First, you need to generate a key for your server if you don't already have one:

    openssl genrsa -out server.key 2048

With that key, you can then generate a certificate request:

    openssl req -new -key server.key -out server.csr

If you did not customize your openssl.cnf configuration file, the above command will prompt you for the identity details of the server to put in the certificate. Answer all questions as you please except for the common name "CN", which should be the host name used to connect to your server.

Now, you need to get a Certificate Authority to sign your request. For example, if you have a demoCA set up for your openssl installation, you can do:

    openssl ca -config openssl.cnf -policy policy_anything -out server.crt -infiles server.csr

This results in the certificate file server.crt. You can then combine the server key and certificate files to create the certificate file for the courier mail server:

    cat server.key server.crt > esmtpd.pem

This used to be sufficient. However, the newer version (0.73) of courier requires a "DH parameters" block in the certificate file. This can be generated and appended with:

    openssl dhparam 1024 >> esmtpd.pem

Now, you can point the "TLS_CERTFILE" setting in all the configuration files to the certificate esmtpd.pem and restart your server.
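
A check worth running on the combined file before the restart, as an added example that is not part of the original instructions: it confirms that esmtpd.pem holds all three blocks, that the key and certificate belong together, and reports the size of the DH parameters. The function names are hypothetical helpers made up for this example.

```sh
#!/bin/sh
# Added example: sanity checks for the combined esmtpd.pem built above.
# The function names are hypothetical helpers, not Courier or OpenSSL commands.

# pem_missing_blocks FILE -> prints the required blocks FILE lacks (empty = none)
pem_missing_blocks() {
    f=$1; missing=""
    # genrsa writes "RSA PRIVATE KEY" or "PRIVATE KEY" depending on the OpenSSL version
    grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----$' "$f" || missing="$missing key"
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || missing="$missing certificate"
    grep -q '^-----BEGIN DH PARAMETERS-----$' "$f" || missing="$missing dhparams"
    echo "${missing# }"
}

# key_matches_cert FILE -> succeeds when key and certificate share one public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# dh_bits FILE -> prints the size of the appended DH parameters, e.g. 1024
dh_bits() {
    sed -n '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/p' "$1" |
        openssl dhparam -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_courier_pem FILE -> runs all checks and reports the first failure
check_courier_pem() {
    pem=$1
    gaps=$(pem_missing_blocks "$pem")
    [ -z "$gaps" ] || { echo "$pem: missing block(s): $gaps"; return 1; }
    key_matches_cert "$pem" || { echo "$pem: key does not match certificate"; return 1; }
    echo "$pem: key, certificate and $(dh_bits "$pem")-bit DH parameters present"
}

# Run against a file only when one is named on the command line.
[ $# -eq 0 ] || check_courier_pem "$1"
```

Saved under a name of your choosing and run with esmtpd.pem as its argument, it exits non-zero when a block is missing or the key and certificate do not match.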