SSL Certificate setup howto updated to SHA2

  • Hi all,


    I've just updated the SSL setup howto found here. It's now referencing the SHA2 version of the chain certificates. When you correctly create a key/signing request in SHA2, then StartSSL will automatically sign this correctly in SHA2 as well. It's Google who is ending SHA1 as it seems insecure today. Please keep in mind though, that you must revoke a certificate if it's not outdated. This costs around 35 EUR at StartSSL. So it's better to do this change once your certificate is about to expire anyhow.


    A certificate signing request in SHA2 with 4096 bits is done like this:

    Code:
      openssl req -nodes -sha256 -new -newkey rsa:4096 -out csr.pem


    I can highly suggest checking your server once configured using a tool like the Qualys SSLLabs Test: https://www.ssllabs.com/ssltest/. There is a comprehensive list of webserver settings here: https://cipherli.st/. And once you have some spare time for reading: https://bettercrypto.org/static/applied-crypto-hardening.pdf. This also mentions Postfix and Dovecot (no courier though!).


    Disclaimer: I'm not related to any of these sites or their owners. I only want to share the security concerns with other users <3.
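As an added example (not part of the post above, and not code from the howto or from StartSSL), here is a small POSIX shell script that does the two things the post recommends: it generates an RSA key plus a SHA-256-signed CSR without interactive prompts, and it checks which signature algorithm an existing CSR or certificate actually carries, so a SHA-1 certificate that is still deployed can be spotted before a browser flags it. It assumes a working `openssl` binary on the PATH; the file names and the `mail.example.com` subject are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is installed.
# File names and the subject CN below are placeholders chosen for illustration.

# make_csr BITS KEYFILE CSRFILE
# Unattended form of the command in the post: RSA key of BITS bits, request
# signed with SHA-256. -subj avoids the interactive prompts, -keyout names the
# key file explicitly instead of relying on openssl's default privkey.pem.
make_csr() {
    bits=$1; key=$2; csr=$3
    openssl req -nodes -sha256 -new -newkey "rsa:$bits" \
        -subj "/CN=mail.example.com" \
        -keyout "$key" -out "$csr" >/dev/null 2>&1
}

# sig_alg_of FILE
# Print the signature algorithm of a PEM CSR or certificate, e.g.
# "sha256WithRSAEncryption". CSRs and certificates need different openssl
# subcommands, so the PEM header decides which one is used.
sig_alg_of() {
    file=$1
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$file"; then
        cmd=req
    else
        cmd=x509
    fi
    openssl "$cmd" -in "$file" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# is_weak_sig_alg ALG
# Return 0 (true) when the algorithm is built on SHA-1, MD5 or MD2, i.e. one of
# the digests browsers are retiring, and 1 otherwise.
is_weak_sig_alg() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *sha1*|*md5*|*md2*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_file FILE
# Report the signature algorithm of FILE and fail (return 1) when it is weak.
check_file() {
    alg=$(sig_alg_of "$1")
    if [ -z "$alg" ]; then
        echo "$1: could not read signature algorithm" >&2
        return 1
    fi
    if is_weak_sig_alg "$alg"; then
        echo "$1: WEAK signature algorithm $alg, reissue with SHA-256"
        return 1
    fi
    echo "$1: OK, signature algorithm $alg"
    return 0
}

# Usage: ./check-sigalg.sh /etc/ssl/certs/mail.pem
if [ -n "${1:-}" ]; then
    check_file "$1"
fi
```

Run it against the CSR you are about to submit and against every certificate currently served by Apache, Postfix and Dovecot; anything reported as WEAK is the one to replace when it comes up for renewal.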