stefan's blag and stuff

Blog – 2015-01-05 – Housekeeping the Courier imap server

The Problem

On your debian server (jessie) we use the Courier Mail Server to serve our emails over the imap protocol. Of course we only allow encrypted tls connections. Nevertheless we had some error messages in /var/log/syslog. Serving emails still worked, so I ignored them for some time now. The log messages were of the form:

couriertls: <path to cert file>: error:0906D06C:PEM routines:PEM_read_bio:no start line

It's an non obvious error message and it took me some time to figure out the real issue. My first thoughts were: whitespace problem, windows/unix EOL issue, incorrect number of dashes in pem file or private key not in pem file. Here are some resources one, two and three, but non of these resolved the problem.


The real problem is a missing config parameter in the file /etc/courier/imapd-ssl. In Courier version 4.15 the parameter TLS_DHCERTFILE was replaced by the new parameter TLS_DHPARAMS (see imap INSTALL). So add the following line to your config


If the file /etc/courier/dhparams.pem doesn't exists, run the command mkdhparams. Don't forget to restart your daemon. Here is another blogpost which describes the same problem.

Further Housekeeping

The courier documentation for the command mkdhparams says

This script is intended to be executed from a cron job, monthly.

That's easy. Add the script

$ touch /etc/cron.monthly/mkdhparams
$ chmod +x /etc/cron.monthly/mkdhparams
$ cat /etc/cron.monthly/mkdhparams
# Regenerate dh parameters once a month for courier imap daemon. See manpage of
# mkdhparams.

or link directly to /usr/sbin/mkdhparams. Done!