Secure ESMTP requires a valid, signed, X.509 certificate. The default location for the certificate file is /usr/local/courier/share/esmtpd.pem. The mkesmtpdcert generates a self-signed X.509 certificate, mainly for testing. For production use the X.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate.
/usr/local/courier/share/esmtpd.pem must be owned by the daemon user and have no group or world permissions. The mkesmtpdcert command will enforce this. To prevent an unfortunate accident, mkesmtpdcert will not work if /usr/local/courier/share/esmtpd.pem already exists.
mkesmtpdcert requires OpenSSL to be installed.