I use the default config file of imapd-ssl. I just defined the path to the certificate. The other variables you mentioned aren't set and I already generated a stronger dhparam.pem. Last year I already was affected by a "bug" (https://bugzilla.mozilla.org/show_bug.cgi?id=1183650#c27) and a stronger dhparam.pem was the solution. I repeated it with
root@txbweb /etc/ssl/certs # rm /etc/courier/dhparams.pem
root@txbweb /etc/ssl/certs # DH_BITS=2048 mkdhparams

This time, it doesn't help. The output of "openssl s_client -starttls imap -connect mail.txbweb.de:143" should be the same as "openssl s_client -starttls smtp -connect mail.txbweb.de:25", right? Very confusing.

On 2016-07-31 17:04, Sam Varshavchik wrote:
> tba...@txbweb.de writes:
>
>> The variable TLS_PROTOCOL was unset. So I tried to set it to TLS1.2, but
>> I get the same error.
>
> No, leave the setting at the default value. Before attempting to
> restrict the configuration to a specific protocol, get it working for
> the generic default case.
>
> Also check TLS_STARTTLS_PROTOCOL too. TLS_PROTOCOL is for imapd-ssl,
> TLS_STARTTLS_PROTOCOL is for imap with STARTTLS.
>
>> My Debian is "up to date". Yesterday I already checked it with aptitude
>> update && aptitude safe-upgrade. The version of courier-imap-ssl is
>> 4.15-1.6. I've already reinstalled courier*. I don't know what is
>> broken.
>
> That version is almost two years old. The current version is 4.17.1.
>
>> Two weeks ago I just had to renew my certificates, same procedure as
>> every year. But this time I get the error.
>
> I don't know offhand if a certificate can restrict the list of allowed
> ciphers and/or cipher strength. In 4.16 the default length of DH
> parameters was changed from 512 to 2048 bits; perhaps current certs
> require strong ciphers, and 2048 bit DH parameters.
>
> Try regenerating DH parameters by rerunning the mkdhparams script,
> setting the DH_BITS environment variable to 2048, before running the
> script.

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap