Use a signed SSL certificate

Mail Toaster provides your clients with a number of ways to send and receive their emails securely. The good news is that all those security features are enabled by default. Unfortunately, all the SSL certificates are unsigned. If you have your own CA (Certificate Authority) you can self-sign the certificates and then install your CA cert in all your users browsers/email clients. That is one way to prevent them from getting the "invalid certificate" errors every time they securely check their mail.

The other way is to purchase a signed SSL certificate. After you get your new SSL certificate, it must be installed separately for the POP3-SSL, IMAP-SSL, HTTPS, and SMTP-TLS servers.

Installing the signed certificate consisted of:

cat /path/to/ssl/cert.key > /var/qmail/control/servercert.pem cat /path/to/ssl/cert.crt >> /var/qmail/control/servercert.pem cat /path/to/ssl/intermediary_cert.crt >> /var/qmail/control/servercert.pem

cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem chown vpopmail:vchkpw /var/qmail/control/servercert.pem chown qmaild /var/qmail/control/clientcert.pem chmod 400 /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem qmail restart

cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem imapssl stop imapssl start pop3ssl stop pop3ssl start

That's all I had to do.... other than reconfigure my email client to connect on the host name that my "real" cert uses, and it works like a charm.

Types of SSL certificates
There are various types of certificates available. The best certificates are single root certificates, meaning that their are no chains between their certificate and the root CA. These certificates work pretty much everywhere.

The other common type is a chained certificate. These certs come packaged with several additional certificates which must all be installed. Some servers do not support chained certificates, and even if the server does, the clients may not be capable of validating the chain. These chained certificates can often be purchased quite cheap (less than $50).

If the certificate doesn't say what type it is, it is chained. Avoid it and get a single root cert.

Certificates Known to work
QuickSSL by GeoTrust - order from TNPI store ($140) - M. Simerson RapidSSL - by GeoTrust - order from TNPI store ($60) - M. Simerson SSL123 - by Thawte ($150) - R. Minch. Buy it from Dotster instead for $35.

Certificates Known to NOT work
InstantSSL - by Comodo ($80/yr, chained) - M. Simerson - Works with Dovecot & Apache (both support chained certs). Does not work with courier-imap or qmail.

Interesting Certificates
Turbo SSL by GoDaddy - $20 - M. Simerson - a double-chained certificate. Requires TWO chain files. Works with Apache 2 but requires extra config options:

SSLCertificateFile     certs/www.tnpi.net.crt SSLCertificateKeyFile  certs/www.tnpi.net.key SSLCertificateChainFile certs/www.tnpi.net.crt.intermediate SSLCACertificateFile   certs/www.tnpi.net.crt.intermediate_cross
 * 1) www.tnpi.net GoDaddy cert (2007-2017)

I haven't invested the time to see if I can get it working with dovecot, courier-imap, and qmail. My initial guess is, probably not.

Jerm - I use GoDaddy Certs exclusively and they work fine with my entire toaster setup:
 * apache2 - works by using the gd_intermediate_bundle (near the bottom). Apache works great configured as if it was a single chain, ie: SSLCertificateChainFile only
 * qmail - I included the GD bundle certs at the end of my servercert.pem file and that works like a charm
 * courier - my imap and pop3 ssl configs point to my qmail servercert.pem and work swimmingly.