Courier IMAP SSL Installation Instructions

Create The PEM File

Once you have downloaded your certificates from your certificate authority, open the primary certificate and the private key that you created earlier in a text editor. Copy and paste the text in the  Primary Certificate and then from the Private Key. Save the file with a .pem extension (i.e myCertificate.pem) The file should look like this when finished:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key)
-----END RSA PRIVATE KEY-----

If your certificate requires an intermediate certificate, open it in a text editor and save it as a new file named intermediate.txt.

Import and Install the Certificate

Courier IMAP

  1. Locate and open the imapd-ssl file (usually found in /usr/lib/courier-imap/etc/). Add the following directives pointing to the files you created above:

    TLS_CERTFILE=/some/path/myCertificate.pem
    TLS_TRUSTCERTS=/some/path/intermediate.txt

  2. Verify that the line below is allowing TLS
  3. IMAPDSSLSTART=NO
    IMAPDSTARTTLS=YES
    IMAP_TLS_REQUIRED=1
    TLS_PROTOCOL=TLS1
    TLS_STARTTLS_PROTOCOL=TLS1

POP3

  1. Locate and open pop3d-ssl file (usually found in /usr/lib/courier-imap/etc/). Add the following directives pointing to the files you created above:
  2. TLS_CERTFILE=/some/path/myCertificate.pem
    TLS_TRUSTCERTS=/some/path/intermediate.txt

Restart the Courier IMAP server.

Note: These are the basic instructions for installing an SSL certificate in Courier IMAP. There are many configuration options that can cause problems if you aren't aware of them. Mozilla's lead SSL developer, Nelson Bolyard, mentioned the two most common SSL problems with Courier IMAP that he deals with:

a) The server requests the email client to authenticate itself to the server with a client certificate, but the server does not recognize ANY client certificates as valid for this purpose, so clients that have certs and attempt to use them fail to authenticate to the server.  The server should not request client authentication unless it really is set up to properly use them.

b) The server does not enable its SSL session cache.  Consequently, the server goes through the whole slow and CPU-intensive handshake with certificates on every connection (for every IMAP folder). For servers that request client certificate authentication, this means the client is asked to reauthenticate itself for every folder.  The solution to this is to enable the server's SSL session cache.

Useful Courier IMAP SSL Links

Courier IMAP SSL Installation Instructions Comments