I was able to get this up and running without too much trouble. May very by distro/version but all my config files are here. # cd /etc/courier-imap # openssl genrsa -out mail.domain.com.key 4096 Edit the imapd.cnf file with your information. # nano –w imapd.cnf RANDFILE = /usr/share/imapd.rand [ req ] default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] C=US ST=State L=City O=Company OU=Mail server CN=mail.example.com emailAddress=root@example.com [ cert_type ] nsCertType = server Make the certificate request file. # openssl req –new –key mail.example.com.key –config imapd.cnf –out mail.example.com.csr Plug the mail.example.com.csr file into the cacert.org server certificate page and put the output into mail.example.com.crt. Note: You may see some information about editing the crt file but that is not needed for us. The straight file is what we need. To create the .pem file that courier will use we need to combine the .key file and the .crt file. Then add some extra DH at the bottom. # cat mail.example.com.key mail.example.com.crt > mail.example.com.pem # openssl gendh >> mail.example.com.pem We also want to change the permissions on these files. # chmod 400 mail.example.com.* Edit the imapd-ssl file to point to the new certificate and restart the daemon. TLS_CERTFILE=/etc/courier-imap/mail.example.com.pem # /etc/init.d/courier-imapd-ssl restart Leaving old page for posterity and the good links. These directions are correct but misleading. The output of one of the files is different than what we will have. Snizfast This is the start-up page for instructions on howto use a cacert with Courier-imap/pop. As you can see, I've not worked how to do this yet! I've been running fine with a self-signed signature for years. The best description I've found so far: http://milliwaysconsulting.net/support/systems/courier-ssl.html Here's a good debug clue: http://www.courier-mta.org/?couriertls.html I'm still getting: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number Though I've not done the 'required' amount of bebugging yet. Markt Don't know if this is your bug, but I have googled endlessly looking for a fix for this. http://www.mail-archive.com/pkg-evolution-maintainers@lists.alioth.debian.org/msg00388.html Fixed it for me. > couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number If you are using Thunderbird please restart it