa88a0 100644
--- a/README.md
+++ b/README.md
@@ -304,6 +304,7 @@ To see a more complete description of the attributes, go to the [Dovecot wiki2 c
 | `node['dovecot']['conf']['ssl_verify_client_cert']` | *nil* | Request client to send a certificate.
 | `node['dovecot']['conf']['ssl_cert_username_field']` | *nil* | Which field from certificate to use for username.
 | `node['dovecot']['conf']['ssl_parameters_regenerate']` | *nil* | How often to regenerate the SSL parameters file.
+| `node['dovecot']['conf']['ssl_dh']` | *nil* | DH parameters to use. Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 | `node['dovecot']['conf']['ssl_dh_parameters_length']` | *nil* | DH parameters length to use.
 | `node['dovecot']['conf']['ssl_protocols']` | *nil* | SSL protocols to use.
 | `node['dovecot']['conf']['ssl_cipher_list']` | *nil* | SSL ciphers to use.
diff --git a/attributes/conf_10_ssl.rb b/attributes/conf_10_ssl.rb
index d597d9a..a2c0358 100644
--- a/attributes/conf_10_ssl.rb
+++ b/attributes/conf_10_ssl.rb
@@ -64,6 +64,7 @@
 default['dovecot']['conf']['ssl_cert_username_field'] = nil
 default['dovecot']['conf']['ssl_parameters_regenerate'] = nil
 default['dovecot']['conf']['ssl_dh_parameters_length'] = nil
+default['dovecot']['conf']['ssl_dh'] = nil
 default['dovecot']['conf']['ssl_protocols'] = nil
 default['dovecot']['conf']['ssl_cipher_list'] = nil
 default['dovecot']['conf']['ssl_prefer_server_ciphers'] = nil
diff --git a/templates/default/conf.d/10-ssl.conf.erb b/templates/default/conf.d/10-ssl.conf.erb
index 3946f57..3765ce5 100644
--- a/templates/default/conf.d/10-ssl.conf.erb
+++ b/templates/default/conf.d/10-ssl.conf.erb
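Review bot: The new `ssl_dh` attribute in attributes/conf_10_ssl.rb is a bare pass-through to Dovecot's `ssl_dh` setting, but neither the attribute nor the README row says that Dovecot expects a file reference in its `<path` inclusion form rather than the PEM path itself, so a user who follows the README's `openssl dhparam -out /etc/dovecot/dh.pem 4096` example and sets the bare path will most likely get a setting Dovecot rejects at startup. A comment next to the new line would prevent that: `# Dovecot 2.3+ file reference, e.g. '</etc/dovecot/dh.pem' (note the leading '<'); replaces ssl_dh_parameters_length`. The template hunk appears to pass such a `'<…'` default to `DovecotCookbook::Conf.attribute`, but that value is cut off on this page, so I cannot confirm what the fallback is. Minor style point: the README table lists `ssl_dh` before `ssl_dh_parameters_length` while this file adds it after, so the two orderings no longer match.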
@@ -64,6 +64,12 @@ # DH parameters length to use. <%= DovecotCookbook::Conf.attribute(@conf, 'ssl_dh_parameters_length', 1024) %> +# SSL DH parameters +# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` +# Or migrate from old ssl-parameters.dat file with the command dovecot +# gives on startup when ssl_dh is unset. +<%= DovecotCookbook::Conf.attribute(@conf, 'ssl_dh', ' + # SSL protocols to use <%= DovecotCookbook::Conf.attribute(@conf, 'ssl_protocols', '!SSLv2') %>