IMAP over SSL requires a valid, signed, X.509 certificate. The default location for the certificate file is /usr/lib/courier/imapd.pem. mkimapdcert generates a self-signed X.509 certificate, mainly for testing. For production use the X.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate.
/usr/lib/courier/imapd.pem must be owned by the daemon user and have no group or world permissions. The mkimapdcert command will enforce this. To prevent an unfortunate accident, mkimapdcert will not work if /usr/lib/courier/imapd.pem already exists.
mkimapdcert requires OpenSSL to be installed.