Gentoo Wiki


These instructions will help you get a signed SSL certificate for your Courier IMAP server. I was able to get this up and running without too much trouble. This assumes you already have Courier up and running. The ebuild configured Courier to work correctly even with SSL, so only minimal changes will have to be made. I am using as my certificate authority.

Note: All files are in /etc/courier-imap

Edit the imapd.cnf file with your information.

Code: imapd.cnf
RANDFILE = /usr/share/imapd.rand
[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=Mail server
[ cert_type ]
nsCertType = server

Code: Generate key
# openssl genrsa -out mail.domain.tld.key 4096
# openssl req -new -key mail.domain.tld.key -config imapd.cnf -out mail.domain.tld.csr

Paste the contents of mail.domain.tld.csr into the certificate authority's server certificate page and save the certificate it returns as mail.domain.tld.crt.

To create the .pem file that Courier will use, combine the .key file and the .crt file, then append Diffie-Hellman parameters at the bottom. The parameters are generated with openssl dhparam, which replaces the deprecated gendh command (gendh produces only 512-bit parameters when no size is given). Finally, restrict the permissions on these files.

Code: .PEM
# cat mail.domain.tld.key mail.domain.tld.crt > mail.domain.tld.pem
# openssl dhparam 2048 >> mail.domain.tld.pem
# chmod 400 mail.domain.tld.*

Edit the imapd-ssl file to point to the new certificate and restart the daemon.

Code: imapd-ssl


Code: Restart daemon

# /etc/init.d/courier-imapd-ssl restart

Important: When you are done, stop all parts of Courier and then start all services again. Otherwise you could run into problems because some processes still think the certificate hasn't changed!
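
The combined .pem file built above can be checked before the services are restarted. The following is an added example, not part of the original wiki page: it parses the file and reports loose permissions, a missing key, certificate or DH block, and a DH prime shorter than a minimum; the function names and the 2048-bit default are assumptions made here.

```python
import base64, os, re, stat

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]

def read_tlv(der, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length

def dh_prime_bits(der):
    """Bit length of p in DHParameter ::= SEQUENCE { INTEGER p, INTEGER g }."""
    tag, body, _ = read_tlv(der, 0)
    ptag, p, _ = read_tlv(body, 0)
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not a DHParameter SEQUENCE starting with INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def audit_bundle(path, min_dh_bits=2048):
    """Return a list of findings for a combined key + cert + DH PEM file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                 # any group/other bit exposes the private key
        findings.append(f"mode {mode:04o} lets group/other access the private key")
    with open(path) as fh:
        blocks = pem_blocks(fh.read())
    labels = [label for label, _ in blocks]
    # genrsa writes "RSA PRIVATE KEY" or "PRIVATE KEY" depending on OpenSSL version
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    dh = [der for label, der in blocks if label == "DH PARAMETERS"]
    if not dh:
        findings.append("no DH PARAMETERS block")
    for bits in map(dh_prime_bits, dh):
        if bits < min_dh_bits:
            findings.append(f"DH prime is only {bits} bits")
    return findings
```

Calling audit_bundle("/etc/courier-imap/mail.domain.tld.pem") as root returns an empty list when the file passes every check.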


Last modified: Mon, 26 May 2008 08:47:00 +0000 Hits: 6,990