At installation Dovecot creates a self-signed certificate that will expire in one year. Often your server installation will be in place longer than this. So, one solution is to create a new certificate that expires in 5 years. To do so follow these instructions.

By default, the certificate and key are located at: /etc/ssl/

Start by copying the existing files as a backup:

sudo cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key-backup
sudo cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem-backup

Create a new key:

openssl genrsa -out server.key 1024

Create a new certificate using the key:

openssl req -new -x509 -key server.key -out server.pem -days 1826

Here's what I enter for the prompts at this point:

country code: US
state or province: California
city: Paso Robles
company name: xxx or you can leave this blank
common name: your host's FQDN
email address: admin@domainname, root@domainname, or root@localhost

Replace the old files with the two new ones just made:

sudo mv server.key /etc/ssl/private/ssl-cert-snakeoil.key
sudo mv server.pem /etc/ssl/certs/ssl-cert-snakeoil.pem

Restart the Dovecot IMAP server:

sudo service dovecot restart

Make sure the security settings on the new files are appropriate. Look at the old ones to get an idea. Generally, the key file should only be readable by root.