+
+ if test "@ssllib@" = "openssl"
+ then
+- cp /dev/null @mydatadir@/imapd.pem
+- chmod 600 @mydatadir@/imapd.pem
+- chown @mailuser@ @mydatadir@/imapd.pem
++ cp /dev/null @certsdir@/imapd.pem
++ chmod 600 @certsdir@/imapd.pem
++ chown @mailuser@ @certsdir@/imapd.pem
+
+- dd if=@RANDOMV@ of=@mydatadir@/imapd.rand count=1 2>/dev/null
++ dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null
+ @OPENSSL@ req -new -x509 -days 365 -nodes \
+- -config @sysconfdir@/imapd.cnf -out @mydatadir@/imapd.pem -keyout @mydatadir@/imapd.pem || cleanup
+- @OPENSSL@ gendh -rand @mydatadir@/imapd.rand 512 >>@mydatadir@/imapd.pem || cleanup
+- @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @mydatadir@/imapd.pem || cleanup
+- rm -f @mydatadir@/imapd.rand
++ -config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup
++ @OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup
++ @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup
++ rm -f @certsdir@/imapd.rand
+ else
+- cp /dev/null @mydatadir@/imapd.key
+- chmod 600 @mydatadir@/imapd.key
+- cp /dev/null @mydatadir@/imapd.cert
+- chmod 600 @mydatadir@/imapd.cert
++ cp /dev/null @certsdir@/imapd.key
++ chmod 600 @certsdir@/imapd.key
++ cp /dev/null @certsdir@/imapd.cert
++ chmod 600 @certsdir@/imapd.cert
+
+ @CERTTOOL@ --generate-privkey --outfile imapd.key
+ @CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf
+diff -urN courier-imap-4.3.0.orig/imap/mkpop3dcert.8.in courier-imap-4.3.0/imap/mkpop3dcert.8.in
+--- courier-imap-4.3.0.orig/imap/mkpop3dcert.8.in 2007-04-22 17:33:36.000000000 +0200
++++ courier-imap-4.3.0/imap/mkpop3dcert.8.in 2008-01-19 19:55:01.929235273 +0100
+@@ -21,18 +21,18 @@
+ .SH "DESCRIPTION"
+ .PP
+ POP3 over SSL requires a valid, signed, X.509 certificate. The default location for the certificate file is
+-\fI@datadir@/pop3d.pem\fR.
++\fI@certsdir@/pop3d.pem\fR.
+ \fBmkpop3dcert\fR
+ generates a self\-signed X.509 certificate, mainly for testing. For production use the X.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate.
+ .PP
+
+-\fI@datadir@/pop3d.pem\fR
++\fI@certsdir@/pop3d.pem\fR
+ must be owned by the @mailuser@ user and have no group or world permissions. The
+ \fBmkpop3dcert\fR
+ command will enforce this. To prevent an unfortunate accident,
+ \fBmkpop3dcert\fR
+ will not work if
+-\fB@datadir@/pop3d.pem\fR
++\fB@certsdir@/pop3d.pem\fR
+ already exists.
+ .PP
+
+@@ -42,7 +42,7 @@
+ to be installed.
+ .SH "FILES"
+ .PP
+-@datadir@/pop3d.pem
++@certsdir@/pop3d.pem
+ .RS 4
+ X.509 certificate.
+ .RE
+diff -urN courier-imap-4.3.0.orig/imap/mkpop3dcert.html.in courier-imap-4.3.0/imap/mkpop3dcert.html.in
+--- courier-imap-4.3.0.orig/imap/mkpop3dcert.html.in 2007-04-22 17:33:35.000000000 +0200
++++ courier-imap-4.3.0/imap/mkpop3dcert.html.in 2008-01-19 19:55:15.619924063 +0100
+@@ -7,22 +7,22 @@
+ --></head><body><div class="refentry" lang="en" xml:lang="en"><a id="mkpop3dcert" shape="rect"> </a><div class="titlepage"/><div class="refnamediv"><h2>Name</h2><p>mkpop3dcert — create a test SSL certificate for POP3 over SSL</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">@sbindir@/mkpop3dcert</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id281688" shape="rect"> </a><h2>DESCRIPTION</h2><p>
+ POP3 over SSL requires a valid, signed, X.509 certificate. The default
+ location for the certificate file is
+-<code class="filename">@datadir@/pop3d.pem</code>.
++<code class="filename">@certsdir@/pop3d.pem</code>.
+ <span><strong class="command">mkpop3dcert</strong></span> generates a self-signed X.509 certificate,
+ mainly for
+ testing.
+ For production use the X.509 certificate must be signed by a
+ recognized certificate authority, in order for mail clients to accept the
+ certificate.</p><p>
+-<code class="filename">@datadir@/pop3d.pem</code> must be owned by the
++<code class="filename">@certsdir@/pop3d.pem</code> must be owned by the
+ @mailuser@ user and
+ have no group or world permissions.
+ The <span><strong class="command">mkpop3dcert</strong></span> command will
+ enforce this. To prevent an unfortunate accident,
+ <span><strong class="command">mkpop3dcert</strong></span>
+-will not work if <span><strong class="command">@datadir@/pop3d.pem</strong></span> already exists.</p><p>
++will not work if <span><strong class="command">@certsdir@/pop3d.pem</strong></span> already exists.</p><p>
+ <span><strong class="command">mkpop3dcert</strong></span> requires
+-<span class="application">OpenSSL</span> to be installed.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id282351" shape="rect"> </a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term">@datadir@/pop3d.pem</span></dt><dd>
++<span class="application">OpenSSL</span> to be installed.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id282351" shape="rect"> </a><h2>FILES</h2><div class="variablelist"><dl><dt><span class="term">@certsdir@/pop3d.pem</span></dt><dd>
+ X.509 certificate.
+ </dd><dt><span class="term">@sysconfdir@/pop3d.cnf</span></dt><dd>
+ Parameters used by OpenSSL to
+diff -urN courier-imap-4.3.0.orig/imap/mkpop3dcert.in courier-imap-4.3.0/imap/mkpop3dcert.in
+--- courier-imap-4.3.0.orig/imap/mkpop3dcert.in 2007-11-04 21:50:15.000000000 +0100
++++ courier-imap-4.3.0/imap/mkpop3dcert.in 2008-01-19 19:59:17.935447993 +0100
+@@ -18,41 +18,41 @@