search for: client_and_server_ca_extensions

..._extensions ] basicConstraints = CA:false keyUsage = keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1 If you just do that, then the SSL certificate doesn't work in dovecot (it will work fine in Apache, or Postfix etc etc). You also need the certificate to be valide for client side work: [ client_and_server_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1 I believe this is a fault with Dovecot. This is with the Debian package for Dovecot 1.2.11 (Version: 1:1.2.11-1). The default self-signed certificate the Debian post-i...