The latest courier update breaks existing installations configured to use STARTTLS. As the new parameter TLS_DHPARAMS is set by default in the new configuration files, pointing to /usr/share/courier/dhparams.pem, this file should get automatically created somehow. This could be done in the courier init script (as it's already done with the server certificates) or - as suggested by the mkdhparams manpage - in a monthly cron job, or maybe in the ebuild's postinstall step. As a side note, the file locations used by courier (on Gentoo only?) seem to be suboptimal. The autogenerated certificates and the dhparams should be located in /etc/courier, /usr/share/courier just feels wrong for dynamically created configuration data.
This happens with USE=gnutls (but probably works okay with openssl) due to a hard-coded path for certtool pointing to /usr/local/bin. This causes the mkcert scripts to fail silently thus no pem files get generated, either by the init script or by hand. To add even more fun, courier imad-ssl fails to log anything without the cert files (also hard-coded in the configs) so it's not very obvious what the problem is without a lot of poking and prodding. So, with the correct path, the scripts *do* work and create working cert files, but you *still* need to "force" ssl/tls on the server side, even after setting STARTBLAH=YES. After enabling the ssl version of the service (whether esmtpd, imapd, or pop3d) you should also set this: IMAP_TLS_REQUIRED=1 in spite of what the comments say about it. This appears to be required now (at least with the latest versions of courier) to make some mail clients actually do starttls/ssl. Lastly there's no dependency for the domainname command (and I don't even know which package provides it) so I switched it to the equivalent hostname command which should always be there. I'll attach my ebuild patch.
Created attachment 507472 [details, diff] patch for latest courier ebuild Fixes missing command and bad certtool path.
2 more nuggets from a fresh arm64 install: * USE=gnutls requires gnutls[tools] or the cert scripts will fail because of missing certtool * the path to authdaemond changed but the /etc/init.d/courier script contains the old path (change ${libexecdir}/authlib/authdaemond to ${libexecdir}/courier-authlib/authdaemond)
diff of init script: # diff -u /usr/portage/mail-mta/courier/files/courier-init-r4 /etc/init.d/courier --- /usr/portage/mail-mta/courier/files/courier-init-r4 2017-02-28 15:43:13.000000000 -0500 +++ /etc/init.d/courier 2018-01-30 21:48:47.070280596 -0500 @@ -61,8 +61,8 @@ ebegin " Starting courierfilterd" ${sbindir}/courierfilter start - [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \ - ${libexecdir}/authlib/authdaemond start && ebegin " Starting authdaemond" + [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \ + ${libexecdir}/courier-authlib/authdaemond start && ebegin " Starting authdaemond" [ -x ${sbindir}/webmaild ] && \ ${sbindir}/webmaild start && ebegin " Starting webmaild" @@ -179,8 +179,8 @@ [ -x ${sbindir}/webmaild ] && \ ( ${sbindir}/webmaild stop ; ebegin " Stopping webmaild" ) - [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \ - ( ${libexecdir}/authlib/authdaemond stop ; ebegin " Stopping authdaemond" ) + [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \ + ( ${libexecdir}/courier-authlib/authdaemond stop ; ebegin " Stopping authdaemond" ) ${sbindir}/courierfilter stop ebegin " Stopping courierfilterd"
And one more stupid bug on arm64; the arm64 profile apparently has no /usr/lib symlink (instead it's a directory) so a few things get installed there instead of /usr/lib64, BUT the courier init scripts have /usr/lib and assume it *is* a symlink so courier-authlib fails silently when it can't find authdaemond. Changing the initscript to use /usr/lib64 for AUTHLIB makes it work as expected.