First, if you're using squirrelmail-imap_proxy with SSL, you have Ken Murchison to thank for that. He added this feature. squirrelmail-imap_proxy only supports TLS between the proxy server and the real IMAP server. It does not support TLS between a client (usually webmail) and the proxy server. The idea here is that you can run the IMAP proxy on the same machine as your webserver. If you're using TLS to your webserver, the webserver can then send plaintext auth to the proxy without the password ever crossing the network, then the proxy can use TLS to the IMAP server. The proxy will only use TLS if the real IMAP server forces it to do so by advertising LOGINDISABLED in the capability string. squirrelmail-imap_proxy does not support the deprecated notion of imaps using port 993. It only supports the use of the STARTTLS command to initiate SSL/TLS from within a regular IMAP connection (do NOT set the "server_port" setting in imapproxy.conf to 993!). However, keep reading... If you are trying to proxy to an IMAP server that is only available using imaps/port 993 (e.g., Gmail), you can setup a SSL tunnel (check out stunnel) to that server and let squirrelmail-imap_proxy talk to the local (plaintext) end of that tunnel (in which case, no SSL setup is required for squirrelmail-imap_proxy). There are four configuration file options that you'll have to set in order for SSL to work. They are tls_ca_file, tls_ca_path, tls_cert_file and tls_key_file. I haven't had time to write my own ssl tuturial (and I might never) but you can find a wealth of information here: http://www.sendmail.org/~ca/email/starttls.html Steve Lidie from lehigh.edu contributed the following information that should help you along, also: The only change I found necessary was in the OpenSSL configuration file: # diff openssl.cnf~ openssl.cnf 37c37 < dir = ./demoCA # Where everything is kept --- > dir = . # Where everything is kept Copied here vebatim, are the required steps: To make certificate authority: mkdir CA cd CA mkdir certs crl newcerts private echo "01" > serial cp /dev/null index.txt cp /usr/local/openssl/openssl.cnf.sample openssl.cnf vi openssl.cnf (set values) openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf To make a new certificate: cd CA (same directory created above) openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf Certificate and private key in file newreq.pem. To sign new certificate with certificate authority: cd CA (same directory created above) openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem rm -f tmp.pem newcert.pem contains the signed certificate, newreq.pem still contains the unsigned certificate and private key. The resulting imapproxy.config lines then look like this: tls_ca_path /usr/local/etc/CA/ tls_ca_file /usr/local/etc/CA/cacert.pem tls_cert_file /usr/local/etc/CA/newcert.pem tls_key_file /usr/local/etc/CA/newreq.pem