Courier IMAP problems with STARTTLS (Checking mail server capabilities)

I have recently upgraded my mail server from Debian Wheezy to Debian Jessie, which brings with it new versions of software, including Courier. For the most part this hasn’t been an issue, except when it came to the IMAP service. On Thunderbird clients you would see “Checking mail server capabilities” and nothing more when connecting to the server; other clients, I assume, would show different error messages or just flat-out fail to connect. A quick fix was to switch the clients to SSL, BUT I don’t think this is a good fix as it requires your users to make a change. Thankfully, after much googling, I have discovered what seems to be a fix (works for me ™).

Courier now uses dhparams.pem (see the Generate Diffie-Hellman Parameters – OpenSSL Wiki article). My fresh new Courier install already had one of these present, but I suspect it was too small. Regenerating it with a nice big 2048-bit version rectified my STARTTLS issues instantly (well, I did restart courier-imap and courier-imap-ssl too 🙂 ).

The command I used, run from within the /etc/courier path, is:

openssl dhparam -out dhparams.pem 2048

(This WILL take a fair amount of time; don’t worry, it does finish 🙂 )
Follow it with a restart of the IMAP services. My original dhparams.pem file was 201 bytes; after generating a new one it is 424 bytes 🙂
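The steps above, wrapped into a small script as an added example (not from the original post): it reads the actual prime length out of the existing dhparams.pem instead of guessing from the file size, regenerates the file only when it is below 2048 bits, writes to a temporary file so a half-finished run never replaces the live one, and then restarts the two Courier IMAP services. It assumes the /etc/courier/dhparams.pem path and the courier-imap / courier-imap-ssl service names mentioned in the post.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes Courier reads
# /etc/courier/dhparams.pem and that the courier-imap and
# courier-imap-ssl services exist (Debian Jessie, as in the post).

DHPARAMS_FILE="${DHPARAMS_FILE:-/etc/courier/dhparams.pem}"
MIN_BITS="${MIN_BITS:-2048}"

# Print the prime length in bits of a PEM DH parameter file.
# Works on the "(N bit)" header that openssl dhparam -text prints
# on 1.0.x, 1.1.x and 3.x alike; prints 0 if the file is unreadable.
dh_bits() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Succeed (exit 0) when the file's DH group is at least MIN_BITS long.
dh_is_strong_enough() {
    [ "$(dh_bits "$1")" -ge "$MIN_BITS" ]
}

# Generate a fresh safe prime of the requested size into a temp file
# next to the target and move it into place only on success.
regenerate_dhparams() {
    file="$1"; bits="${2:-$MIN_BITS}"
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        chmod 644 "$tmp" && mv "$tmp" "$file"
    else
        rm -f "$tmp"; return 1
    fi
}

# The procedure from the post: check, regenerate if too small, restart IMAP.
main() {
    if dh_is_strong_enough "$DHPARAMS_FILE"; then
        echo "$DHPARAMS_FILE already has $(dh_bits "$DHPARAMS_FILE")-bit parameters; nothing to do"
        return 0
    fi
    echo "Regenerating $DHPARAMS_FILE with $MIN_BITS-bit parameters (this takes a while)..."
    regenerate_dhparams "$DHPARAMS_FILE" "$MIN_BITS" || return 1
    for svc in courier-imap courier-imap-ssl; do
        service "$svc" restart
    done
}

# Only touch the live server when explicitly asked, e.g.
#   APPLY_DHPARAMS=1 sh check-dhparams.sh   (as root)
if [ "${APPLY_DHPARAMS:-0}" = 1 ]; then main "$@"; fi
```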

Hopefully this will help save someone’s hair 🙂