• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

pop3d.pem no start line

Hans_Meiser

New Pleskian
Hello,

I get the following error message in my mail logs:

/usr/share/courier-imap/pop3d.pem: error:0906D06C:pEM routines:pEM_read_bio:no start line

This happens even with the "Plesk-Default-Cert" in pop3d.pem.

I believe I tried every suggestion from the internet...text block positions, user rights, some modifications in the confs according to the Plesk-how to's etc.

My Configurations are the recommended ones from the Plesk knowledge base.

I must say that my client is Outlook 2003 which is rather old.

Does someone has another idea? My client does not send any certificate.
 
Most probably there are Windows EOL symbols in certificate. Try to check it with

# dos2unix /usr/share/courier-imap/pop3d.pem
 
Thank you, but double checked with the same result...

couriertls: /usr/share/courier-imap/pop3d.pem: error:0906D06C:pEM routines:pEM_read_bio:no start line
 
Hi Hans_Meiser,

This happens even with the "Plesk-Default-Cert" in pop3d.pem.
Did you change the content from the file "/usr/share/courier-imap/pop3d.pem" ? With which software did you edit the file "/usr/share/courier-imap/pop3d.pem" ?

I believe I tried every suggestion from the internet...text block positions, user rights, some modifications in the confs according to the Plesk-how to's etc.

My Configurations are the recommended ones from the Plesk knowledge base.
Could you please name the How-To's you used? s?
Could you please name the KB - articles, that you followed to configure the certificates or it's changes?
 
Last edited by a moderator:
Hi Hans_Meiser,

even if you maybe double and tribble checked, i recommend to use a "pure" text-editor, when editing certificates to merge them. As you can see in your case, there are certificates issues, which only result from incorrect pastings, or additional signs, or even bad converts.

I would as well recommend to use both paths
Code:
/usr/share/imapd.pem 
/usr/share/pop3d.pem
AND
Code:
/usr/share/courier-imap/imapd.pem
/usr/share/courier-imap/pop3d.pem
for your certificates, when you save them.
 
Hi,

I created a self singed cert and only edited it with cat (merging the Openssl-outputs)

cat /home/xxx/tmp/cert.crt > /usr/share/courier-imap/pop3d.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/courier-imap/pop3d.pem

cat /home/xxx/tmp/cert.crt > /usr/share/courier-imap/imapd.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/courier-imap/imapd.pem

cat /home/xxx/tmp/cert.crt > /usr/share/pop3d.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/pop3d.pem

cat /home/xxx/tmp/cert.crt > /usr/share/imapd.pem
cat /home/xxx/tmp/cert-stripped.key >> /usr/share/imapd.pem

...with the same result.

By the way, I would not believe that the Plsek defualt cert comes damaged too.

...strange...

but when I use a default cert from an older server the message disapears.

Seems it has to do with the kind of cert.

...double strange...

the older cert/pem bundle has:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----

...and the key seems to be shorter...may be an older format is involved too.
 
Last edited:
SOLVED:

The all in one-error message "no start line" is misleading.
I hate those messages. They can cause hours, days and weeks of investigations.

My system needs a dhparam section in the pop3d.pem

This is not metioned in the Paralleles Plesk KB...

http://kb.odin.com/en/1062

I'm not sure, but I believe the Plesk default SSL-configuration in /usr/share/courier-imap/ has no dhparam section too.
So this could be a serious configuration- and documentation bug (could lead to a MITM vulnerability).
I took advantage of some PCI complience optimisations. May be they are involved too.

PS:
openssl dhparam -out mysexyserver.com_dhparam.pem 4096
 
Last edited:
Back
Top