Courier-IMAP with TLS and Roundcube - Diffie Hellman & PHP-5.6 issue
After upgrading to php-5.6 and openssl-1.0.1p I realized that I couldn't connect to the IMAP server via Roundcube anymore. The solution wasn't easy to find, and searching the logs wasn't really helpful either. First I immediately restarted Apache with php-5.5, and afterwards downgraded OpenSSL too. Neither of this worked.
Analysis
The only error message was in the Roundcube logfile (logs/errors):
[date]: <16bq96e7> IMAP Error: Login failed for XX from <IPv4>. Unable to negotiate TLS in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)
Following this thread with variations of the parameters in $config['imap_conn_options'] didn't solve the problem either. It seems that the SSL changes in php-5.6 are not the root cause: SMTP over TLS was still working well, but IMAP over TLS was not. I'll come back to this Roundcube issue later on.
As the error was “Unable to negotiate TLS …”, I ran:
$ openssl s_client -starttls imap -connect imap.example.com:143
CONNECTED(00000003)
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com
verify return:1
140049233454736:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366:
---
Certificate chain
... <snip>
And what do you know: it couldn't connect! See the error on line 8. I really hate this kind of OpenSSL error message, because I was never able to find an exact solution for such errors in the past. I figured out that the DH parameters are inside the imapd.pem file:
$ openssl dhparam -text -in /etc/courier/imapd.pem -noout
PKCS#3 DH Parameters: (512 bit)
    prime:
        00:eb:cf:23:c6:09:1b:dd:d8:c6:ed:c5:c9:49:ff:
        ...
    generator: 2 (0x2)
Ok, 512 bits seems to be too small. I remembered some discussion about 1024-bit DH parameters during the last weeks. (OpenSSL 1.0.1n and later reject server DH keys shorter than 768 bits, which is exactly what the "dh key too small" error reports.)
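To make the "dh key too small" check reproducible without depending on the openssl binary, here is an added example (not from the original post) in Python. It locates the DH PARAMETERS block inside a combined PEM bundle such as imapd.pem, decodes the PKCS#3 structure shown above (SEQUENCE of INTEGER prime and INTEGER generator), and reports the prime size against a configurable minimum. The sample bundle, the 1024-bit threshold and the moduli are constructed for this example; the moduli are not real primes and must never be used as DH parameters.

```python
import base64
import re
import textwrap

# Policy threshold (assumption for this example): OpenSSL 1.0.1n+ clients
# refuse server DH keys below 768 bits; 1024 is a sane floor, 2048 recommended.
MIN_DH_BITS = 1024


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value. A leading 0x00 is added when the
    sign bit is set, which is why 'openssl dhparam -text' prints the prime as 00:eb:..."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-wrapped."""
    seq_body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text: str):
    """Return (p, g) from the first DH PARAMETERS block in a PEM bundle.
    imapd.pem carries key, certificate and DH parameters in one file, so the
    other blocks are skipped rather than treated as errors."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a SEQUENCE")
    t_p, p_bytes, pos = _read_tlv(seq, 0)
    t_g, g_bytes, _ = _read_tlv(seq, pos)
    if t_p != 0x02 or t_g != 0x02:
        raise ValueError("expected INTEGER prime and INTEGER base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_dh_params(pem_text: str, minimum: int = MIN_DH_BITS):
    """Return (prime_bits, acceptable); prime_bits matches the '(512 bit)' openssl prints."""
    p, _ = parse_dh_params(pem_text)
    bits = p.bit_length()
    return bits, bits >= minimum


# Constructed sample bundle: the "certificate" is a placeholder and the 512-bit
# modulus is just an odd number, NOT a real safe prime (format demo only).
WEAK_P = (1 << 511) | (1 << 300) | 1
WEAK_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder, not a certificate").decode()
               + "\n-----END CERTIFICATE-----\n"
               + encode_dh_params(WEAK_P, 2))

STRONG_P = (1 << 2047) | (1 << 1000) | 1  # constructed, not a real prime
STRONG_PEM = encode_dh_params(STRONG_P, 2)

if __name__ == "__main__":
    for name, pem in (("imapd.pem (constructed)", WEAK_BUNDLE),
                      ("dhparams.pem (constructed)", STRONG_PEM)):
        bits, ok = audit_dh_params(pem)
        print(f"{name}: {bits}-bit DH prime -> {'OK' if ok else 'TOO SMALL'}")
```

Run it against your real files by reading them into audit_dh_params(); the weak bundle reports 512 bits and fails the threshold, the regenerated parameters pass. The parser deliberately only looks at the DH PARAMETERS block, so a combined imapd.pem and a stand-alone dhparams.pem are handled the same way.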
Solution
This is a roadmap of what I did on my system. Adapt it to your needs!
We need a stronger DH prime. This blog post pointed me in the right direction. Create a file dhparams if it does not exist:
DH_BITS=2048 mkdhparams
Usually (in my case) it is created in /usr/share/. Copy or move it into your Courier config directory, or create a symlink. Alternatively you can replace the DH parameters in imapd.pem with the new value; then the next step is not necessary, but be aware that they will be overwritten by a mkimapdcert run.
I couldn't find any official documentation about it, but the parameter TLS_DHCERTFILE was replaced by TLS_DHPARAMS. Still, only the old one is present in the config file (Courier IMAP 4.15). Edit the config file imapd-ssl: disable the TLS_DHCERTFILE parameter and add
TLS_DHPARAMS="/etc/courier/dhparams.pem"
Restart the Courier IMAP server. And voila, the connection with openssl s_client … was successful. First issue solved; nevertheless Roundcube still doesn't work. So back to the Roundcube config file config/config.inc.php. After some trial and error, at least this was working for me:
$config['default_host'] = 'tls://imap.example.com';
$config['default_port'] = 143;
$config['smtp_server'] = 'tls://smtp.example.com';
...
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer_name'  => true,
        'verify_peer'       => true,
        'allow_self_signed' => true,
        'peer_name'         => 'imap.example.com',
        // 'ciphers'      => 'TLSv1+HIGH:!aNull:@STRENGTH',
        // 'capath'       => '/etc/ssl/certs',
        // 'local_cert'   => '/etc/courier/imapd.pem',
        // 'verify_depth' => '3',
    ),
);
The commented-out parameters above are left as a reference. Note that the web server may need a restart before the changes take effect. For SMTP, as far as I read, no changes are necessary. Keep in mind that 'allow_self_signed' => true accepts any self-signed certificate carrying that peer name, so 'verify_peer' => true alone does not authenticate the IMAP server; pointing 'cafile' at the Courier certificate would make the verification meaningful.
Comments
This helped me! I was wondering why I was no longer able to connect using roundcube and it turned out to be the DH key size. Thank you!
You saved my day
Thanks very much for this guide.