I was able to get this up and running without too much trouble. May vary by distro/version but all my config files are here.

# cd /etc/courier-imap

# openssl genrsa -out mail.example.com.key 4096

Edit the imapd.cnf file with your information.

# nano -w imapd.cnf

RANDFILE = /usr/share/imapd.rand

[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=State
L=City
O=Company
OU=Mail server
CN=mail.example.com
emailAddress=root@example.com

[ cert_type ]
nsCertType = server

Make the certificate request file.

# openssl req -new -key mail.example.com.key -config imapd.cnf -out mail.example.com.csr

Plug the mail.example.com.csr file into the cacert.org server certificate page and put the output into mail.example.com.crt.

Note: You may see some information about editing the crt file but that is not needed for us. The straight file is what we need.

To create the .pem file that courier will use we need to combine the .key file and the .crt file. Then add some extra DH at the bottom.

# cat mail.example.com.key mail.example.com.crt > mail.example.com.pem

# openssl gendh >> mail.example.com.pem

We also want to change the permissions on these files.

# chmod 400 mail.example.com.*

Edit the imapd-ssl file to point to the new certificate and restart the daemon.

TLS_CERTFILE=/etc/courier-imap/mail.example.com.pem

# /etc/init.d/courier-imapd-ssl restart

Leaving old page for posterity and the good links. These directions are correct but misleading. The output of one of the files is different than what we will have. Snizfast
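
Added example, not part of the original wiki page: a Python check for the combined .pem file built in the steps at the top of this page. It confirms the chmod 400 result, that the key, certificate and DH parameter blocks are all present, and that the private key belongs to the certificate; the function names are hypothetical and the path is whatever TLS_CERTFILE points to.

```python
import os
import re
import ssl
import stat
import sys

# One complete PEM block: BEGIN <label> ... END <same label>
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Return the label of every complete BEGIN/END block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def structural_problems(path):
    """Check file mode and block layout of the combined key+crt+DH file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the private key
        problems.append("mode %o lets group/other access the key" % mode)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        labels = pem_labels(fh.read())
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected 1 private key block, found %d" % len(keys))
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (the CA's output is missing)")
    if "DH PARAMETERS" not in labels:
        problems.append("no DH PARAMETERS block")
    return problems


def key_matches_cert(path):
    """True if OpenSSL loads key and certificate from path and they pair up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)  # raises if unparsable or mismatched
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. /etc/courier-imap/mail.example.com.pem
    for problem in structural_problems(target):
        print("PROBLEM:", problem)
    print("key matches certificate:", key_matches_cert(target))
```

Run it as root against the file named in TLS_CERTFILE before restarting the daemon.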

This is the start-up page for instructions on how to use a cacert with Courier-imap/pop.

As you can see, I've not worked how to do this yet!

I've been running fine with a self-signed signature for years.

The best description I've found so far:

http://milliwaysconsulting.net/support/systems/courier-ssl.html

Here's a good debug clue: http://www.courier-mta.org/?couriertls.html

I'm still getting: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Though I've not done the 'required' amount of debugging yet.

Markt

Don't know if this is your bug, but I have googled endlessly looking for a fix for this. http://www.mail-archive.com/pkg-evolution-maintainers@lists.alioth.debian.org/msg00388.html Fixed it for me.

> couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

If you are using Thunderbird please restart it

courier (last edited 2009-02-24 18:25:03 by rubin)