bg-tutorials

Cara Memasang Sertifikat SSL pada Server IMAP Kurir

In this tutorial, you will learn how to install an SSL certificate on a Courier IMAP server. You combine your certificate, private key, and CA chain into a single PEM file, point Courier’s TLS_CERTFILE setting at it, and restart the service so IMAPS and POP3S serve the new certificate.

Hasilkan kode CSR di Server IMAP Courier

If you have already generated your CSR and received the SSL files, skip part 1 and jump straight to the installation steps.

The CSR (Certificate Signing Request) is a block of encoded text that contains your contact details. You create it and send it to your Certificate Authority (CA) to pass SSL validation. Generating the CSR also creates the matching private key, which stays on your server and is needed for installation. You have two options:

To open the CSR file, use any plain text editor. When ordering, copy the entire block, including the BEGIN and END lines. Keep the private key file safe: you will merge it into your PEM file during installation.

Install an SSL certificate on Courier IMAP Server

After validation, your CA emails you a ZIP archive with your SSL files: the primary (server) certificate and one or more intermediate (CA) certificates. Extract the archive on your server, then follow the steps below.

Step 1: Combine the certificate, chain, and key into one PEM file

Courier reads the certificate and the private key from a single PEM file set in TLS_CERTFILE. Concatenate the files in this order: your server certificate first, then the CA intermediate chain, then your private key. From the directory holding the extracted files, run:

cat yourdomain.crt yourdomain.ca-bundle yourdomain.key > imapd.pem
sudo mv imapd.pem /etc/courier/imapd.pem
sudo chmod 600 /etc/courier/imapd.pem

If your CA delivered the intermediates as separate files instead of a single .ca-bundle, list each one between the certificate and the key. The finished PEM file should look like this:

-----BEGIN CERTIFICATE-----
(the text of your primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the text of the intermediate / CA chain certificate)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(the text of your private key)
-----END PRIVATE KEY-----

Older keys may be labeled BEGIN RSA PRIVATE KEY instead of BEGIN PRIVATE KEY; either is fine. The key must not be encrypted with a passphrase, because Courier loads it without prompting. The PEM file must be readable only by root (the chmod 600 above), since it contains the private key.

If you would rather keep the private key in its own file, leave the key out of the PEM and set TLS_PRIVATE_KEYFILE to the key’s path in the config (Step 2). When the key is already embedded in TLS_CERTFILE, the separate key file is optional.

Step 2: Point Courier at your PEM file

Open the config file Courier uses for IMAP over SSL. The path depends on your distribution: it is usually /etc/courier/imapd-ssl, or /usr/lib/courier-imap/etc/imapd-ssl on some systems. Edit it with a text editor, for example:

sudo nano /etc/courier/imapd-ssl

Locate the TLS_CERTFILE line (or add it if missing) and set it to your PEM file:

TLS_CERTFILE=/etc/courier/imapd.pem

If you kept the private key separate in Step 1, also set its path:

TLS_PRIVATE_KEYFILE=/etc/courier/imapd.key

While you are in this file, harden the TLS settings. Remove or comment out any line that forces an obsolete protocol, such as TLS_PROTOCOL=SSL3: SSLv3 and the early TLS 1.0 and 1.1 versions are insecure and should be disabled. Set Courier to require TLS 1.2 or higher. TLS_PROTOCOL applies to the dedicated SSL port (IMAPS), and TLS_STARTTLS_PROTOCOL applies to STARTTLS on the standard port:

TLS_PROTOCOL=TLSv1.2
TLS_STARTTLS_PROTOCOL=TLSv1.2

The value TLSv1.2 means “TLS 1.2 or higher,” so TLS 1.3 is still negotiated when your OpenSSL build supports it. You do not need to set TLS_TRUSTCERTS to serve your certificate to mail clients; that variable is only for verifying client certificates.

Note on Diffie-Hellman parameters: current Courier packages generate a DH parameter file automatically (via the mkdhparams script and a periodic cron job) and read it from TLS_DHPARAMS, so you no longer create one by hand for a standard install. The old TLS_DHCERTFILE directive was removed in Courier 4.15. If mkdhparams has never run on your server, run it once to create the file.

If you also serve POP3S (port 995), open the POP3 config file, /etc/courier/pop3d-ssl (or /usr/lib/courier-imap/etc/pop3d-ssl), and apply the same settings. You can reuse the same PEM file, or create a dedicated /etc/courier/pop3d.pem with the same contents:

TLS_CERTFILE=/etc/courier/pop3d.pem
TLS_PROTOCOL=TLSv1.2
TLS_STARTTLS_PROTOCOL=TLSv1.2

Step 3: Restart Courier

Restart Courier so it loads the new certificate. On most systemd-based distributions, restart the SSL services and the authentication daemon:

sudo systemctl restart courier-imap-ssl
sudo systemctl restart courier-pop3-ssl
sudo systemctl restart courier-authdaemon

Some packages expose a single combined unit instead. If the services above are not found, try:

sudo systemctl restart courier

On a system that does not use systemd, restart through Courier’s own scripts:

/usr/lib/courier-imap/libexec/imapd-ssl.rc restart
/usr/lib/courier-imap/libexec/pop3d-ssl.rc restart

Once the service restarts cleanly, your new SSL certificate is live for IMAPS (port 993) and POP3S (port 995), as well as for STARTTLS on ports 143 and 110.

Test your SSL installation

After installation, confirm the certificate is served correctly. From a terminal, open a TLS connection to the IMAPS port and read the certificate the server presents:

openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

For POP3S, use port 995. To test STARTTLS on the standard IMAP port instead, run:

openssl s_client -connect mail.yourdomain.com:143 -starttls imap

The first command pipes the connection into openssl x509 and prints the issuer, subject (common name), and validity dates, so you can confirm the right certificate is served. The STARTTLS command shows the full handshake: check that the issuer and chain are correct and that Verify return code: 0 (ok) appears near the end. For a full report on your certificate and its configuration, use our SSL Checker.

Frequently Asked Questions

In what order do I combine the files in the Courier PEM?

Server certificate first, then the intermediate (CA) chain, then the private key, all in one PEM file. Courier reads this file from TLS_CERTFILE and presents the full chain to clients. The private key must be unencrypted (no passphrase).

Where is the Courier SSL configuration file?

IMAP over SSL is configured in /etc/courier/imapd-ssl, and POP3 over SSL in /etc/courier/pop3d-ssl. On some distributions these live under /usr/lib/courier-imap/etc/ instead. The STARTTLS settings for the plain-text ports are in the matching imapd and pop3d files.

Do I still need Diffie-Hellman (DH) parameters for Courier?

Not by hand for a normal install. Current Courier packages generate a DH parameter file automatically with the mkdhparams script and refresh it on a schedule, reading it from TLS_DHPARAMS. The older TLS_DHCERTFILE directive was removed in Courier 4.15. Run mkdhparams once only if no DH file exists yet.

How do I disable SSLv3 and old TLS versions in Courier?

Remove any TLS_PROTOCOL=SSL3 line and set TLS_PROTOCOL=TLSv1.2 in imapd-ssl and pop3d-ssl. Set TLS_STARTTLS_PROTOCOL=TLSv1.2 for the STARTTLS ports. The TLSv1.2 value means “1.2 or higher,” so TLS 1.3 is used automatically when your OpenSSL supports it.

How do I verify the certificate after restarting Courier?

Connect to the mail port with OpenSSL and read the served certificate: openssl s_client -connect mail.yourdomain.com:993 for IMAPS, or add -starttls imap on port 143. Confirm the issuer and chain are correct and that the output shows Verify return code: 0 (ok).

Hemat 10% untuk Sertifikat SSL saat memesan hari ini!

Penerbitan cepat, enkripsi kuat, kepercayaan peramban 99,99%, dukungan khusus, dan jaminan uang kembali 25 hari. Kode kupon: SAVE10

Ditulis oleh

Penulis konten berpengalaman yang berspesialisasi dalam Sertifikat SSL. Mengubah topik keamanan siber yang rumit menjadi konten yang jelas dan menarik. Berkontribusi untuk meningkatkan keamanan digital melalui narasi yang berdampak.