I’m assuming the courier you’re talking about is a server? Have you read Courier’s documentation?
TLS_CERTFILE=filename: The certificate to use. TLS_CERTFILE is required for SSL/TLS servers, and is optional for SSL/TLS clients. filename must not be world-readable.
TLS_TRUSTCERTS=pathname: Load trusted root certificates from pathname. pathname can be a file or a directory. If a file, the file should contain a list of trusted certificates, in PEM format. If a directory, the directory should contain the trusted certificates, in PEM format, one per file and hashed using OpenSSL’s c_rehash script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set to PEER or REQUIREPEER).
TLS_VERIFYPEER=level: Whether to verify peer’s X.509 certificate. The exact meaning of this option depends upon whether couriertls is used in the client or server mode. In server mode: NONE - do not request an X.509 certificate from the client; PEER - request an optional X.509 certificate from the client, if the client returns one, the SSL/TLS connection is shut down unless the certificate is signed by a trusted certificate authority (see TLS_TRUSTCERTS); REQUIREPEER - same as PEER, except that the SSL/TLS connection is also shut down if the client does not return the optional X.509 certificate. In client mode: NONE - ignore the server’s X.509 certificate; PEER - verify the server’s X.509 certificate according to the -domain option (see above).
Do you run a Courier server? If the answer is yes: do you want to verify clients by X.509 certificates? If the answer is no: can you answer the following question after reading the above: do you need to set TLS_CERTFILE in your configuration?
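The server-mode rules quoted above, written as a configuration check. This is an added example, not part of the original post and not Courier's own code. It assumes the settings are plain KEY=value lines and that an unset TLS_VERIFYPEER means NONE; the function names and the sample file are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_settings(text):
    """Parse KEY=value lines, skipping blanks and # comments (assumed format)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_server_tls(settings):
    """Return findings for a server-mode configuration, per the quoted text."""
    findings = []
    cert = settings.get("TLS_CERTFILE")
    if not cert:
        findings.append("TLS_CERTFILE is required for SSL/TLS servers")
    elif not os.path.isfile(cert):
        findings.append(f"TLS_CERTFILE {cert} does not exist")
    elif os.stat(cert).st_mode & stat.S_IROTH:
        findings.append(f"TLS_CERTFILE {cert} must not be world-readable")
    # Assumption: an unset TLS_VERIFYPEER is treated as NONE here.
    verify = settings.get("TLS_VERIFYPEER", "NONE").upper()
    if verify not in ("NONE", "PEER", "REQUIREPEER"):
        findings.append(f"TLS_VERIFYPEER has unknown value {verify}")
    elif verify != "NONE":
        # Client certificates can only be checked against trusted roots.
        trust = settings.get("TLS_TRUSTCERTS")
        if not trust or not os.path.exists(trust):
            findings.append(f"TLS_VERIFYPEER={verify} needs a valid TLS_TRUSTCERTS")
    return findings

def demo():
    """Check a weak and a corrected constructed configuration."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "server.pem")
        with open(cert, "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
        os.chmod(cert, 0o644)  # weak: world-readable certificate file
        weak = parse_settings(f"TLS_CERTFILE={cert}\nTLS_VERIFYPEER=REQUIREPEER\n")
        before = check_server_tls(weak)
        os.chmod(cert, 0o600)  # corrected: owner-only
        fixed = parse_settings(f"# no client certs\nTLS_CERTFILE={cert}\nTLS_VERIFYPEER=NONE\n")
        return before, check_server_tls(fixed)

if __name__ == "__main__":
    print(demo())
```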