stefan's blag and stuff

Blog – 2015-01-05 – Housekeeping the Courier imap server

The Problem

On our Debian server (jessie) we use the Courier Mail Server to serve our emails over the IMAP protocol. Of course we only allow encrypted TLS connections. Nevertheless we had some error messages in /var/log/syslog. Serving emails still worked, so I ignored them for some time. The log messages were of the form:

couriertls: <path to cert file>: error:0906D06C:PEM routines:PEM_read_bio:no start line

It's a non-obvious error message and it took me some time to figure out the real issue. My first thoughts were: a whitespace problem, a Windows/Unix end-of-line issue, an incorrect number of dashes in the PEM file, or the private key not being in the PEM file. Here are some resources (one, two and three), but none of these resolved the problem.

Solution

The real problem is a missing config parameter in the file /etc/courier/imapd-ssl. In Courier version 4.15 the parameter TLS_DHCERTFILE was replaced by the new parameter TLS_DHPARAMS (see the imap INSTALL file). Without it, couriertls presumably tries to read the DH parameters from the certificate file named in the log line, which contains a certificate and a key but no DH PARAMETERS block, hence the complaint about a missing PEM start line. So add the following line to your config:

TLS_DHPARAMS=/etc/courier/dhparams.pem

If the file /etc/courier/dhparams.pem doesn't exist yet, run the command mkdhparams to generate it. Don't forget to restart the daemon afterwards (on Debian: service courier-imap-ssl restart). Here is another blog post which describes the same problem.

Further Housekeeping

The Courier documentation for the command mkdhparams says:

This script is intended to be executed from a cron job, monthly.

That's easy. Add the script

$ touch /etc/cron.monthly/mkdhparams
$ chmod +x /etc/cron.monthly/mkdhparams
$ cat /etc/cron.monthly/mkdhparams
#!/bin/sh
# Regenerate the DH parameters once a month for the Courier IMAP daemon. See the
# manpage of mkdhparams.
mkdhparams

or symlink /etc/cron.monthly/mkdhparams directly to /usr/sbin/mkdhparams. Either way, keep the file name free of dots: run-parts, which executes the scripts in /etc/cron.monthly, silently skips names such as mkdhparams.sh. Done!
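As an added check covering both points of this post (the TLS_DHPARAMS setting from the Solution section and the monthly regeneration from this one), here is a small POSIX shell script of my own; it is not part of Courier and not code from the original post. It verifies that imapd-ssl sets TLS_DHPARAMS, that the file it names exists and actually contains a DH PARAMETERS block, and that the file has been regenerated recently enough for the monthly cron job to be believed. The sample config and PEM files it builds in a temp directory are constructed placeholders, and the status codes and the 45-day default threshold are my own choices.

```shell
#!/bin/sh
# Added sanity check for the TLS_DHPARAMS setup described in this post.
# This is my own script, not part of Courier or of the original post.
# Usage on a real server:   sh check_courier_dh.sh /etc/courier/imapd-ssl
# With no arguments it runs against constructed sample files in a temp dir.

# dh_params_path CONFIG
# Print the value of the last uncommented TLS_DHPARAMS=... line, quotes stripped.
dh_params_path() {
    sed -n 's/^[[:space:]]*TLS_DHPARAMS=\(.*\)$/\1/p' "$1" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# dh_params_stale FILE DAYS
# True if FILE was last modified more than DAYS days ago (find is portable
# across GNU and BSD, unlike stat's option syntax).
dh_params_stale() {
    [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# check_courier_dh CONFIG [MAX_AGE_DAYS]
# Status: 0 ok, 1 TLS_DHPARAMS unset, 2 file missing, 3 file has no
# DH PARAMETERS block, 4 file older than MAX_AGE_DAYS (default 45, my choice:
# a monthly cron job plus some slack).
check_courier_dh() {
    cfg=$1
    max_age=${2:-45}
    path=$(dh_params_path "$cfg")
    if [ -z "$path" ]; then
        echo "$cfg: TLS_DHPARAMS is not set (Courier 4.15+ uses it instead of TLS_DHCERTFILE)" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$cfg: TLS_DHPARAMS=$path does not exist; run mkdhparams" >&2
        return 2
    fi
    if ! grep -q -- '-----BEGIN DH PARAMETERS-----' "$path"; then
        echo "$path: no DH PARAMETERS block in this file" >&2
        return 3
    fi
    if dh_params_stale "$path" "$max_age"; then
        echo "$path: last modified more than $max_age days ago; is the monthly cron job running?" >&2
        return 4
    fi
    return 0
}

# make_fixture
# Build constructed sample files in a temp dir and print its path. The PEM
# files are placeholders carrying only the PEM markers, not real keys or
# parameters.
make_fixture() {
    dir=$(mktemp -d)
    # The broken state from the post: no TLS_DHPARAMS at all.
    printf '%s\n' 'TLS_CERTFILE=/etc/courier/imapd.pem' \
        '#TLS_DHCERTFILE=/etc/courier/imapd.pem' > "$dir/imapd-ssl.before"
    # Parameter set, but mkdhparams was never run.
    printf 'TLS_DHPARAMS=%s/missing.pem\n' "$dir" > "$dir/imapd-ssl.missing"
    # Parameter points at the certificate file, which holds no DH block.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$dir/imapd.pem"
    printf 'TLS_DHPARAMS="%s/imapd.pem"\n' "$dir" > "$dir/imapd-ssl.certonly"
    # Fixed state.
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'placeholder' \
        '-----END DH PARAMETERS-----' > "$dir/dhparams.pem"
    printf 'TLS_DHPARAMS=%s/dhparams.pem\n' "$dir" > "$dir/imapd-ssl.fixed"
    # Same file with a 2015 mtime, simulating a cron job that stopped running.
    cp "$dir/dhparams.pem" "$dir/dhparams-old.pem"
    touch -t 201501050000 "$dir/dhparams-old.pem"
    printf 'TLS_DHPARAMS=%s/dhparams-old.pem\n' "$dir" > "$dir/imapd-ssl.stale"
    echo "$dir"
}

# demo: run the check over every constructed config and report the status.
demo() {
    fx=$(make_fixture)
    for name in before missing certonly stale fixed; do
        rc=0
        check_courier_dh "$fx/imapd-ssl.$name" || rc=$?
        echo "imapd-ssl.$name -> status $rc"
    done
    rm -rf "$fx"
}

if [ $# -gt 0 ]; then check_courier_dh "$@"; else demo; fi
```

On the server, run it with /etc/courier/imapd-ssl as the argument, or drop it into the same monthly cron job after mkdhparams so a regeneration that silently stopped working shows up in the cron mail. The "certonly" case reproduces the situation from the post: the setting points at a PEM file that has a certificate and key but no DH block.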