I was able to get this up and running without too much trouble. May vary by distro/version, but all my config files are here.
# cd /etc/courier-imap
# openssl genrsa -out mail.example.com.key 4096
Edit the imapd.cnf file with your information.
# nano -w imapd.cnf
RANDFILE = /usr/share/imapd.rand
[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=US
ST=State
L=City
O=Company
OU=Mail server
CN=mail.example.com
emailAddress=root@example.com
[ cert_type ]
nsCertType = server
Make the certificate request file.
# openssl req -new -key mail.example.com.key -config imapd.cnf -out mail.example.com.csr
Plug the mail.example.com.csr file into the cacert.org server certificate page and put the output into mail.example.com.crt.
Note: You may see some information about editing the crt file but that is not needed for us. The straight file is what we need.
To create the .pem file that courier will use we need to combine the .key file and the .crt file. Then add some extra DH at the bottom.
# cat mail.example.com.key mail.example.com.crt > mail.example.com.pem
# openssl gendh >> mail.example.com.pem
We also want to change the permissions on these files.
# chmod 400 mail.example.com.*
Edit the imapd-ssl file to point to the new certificate and restart the daemon.
TLS_CERTFILE=/etc/courier-imap/mail.example.com.pem
# /etc/init.d/courier-imapd-ssl restart
Leaving old page for posterity and the good links. These directions are correct but misleading. The output of one of the files is different than what we will have. Snizfast
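The bundle built in the steps above (key, then certificate, then DH parameters, then chmod 400) can be checked before Courier is restarted. The shell function below is an added example, not part of the original page; the name check_courier_pem is made up here, and it assumes a Linux `ls` and an `openssl` that has the `pkey` command.

```shell
#!/bin/sh
# Added example (not from the original page): check a combined Courier bundle.
# check_courier_pem is a name made up for this sketch.
# Usage: sh check_pem.sh /etc/courier-imap/mail.example.com.pem

check_courier_pem() {
    pem=$1
    rc=0
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # The bundle contains the private key, so expect the chmod 400 result.
    mode=$(ls -l "$pem" | cut -c1-10)
    [ "$mode" = "-r--------" ] ||
        { echo "FAIL: mode is $mode, expected -r--------"; rc=1; }

    # The cat and append steps should have left all three PEM blocks.
    for label in 'PRIVATE KEY' 'CERTIFICATE' 'DH PARAMETERS'; do
        grep -q -- "-----BEGIN .*$label-----" "$pem" ||
            { echo "FAIL: no $label block in $pem"; rc=1; }
    done

    # The signed certificate must carry the public half of this key. A .crt
    # issued for a CSR made from a different key fails here.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: certificate does not match the private key"; rc=1
    fi

    # -checkend 0 exits non-zero once the certificate has expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired or unreadable"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_courier_pem "$1"
fi
```

The DH check only looks for the block; it does not measure the size of the parameters.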
This is the start-up page for instructions on how to use a cacert with Courier-imap/pop.
As you can see, I've not worked out how to do this yet!
I've been running fine with a self-signed signature for years.
The best description I've found so far:
http://milliwaysconsulting.net/support/systems/courier-ssl.html
Here's a good debug clue: http://www.courier-mta.org/?couriertls.html
I'm still getting: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Though I've not done the 'required' amount of debugging yet.
Markt
Don't know if this is your bug, but I have googled endlessly looking for a fix for this. http://www.mail-archive.com/pkg-evolution-maintainers@lists.alioth.debian.org/msg00388.html Fixed it for me.
> couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
If you are using Thunderbird, please restart it.