# imapd via STARTTLS not working after upgrade [SOLVED]

## octavsly

Posted so others can find the solution more easily.

After updating the net-mail/courier-imap to 4.15-r1, I could not retrieve the e-mails via STARTTLS anymore. 

Strangely enough it still worked via SSL/TLS (port 993).

Tried debugging via http://www.courier-mta.org/authlib/README.authdebug.html but STARTTLS was not there.

Then found in the /var/log/messages the following error:

```
imapd-ssl: couriertls: /usr/share/dhparams.pem: error:02001002:system library:fopen:No such file or directory
```

http://www.courier-mta.org/imap/INSTALL.html shows:

 *Quote:*   

> Upgrading from Courier-IMAP 4.14, and earlier
> 
> Version 4.15 removes the TLS_DHCERTFILE parameter from imap, and pop3d configuration files. DH parameters, and DH parameters only, get read from the new TLS_DHPARAMS file (and the other functionality of TLS_DHCERTFILE, for DSA certificates, is merged into TLS_CERTFILE). The default startup script in the package is updated to run the new mkdhparams script, that creates a new TLS_DHPARAMS file.

 

In the Gentoo /etc/*/imapd-ssl file, the parameter TLS_DHPARAMS was set to /usr/share/dhparams.pem, but the file did not exist.

Two solutions:

1. Disable the parameter in the imapd-ssl file:

```
#TLS_DHPARAMS=/usr/share/dhparams.pem
```

OR 

2. Run, as the manual says, mkdhparams, which will create that file.

----------

## cilly

Thank you!!!!!!


----------

## Floppe

Many thanks!

----------

## Duncan Mac Leod

Microsoft's last patchday (May 2015) introduced another problem, REQUIRING a DHE key length of 1,024 bits! (default is 768 if you are using OpenSSL and the mkdhparams tools).

If you are using a DHE key length of < 1,024 bits, a TLS connection is not possible.

https://support.microsoft.com/en-us/kb/3061518/

Two solutions:

#1 set the environment variable BITS (see manpage of mkdhparams)

or

#2 edit /usr/sbin/mkdhparams and change the value 768 to 1024

Generate a new .pem file and it will work again.

Took me hours to track down the problem, so I post this to make your life easier.

The problem occurs in our network ONLY for Windows 8.1 and Windows Server 2012 R2 systems; all other systems were not affected, but AFAIK Microsoft is planning to patch the other operating systems in the next months.

Hope that helps...

----------

## octavsly

Thanks Duncan Mac Leod for the info. 

Reason for change can be seen in https://weakdh.org/

For regenerating the key, use DH_BITS instead of BITS, as the manual says.

```
rm  /usr/share/dhparams.pem ; DH_BITS=2048 mkdhparams
```

Newer versions of Thunderbird also refuse connections with < 1024 bits. The message is a bit cryptic.

 *Quote:*   

> The IMAP server info@server.com does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'.

 

However, if the Error Console is opened (Ctrl+Shift+J), a clearer message appears:

 *Quote:*   

> Timestamp: 06/16/2015 11:02:12 AM
> 
> Error: An error occurred during a connection to imap.server.com:143.
> ...

 

I will file a bug in Gentoo to have the default set to 1024.
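
The two failure modes in this thread, the missing dhparams.pem that couriertls reports and a DH prime below the 1024-bit client floor, can both be checked on the server from the TLS_DHPARAMS file itself. This is an added example, not code from the thread or from Courier: it parses the PKCS#3 PEM with the Python standard library only, and the build_dh_pem helper exists solely to construct sample files (the numbers fed to it are constructed and are not real safe primes).

```python
# Added example, not Courier's code: check a TLS_DHPARAMS file for a missing file or a short DH prime.
import base64
import re

MIN_BITS = 1024  # floor enforced by Windows 8.1 / Server 2012 R2 (KB3061518) and Thunderbird 38

def _der_tlv(tag, value):
    """Encode one DER tag/length/value (short- or long-form length)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(i):
    """DER INTEGER; a leading 0x00 keeps a value with its top bit set positive."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return _der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _der_read(buf, pos):
    """Decode the DER element at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_dh_pem(p, g=2):
    """PEM-encode PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } (sample files only)."""
    der = _der_tlv(0x30, _der_int(p) + _der_int(g))
    body = base64.encodebytes(der).decode()  # wrapped at 76 columns, like openssl
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"

def dh_prime_bits(pem_text):
    """Bit length of the prime p in the first DH PARAMETERS block of pem_text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p_bytes, _ = _der_read(seq, 0)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(p_bytes, "big").bit_length()

def check_dhparams_file(path, min_bits=MIN_BITS):
    """'missing' is the fopen error seen in /var/log/messages; 'too-short' is the Windows/Thunderbird refusal."""
    try:
        with open(path) as f:
            bits = dh_prime_bits(f.read())
    except FileNotFoundError:
        return "missing"
    return "ok" if bits >= min_bits else "too-short"
```

Run check_dhparams_file("/usr/share/dhparams.pem") on the server after mkdhparams; anything other than "ok" means clients on the 1024-bit floor will still fail.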

----------

## mt_undershirt

Many thanks to octavsly and MacLeod, my Thunderbird just failed on multiple accounts after today's upgrade to 38.0.1 with the aforementioned cryptic error message. 

Connection was still working on other machines and iOS devices, though.

So, you probably saved me a lot of time otherwise wasted on tracking down the problem, I truly appreciate that.

As described, removing the old dhparams.pem and running the 1024-bit-modified mkdhparams on the server did the trick right away.

Regards

mtu

----------

## toralf

IMO re-creating the .pem file should be scheduled regularly, e.g. via cron once per week/month or so, even if you're not paranoid.

----------

## F1r31c3r

Hi all, 

I too came across this problem and after 2 hours with my hosting provider they provided me with reassurance but nothing more.

They told me they had fixed it twice but it still did not work, so I decided to disable the use of the key and force Thunderbird to use a higher encryption key.

If you go to Edit -> Preferences, then the Advanced and General tab, at the bottom is a button called Config Editor. Click it, then use the filter to find all ssl3 entries.

Find  *Quote:*   

> security.ssl3.dhe_rsa_aes_128_sha

 

and set it to false by double clicking it.

Now you will find the server is forced to use an alternative which has a more secure mechanism.

This is how I got around it, so if you are struggling with your hosting company then this is a quick workaround until you can kick them up the ass to fix it.

----------

