My certificates expired and I had to figure out how to re-create them. In brief, uninstallation and removal of /etc/ssl/dovecot does not work with any of the ebuilds tested (2.2.9, 2.2.13, 2.2.16). In all cases the generated self-signed certificate was with default values (wrong locality but also rather weak RSA 1024 bit cipher): # openssl s_client -connect pop.mydomain.com:pop3s CONNECTED(00000003) depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost verify error:num=27:certificate not trusted verify return:1 depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Santa Barbara/O=Dovecot IMAP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost i:/C=US/ST=California/L=Santa Barbara/O=Dovecot IMAP Server/OU=For Testing Purposes Only/CN=localhost CA/emailAddress=root@localhost --- ... I suspect that happens because the certificates are created under sandbox. Previous ebuilds installed /etc/dovecot/dovecot-openssl.cnf. The file is gone now. There used to be symlinks from /etc/ssl/dovecot/* files pointing to /etc/ssl/private/ contents. The ebuild installs a shellscript said to be used for certificate regeneration here under /usr/share/doc/dovecot-2.2.16/mkcert.sh.bz2 but it used to be installed as /etc/dovecot/mkcert.sh . I second what was said in bug #163851 that Gentoo should properly fix the paths everywhere if it is installing files into non-official directories. It is difficult to follow any 3rd-party tutorial if the common tools do not fetch values from proper files. I would like to see that Gentoo installs functional /etc/dovecot/mkcert.sh which has been used for creation of the certificate. Currently, it does not work. Even if I uncompress the mkcert.sh.bz2 file. pkg_postinst() should be more informative about re-generation of certificates. Finally, if I have existing /etc/ssl/dovecot/server.key file ebuild claims it will skipp re-generation of keys but the emerge still show it does create the keys. It just does no install them? BTW, there used to be easy-rsa subdirectory from openssl example directories but those are gone from Gentoo as well.