Configure IMAP to use TLS and SSL

This is another optional feature; you don't have to do this configuration to get a working mail server. If, however, you want a secure mail server where people can log in confident that their password can't be snooped from the network, this is an option you want to configure, just like the TLS option for Postfix. The SSL or TLS option for IMAP creates an encrypted connection between the mail client and the mail server so that the authentication phase is done securely.

First you need to set up a configuration file that looks like the questions you were asked when generating an SSL certificate with the openssl command. It is located in the directory /usr/local/etc and is called imapd.cnf. Make it look like the following, or download the example at the bottom of the page:

RANDFILE = /usr/local/share/imapd.rand

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=Your Country
ST=State or Province
L=City
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=your.mailserver.tld
emailAddress=you@yourdomain.tld

[ cert_type ]
nsCertType = server

You must change the common name (CN) to the fully qualified hostname assigned to the IP address Courier IMAP will be listening on, or you will receive a certificate mismatch error when connecting with an IMAP and SSL compatible mail client. The remaining fields, Country (C), State (ST), Location (L), Organization (O), Organizational Unit (OU), and emailAddress are self-explanatory and need not be specific values.

When you are happy with the values you have chosen, go to the directory /usr/local/share and run mkimapdcert as root to generate a new certificate. Make sure you remove the existing imapd.pem first, or no new certificate will be created.

You will notice that the generated certificate expires in one year. If you need more time, you can modify mkimapdcert directly, as it is just a shell script, and increase the number of days to a value you find more reasonable.
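Before running mkimapdcert, it is worth checking imapd.cnf for the two things that most often go wrong with this file: a DN field longer than OpenSSL allows (the Country field must be a 2-letter code, otherwise the request fails with "string too long") and a CN that does not match the hostname clients will connect to. The following is an added example, not part of this page or of Courier; the length limits are the X.520 upper bounds OpenSSL enforces, and the sample file is a constructed copy of the template above.

```python
import re
# Constructed sample: the page's imapd.cnf template with C filled in wrongly.
SAMPLE_CNF = """\
RANDFILE = /usr/local/share/imapd.rand
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
prompt = no
[ req_dn ]
C=Netherlands
ST=State or Province
L=City
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=your.mailserver.tld
emailAddress=you@yourdomain.tld
"""

# X.520 length limits OpenSSL enforces; exceeding one gives "string too long".
DN_MAXLEN = {"C": 2, "ST": 128, "L": 128, "O": 64, "OU": 64, "CN": 64, "emailAddress": 255}

def parse_cnf(text):
    """Parse the OpenSSL-style file into {section: {key: value}} ('' = global)."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:  # new section header such as "[ req_dn ]"
            current = m.group(1)
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def check_cnf(text, listening_host):
    """Return a list of problems; an empty list means mkimapdcert should succeed."""
    cfg = parse_cnf(text)
    dn = cfg.get(cfg.get("req", {}).get("distinguished_name", ""), {})
    problems = []
    for key, limit in DN_MAXLEN.items():
        if key in dn and len(dn[key]) > limit:
            hint = " (use the 2-letter ISO 3166 code)" if key == "C" else ""
            problems.append(f"{key} is longer than {limit} characters{hint}")
    if dn.get("CN") != listening_host:  # mismatch here is the client-side cert error
        problems.append(f"CN '{dn.get('CN')}' does not match '{listening_host}'")
    return problems
```

Run check_cnf on the real file with the hostname clients will use; fix every reported problem before deleting imapd.pem and running mkimapdcert.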

Next comes the configuration file for the SSL service of the Courier IMAP daemon; it is located in the directory /usr/local/etc and is called imapd-ssl. Note: this is not the same as the normal IMAP configuration file imapd; the two are different files, used by two different programs. Edit the imapd-ssl file so that the options look like the list below, or download an example from the bottom of the page:

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/usr/local/share/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=/usr/local/virtual


Resources:

imapd.cnf
imapd-ssl

2 Responses to “Configure IMAP to use TLS and SSL”

  1. andy Says:

    i get this: why?

    mail:/usr/local/share admin$ sudo ./mkimapdcert
    Generating a 2048 bit RSA private key
    ……………………………+++
    ………………………………………………………………………………………………………………………………………………………..+++
    writing new private key to '/usr/local/share/imapd.pem'
    -----
    problems making Certificate Request
    26461:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2

  2. Richard5 Says:

    Your country name was probably longer than 2 characters…