Configuring IMAP for TLS and SSL

This page is out of date; it has been replaced by a newer version, which you can find here.

This is another optional feature; you don’t have to do this configuration to get a working mail server. However, if you want a secure mail server where people can log in confident that their password can’t be snooped from the network, this is an option you want to configure, just like the TLS option for Postfix. The SSL or TLS option for IMAP creates an encrypted connection between the mail client and the mail server, so that the authentication phase is done securely.

First you need to set up a configuration file whose fields mirror the questions you were asked when generating an SSL certificate with the openssl command. It is located in the directory /usr/local/etc and is called imapd.cnf. Make it look like:

RANDFILE = /usr/local/share/imapd.rand

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=Your Country
ST=State or Province
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key

[ cert_type ]
nsCertType = server

You must change the common name (CN) to the fully qualified hostname assigned to the IP address Courier IMAP will be listening on, or you will receive a certificate mismatch error when connecting with an IMAP- and SSL-compatible mail client. The remaining fields, Country (C), State (ST), Location (L), Organization (O), Organizational Unit (OU), and emailAddress, are self-explanatory and need not be specific values.

When you are happy with the values you have chosen, go to the directory /usr/local/share and run mkimapdcert as root to generate a new certificate. Make sure you remove the existing imapd.pem first, or no new certificate will be created.

You will notice that the generated certificate will expire in one year. If you need more time, you can modify mkimapdcert directly, as it is just a shell script. You can increase the number of days to a value you find more reasonable.
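One way to check for the two problems described above, a CN that does not match the hostname and a certificate close to expiry, before clients connect. This is an added example, not part of the original page or Courier's mkimapdcert; it builds a throwaway certificate from a config in the page's format, and C=US, CN=mail.example.com and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Courier's mkimapdcert. Assumes `openssl` is on PATH.

# Write DIR/imapd.pem (self-signed cert + key) valid for DAYS days. The config
# follows the page's imapd.cnf; C and CN are constructed placeholder values.
make_test_cert() {
    dir=$1 days=$2
    cat > "$dir/imapd.cnf" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=US
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=mail.example.com
[ cert_type ]
nsCertType = server
EOF
    ( umask 077   # files created here hold the private key
      openssl req -new -x509 -days "$days" -nodes -config "$dir/imapd.cnf" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
      cat "$dir/cert.pem" "$dir/key.pem" > "$dir/imapd.pem" )
}

# Print the subject common name (CN) of the certificate in FILE.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed if the CN equals HOST, compared case-insensitively.
cn_matches_host() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Succeed if the certificate expires within DAYS days from now.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

tmp=$(mktemp -d) && make_test_cert "$tmp" 365 &&
    echo "CN=$(cert_cn "$tmp/imapd.pem")" &&
    { expires_within_days "$tmp/imapd.pem" 30 || echo "more than 30 days left"; }
rm -rf "$tmp"
```

The two check functions can be run unchanged against the generated /usr/local/share/imapd.pem, passing the hostname your mail clients connect to.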

Next comes the configuration file of the Courier IMAP daemon; it is located in the directory /usr/local/etc and is called imapd-ssl. Note: this is not the normal IMAP configuration file imapd; the two files are different and are used by two different programs. Edit the imapd-ssl file so that the options look like the list below:


Now you're done with all configuration.
