First, if you're using squirrelmail-imap_proxy with SSL, you have Ken
Murchison to thank for that.  He added this feature.

squirrelmail-imap_proxy only supports TLS between the proxy server and the
real IMAP server.  It does not support TLS between a client (usually webmail)
and the proxy server.  The idea here is that you can run the IMAP proxy on
the same machine as your webserver.  If you're using TLS to your webserver,
the webserver can then send plaintext auth to the proxy without the password
ever crossing the network, then the proxy can use TLS to the IMAP server.

The proxy will only use TLS if the real IMAP server forces it to do so by
advertising LOGINDISABLED in the capability string.

squirrelmail-imap_proxy does not support the deprecated notion of imaps
using port 993.  It only supports the use of the STARTTLS command to
initiate SSL/TLS from within a regular IMAP connection (do NOT set the
"server_port" setting in imapproxy.conf to 993!).  However, keep reading...

If you are trying to proxy to an IMAP server that is only available using
imaps/port 993 (e.g., Gmail), you can setup a SSL tunnel (check out stunnel)
to that server and let squirrelmail-imap_proxy talk to the local (plaintext)
end of that tunnel (in which case, no SSL setup is required for
squirrelmail-imap_proxy).

There are four configuration file options that you'll have to set in order
for SSL to work.  They are tls_ca_file, tls_ca_path, tls_cert_file and
tls_key_file.

I haven't had time to write my own ssl tuturial (and I might never) but you
can find a wealth of information here:

http://www.sendmail.org/~ca/email/starttls.html


Steve Lidie from lehigh.edu contributed the following information
that should help you along, also:

The only change I found necessary was in the OpenSSL configuration file:

# diff openssl.cnf~ openssl.cnf
37c37
< dir           = ./demoCA              # Where everything is kept
---
> dir           = .             # Where everything is kept

Copied here vebatim, are the required steps:

To make certificate authority:

 mkdir CA
 cd CA
 mkdir certs crl newcerts private
 echo "01" > serial
 cp /dev/null index.txt
 cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
 vi openssl.cnf   (set values)
 openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

To make a new certificate:

 cd CA        (same directory created above)
 openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

Certificate and private key in file newreq.pem.
To sign new certificate with certificate authority:

 cd CA        (same directory created above)
 openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
 openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
 rm -f tmp.pem

newcert.pem contains the signed certificate, newreq.pem still
contains the unsigned certificate and private key.

The resulting imapproxy.config lines then look like this:

tls_ca_path   /usr/local/etc/CA/
tls_ca_file   /usr/local/etc/CA/cacert.pem
tls_cert_file /usr/local/etc/CA/newcert.pem
tls_key_file  /usr/local/etc/CA/newreq.pem