At installation, Dovecot creates a self-signed certificate that will expire in one year. Your server installation will often be in place longer than this, so one solution is to create a new certificate that expires in 5 years. To do so, follow these instructions.
By default, the certificate and key are located under /etc/ssl/ (the key in private/, the certificate in certs/).
Start by copying the existing files as a backup:
sudo cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key-backup
sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem-backup
Create a new key (2048-bit RSA; 1024-bit RSA keys are no longer considered adequate):
openssl genrsa -out server.key 2048
Create a new certificate using the key:
openssl req -new -x509 -key server.key -out server.pem -days 1826
Here's what I enter for the prompts at this point:
country code: US
state or province: California
city: Paso Robles
company name: xxx or you can leave this blank
common name: your host's FQDN
email address: admin@domainname, root@domainname, or root@localhost
Replace the old files with the two new ones just made:
sudo mv server.key /etc/ssl/private/ssl-cert-snakeoil.key
sudo mv server.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
Restart the Dovecot IMAP server:
sudo service dovecot restart
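Make sure the ownership and permissions on the new files are appropriate. Compare them with the backup copies of the old ones to get an idea; mv keeps the owner and mode the files had where they were created, so the new files do not pick up the old files' settings automatically. Generally, the key file should only be readable by root.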
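The checks implied by the steps above can be scripted and run on server.key and server.pem before they are moved into place. This is an added example, not part of the original instructions; the function names, the 2048-bit minimum and the "no access for other users" rule are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check a new key and
# certificate before moving them into /etc/ssl and restarting Dovecot.

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Key size in bits, parsed from the "Private-Key: (N bit" line.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds only if "other" users have no permission bits on the file.
key_not_world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# check_pair KEY CERT MIN_DAYS: prints each failed check, returns non-zero if any.
check_pair() {
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key size is ${bits:-unreadable}, want >= 2048 bits"; rc=1; }
    [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ] ||
        { echo "FAIL: certificate was not made from this key"; rc=1; }
    openssl x509 -in "$2" -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $3 days"; rc=1; }
    key_not_world_accessible "$1" ||
        { echo "FAIL: key is accessible to other users"; rc=1; }
    return $rc
}

# Run as: sh check-cert.sh server.key server.pem 1800
if [ "$#" -eq 3 ]; then check_pair "$1" "$2" "$3"; fi
```

A silent exit with status 0 means the key is large enough, the certificate was generated from that key, it stays valid for at least the requested number of days, and the key is not exposed to other local users.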