POP3 over SSL requires a valid, signed, X.509 certificate. The default location for the certificate file is /usr/lib/courier/pop3d.pem. mkpop3dcert generates a self-signed X.509 certificate, mainly for testing. For production use the X.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate.
/usr/lib/courier/pop3d.pem must be owned by the daemon user and have no group or world permissions. The mkpop3dcert command will enforce this. To prevent an unfortunate accident, mkpop3dcert will not work if /usr/lib/courier/pop3d.pem already exists.
mkpop3dcert requires OpenSSL to be installed.