In this tutorial, you will learn how to install an SSL certificate on a Courier IMAP server. You combine your certificate, private key, and CA chain into a single PEM file, point Courier’s TLS_CERTFILE setting at it, and restart the service so IMAPS and POP3S serve the new certificate.
Hasilkan kode CSR di Server IMAP Courier
If you have already generated your CSR and received the SSL files, skip part 1 and jump straight to the installation steps.
The CSR (Certificate Signing Request) is a block of encoded text that contains your contact details. You create it and send it to your Certificate Authority (CA) to pass SSL validation. Generating the CSR also creates the matching private key, which stays on your server and is needed for installation. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Courier IMAP Server.
To open the CSR file, use any plain text editor. When ordering, copy the entire block, including the BEGIN and END lines. Keep the private key file safe: you will merge it into your PEM file during installation.
Install an SSL certificate on Courier IMAP Server
After validation, your CA emails you a ZIP archive with your SSL files: the primary (server) certificate and one or more intermediate (CA) certificates. Extract the archive on your server, then follow the steps below.
Step 1: Combine the certificate, chain, and key into one PEM file
Courier reads the certificate and the private key from a single PEM file set in TLS_CERTFILE. Concatenate the files in this order: your server certificate first, then the CA intermediate chain, then your private key. From the directory holding the extracted files, run:
cat yourdomain.crt yourdomain.ca-bundle yourdomain.key > imapd.pem
sudo mv imapd.pem /etc/courier/imapd.pem
sudo chmod 600 /etc/courier/imapd.pem
If your CA delivered the intermediates as separate files instead of a single .ca-bundle, list each one between the certificate and the key. The finished PEM file should look like this:
-----BEGIN CERTIFICATE-----
(the text of your primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the text of the intermediate / CA chain certificate)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(the text of your private key)
-----END PRIVATE KEY-----
Older keys may be labeled BEGIN RSA PRIVATE KEY instead of BEGIN PRIVATE KEY; either is fine. The key must not be encrypted with a passphrase, because Courier loads it without prompting. The PEM file must be readable only by root (the chmod 600 above), since it contains the private key.
If you would rather keep the private key in its own file, leave the key out of the PEM and set TLS_PRIVATE_KEYFILE to the key’s path in the config (Step 2). When the key is already embedded in TLS_CERTFILE, the separate key file is optional.
Step 2: Point Courier at your PEM file
Open the config file Courier uses for IMAP over SSL. The path depends on your distribution: it is usually /etc/courier/imapd-ssl, or /usr/lib/courier-imap/etc/imapd-ssl on some systems. Edit it with a text editor, for example:
sudo nano /etc/courier/imapd-ssl
Locate the TLS_CERTFILE line (or add it if missing) and set it to your PEM file:
TLS_CERTFILE=/etc/courier/imapd.pem
If you kept the private key separate in Step 1, also set its path:
TLS_PRIVATE_KEYFILE=/etc/courier/imapd.key
While you are in this file, harden the TLS settings. Remove or comment out any line that forces an obsolete protocol, such as TLS_PROTOCOL=SSL3: SSLv3 and the early TLS 1.0 and 1.1 versions are insecure and should be disabled. Set Courier to require TLS 1.2 or higher. TLS_PROTOCOL applies to the dedicated SSL port (IMAPS), and TLS_STARTTLS_PROTOCOL applies to STARTTLS on the standard port:
TLS_PROTOCOL=TLSv1.2
TLS_STARTTLS_PROTOCOL=TLSv1.2
The value TLSv1.2 means “TLS 1.2 or higher,” so TLS 1.3 is still negotiated when your OpenSSL build supports it. You do not need to set TLS_TRUSTCERTS to serve your certificate to mail clients; that variable is only for verifying client certificates.
Note on Diffie-Hellman parameters: current Courier packages generate a DH parameter file automatically (via the mkdhparams script and a periodic cron job) and read it from TLS_DHPARAMS, so you no longer create one by hand for a standard install. The old TLS_DHCERTFILE directive was removed in Courier 4.15. If mkdhparams has never run on your server, run it once to create the file.
If you also serve POP3S (port 995), open the POP3 config file, /etc/courier/pop3d-ssl (or /usr/lib/courier-imap/etc/pop3d-ssl), and apply the same settings. You can reuse the same PEM file, or create a dedicated /etc/courier/pop3d.pem with the same contents:
TLS_CERTFILE=/etc/courier/pop3d.pem
TLS_PROTOCOL=TLSv1.2
TLS_STARTTLS_PROTOCOL=TLSv1.2
Step 3: Restart Courier
Restart Courier so it loads the new certificate. On most systemd-based distributions, restart the SSL services and the authentication daemon:
sudo systemctl restart courier-imap-ssl
sudo systemctl restart courier-pop3-ssl
sudo systemctl restart courier-authdaemon
Some packages expose a single combined unit instead. If the services above are not found, try:
sudo systemctl restart courier
On a system that does not use systemd, restart through Courier’s own scripts:
/usr/lib/courier-imap/libexec/imapd-ssl.rc restart
/usr/lib/courier-imap/libexec/pop3d-ssl.rc restart
Once the service restarts cleanly, your new SSL certificate is live for IMAPS (port 993) and POP3S (port 995), as well as for STARTTLS on ports 143 and 110.
Test your SSL installation
After installation, confirm the certificate is served correctly. From a terminal, open a TLS connection to the IMAPS port and read the certificate the server presents:
openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates
For POP3S, use port 995. To test STARTTLS on the standard IMAP port instead, run:
openssl s_client -connect mail.yourdomain.com:143 -starttls imap
The first command pipes the connection into openssl x509 and prints the issuer, subject (common name), and validity dates, so you can confirm the right certificate is served. The STARTTLS command shows the full handshake: check that the issuer and chain are correct and that Verify return code: 0 (ok) appears near the end. For a full report on your certificate and its configuration, use our SSL Checker.
Frequently Asked Questions
Server certificate first, then the intermediate (CA) chain, then the private key, all in one PEM file. Courier reads this file from TLS_CERTFILE and presents the full chain to clients. The private key must be unencrypted (no passphrase).
IMAP over SSL is configured in /etc/courier/imapd-ssl, and POP3 over SSL in /etc/courier/pop3d-ssl. On some distributions these live under /usr/lib/courier-imap/etc/ instead. The STARTTLS settings for the plain-text ports are in the matching imapd and pop3d files.
Not by hand for a normal install. Current Courier packages generate a DH parameter file automatically with the mkdhparams script and refresh it on a schedule, reading it from TLS_DHPARAMS. The older TLS_DHCERTFILE directive was removed in Courier 4.15. Run mkdhparams once only if no DH file exists yet.
Remove any TLS_PROTOCOL=SSL3 line and set TLS_PROTOCOL=TLSv1.2 in imapd-ssl and pop3d-ssl. Set TLS_STARTTLS_PROTOCOL=TLSv1.2 for the STARTTLS ports. The TLSv1.2 value means “1.2 or higher,” so TLS 1.3 is used automatically when your OpenSSL supports it.
Connect to the mail port with OpenSSL and read the served certificate: openssl s_client -connect mail.yourdomain.com:993 for IMAPS, or add -starttls imap on port 143. Confirm the issuer and chain are correct and that the output shows Verify return code: 0 (ok).
Hemat 10% untuk Sertifikat SSL saat memesan hari ini!
Penerbitan cepat, enkripsi kuat, kepercayaan peramban 99,99%, dukungan khusus, dan jaminan uang kembali 25 hari. Kode kupon: SAVE10

