Courier IMAP SSL Server Certificate Installtion and Configuration

The Courier mail server is a mail transfer agent (MTA) server that provides ESMTP, IMAP, POP3, webmail, and mailing list services with individual components. But, it is best known for its IMAP / IMAPs and POP3 / POP3s (secure version) server component.

Courier can provides support for both regular UNIX operating system account (stored in /etc/passwd) and virtual mail account managed by third party backends such as OpenLDAP, MySQL and so on.

In this quick tutorial, you will learn about installing Courier IMAP SSL digital certificate.

Out setup is as follows:

  • SMTP Server:
  • Courier IMAP / POP3 Server:

Generating a CSR and private key for Courier IMAP SSL Server

Type the command to create a SSL CSR for a mail server called
# mkdir -p /usr/local/ssl
# cd /usr/local/ssl
# openssl req -new -nodes -keyout -out

Most important is Common Name, in our example it is set to For the common name, you should enter the full Courier IMAP server address of your site.

Submit CSR to CA

Next logical step is copy and paste the contents of the CSR file into the SSL certificate providers (aka CA) account and get final certificate.

Install your SSL certificate

Unzip file and upload certificates to /usr/local/ssl directory. You also need to upload your CA’s intermediate certificate. Now, you should have 4 file as follows:

  1. /usr/local/ssl/intermediate.crt
  2. /usr/local/ssl/
  3. /usr/local/ssl/
  4. /usr/local/ssl/

Now create /usr/local/ssl/ a combined .pem certificate file:
# cat /usr/local/ssl/ /usr/local/ssl/ > /usr/local/ssl/

Configure Courier IMAP SSL Certificate

Open your courier IMAP configuration file such as /usr/local/etc/courier-imap/imapd-ssl and make set directives as follows:

Save and close the file. Make sure that the file permissions are set correct and only root can read all files located in /usr/local/ssl directory. Restart Courier IMAP server:
# /usr/local/etc/rc.d/courier-imap-imapd-ssl restart

Test your installation

Use openssl utility to test configuration:
$ openssl s_client -connect
You should not see any error or warning message regarding SSL certificate.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 6 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
6 comments… add one
  • luciano rinetti May 27, 2011 @ 14:49

    How can i autogenerate a certificate without a CA ?

  • Bob Jul 4, 2011 @ 22:26

    You may want to add a -CApath parameter to the check command, otherwise openssl will complain about “self signed certificate in certificate chain”.
    It took me several hours and lots of downloads of RapidSSL/Geotrust intermediate and CA certs to figure this one out.


    openssl s_client -connect -CApath /etc/ssl/certs

  • Richard Jul 30, 2011 @ 20:50

    Hey Bob – You just saved me hours thanks mate for -CApath patch. Taa saves me from the RapidSSL / Geotrust Cheers mate

  • p Jan 3, 2013 @ 12:57

    Thanks Bob

  • ashwin Jan 9, 2013 @ 20:31

    I see that courier is not in rhel repos for a long time . Do you know why ?

  • Arjun May 12, 2013 @ 5:11

    After the following steps, you also need to move the generated .pem file to the /etc/courier folder and rename it as imapd.pem and pop3d.pem

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum