diff --git a/courier-imap-4.8.0-certsdir.patch b/courier-imap-4.8.0-certsdir.patch
new file mode 100644
index 0000000..8a0a7d8
--- /dev/null
+++ b/courier-imap-4.8.0-certsdir.patch
@@ -0,0 +1,351 @@
+diff -ruN courier-imap-4.8.0-orig/configure courier-imap-4.8.0/configure
+--- courier-imap-4.8.0-orig/configure 2010-05-30 23:20:04.000000000 +0200
++++ courier-imap-4.8.0/configure 2010-08-05 16:27:03.000000000 +0200
+@@ -890,6 +890,7 @@
+ with_socks
+ with_authchangepwdir
+ with_package
++with_certsdir
+ '
+ ac_precious_vars='build_alias
+ host_alias
+@@ -1540,6 +1541,7 @@
+
+ --with-db=gdbm Use the GDBM library.
+ --with-db=db Use the libdb.a library.
++ --with-certsdir[=ARG] Directory where certs are created
+
+ Some influential environment variables:
+ CC C compiler command
+@@ -11104,6 +11106,12 @@
+ HAVE_HTML_FALSE=
+ fi
+
++# Check whether --with-certsdir was given.
++if test "${with_certsdir+set}" = set; then :
++ withval=$with_certsdir; certsdir="$withval"
++else
++ certsdir=$datadir
++fi
+
+ ac_config_files="$ac_config_files Makefile dbobj.h dbobj.config imapd.rc imapd-ssl.rc pop3d.rc pop3d-ssl.rc courier-imap.sysvinit courier-imap.spec courier-imap.lpspec INSTALL.html packaging/suse/courier-imap.init"
+
+diff -ruN courier-imap-4.8.0-orig/imap/configure courier-imap-4.8.0/imap/configure
+--- courier-imap-4.8.0-orig/imap/configure 2010-05-30 23:20:45.000000000 +0200
++++ courier-imap-4.8.0/imap/configure 2010-08-05 16:30:02.000000000 +0200
+@@ -753,6 +753,7 @@
+ HAVE_SGML_FALSE
+ HAVE_SGML_TRUE
+ mydatadir
++certsdir
+ smap
+ NETLIBS
+ dblibrary
+@@ -902,6 +903,7 @@
+ enable_workarounds_for_imap_client_bugs
+ with_dirsync
+ with_smap
++with_certsdir
+ with_package
+ with_version
+ with_trashquota
+@@ -1556,14 +1558,15 @@
+ both]
+ --with-gnu-ld assume the C compiler uses GNU ld [default=no]
+ --with-mailer=prog Your mail submission program
+- --with-random=/dev/urandom - location of the system random file generator
+---without-random - there is no system random file generator
++ --with-random=/dev/urandom - location of the system random file generator
++ --without-random - there is no system random file generator
+
+ --with-piddir Directory where imapd.pid is created
+
+- --with-dirsync Manually sync queue file directory
+- --without-smap Do not compile SMAP support
+- --with-trashquota Count deleted messages as part of the quota
++ --with-dirsync Manually sync queue file directory
++ --without-smap Do not compile SMAP support
++ --with-certsdir[=ARG] Directory where certs are created
++ --with-trashquota Count deleted messages as part of the quota
+
+ Some influential environment variables:
+ CC C compiler command
+@@ -16506,6 +16509,13 @@
+ eval "sysconfdir=$sysconfdir"
+ eval "localstatedir=$localstatedir"
+
++# Check whether --with-certsdir was given.
++if test "${with_certsdir+set}" = set; then :
++ withval=$with_certsdir; certsdir="$withval"
++else
++ certsdir="$datadir"
++fi
++
+ mydatadir="$datadir"
+ # Avoid useless autoconf warning
+
+diff -ruN courier-imap-4.8.0-orig/imap/imapd.cnf.openssl.in courier-imap-4.8.0/imap/imapd.cnf.openssl.in
+--- courier-imap-4.8.0-orig/imap/imapd.cnf.openssl.in 2007-11-04 21:49:58.000000000 +0100
++++ courier-imap-4.8.0/imap/imapd.cnf.openssl.in 2010-08-05 14:42:33.000000000 +0200
+@@ -1,5 +1,5 @@
+
+-RANDFILE = @mydatadir@/imapd.rand
++RANDFILE = @certsdir@/imapd.rand
+
+ [ req ]
+ default_bits = 1024
+@@ -15,7 +15,7 @@
+ O=Courier Mail Server
+ OU=Automatically-generated IMAP SSL key
+ CN=localhost
+-emailAddress=postmaster@example.com
++emailAddress=postmaster@localhost
+
+
+ [ cert_type ]
+diff -ruN courier-imap-4.8.0-orig/imap/imapd-ssl.dist.in courier-imap-4.8.0/imap/imapd-ssl.dist.in
+--- courier-imap-4.8.0-orig/imap/imapd-ssl.dist.in 2009-08-13 05:06:42.000000000 +0200
++++ courier-imap-4.8.0/imap/imapd-ssl.dist.in 2010-08-05 14:37:38.000000000 +0200
+@@ -260,7 +260,7 @@
+ #
+ # This is an experimental feature.
+
+-TLS_CERTFILE=@mydatadir@/imapd.pem
++TLS_CERTFILE=@certsdir@/imapd.pem
+
+ ##NAME: TLS_TRUSTCERTS:0
+ #
+diff -ruN courier-imap-4.8.0-orig/imap/Makefile.in courier-imap-4.8.0/imap/Makefile.in
+--- courier-imap-4.8.0-orig/imap/Makefile.in 2010-05-30 23:20:45.000000000 +0200
++++ courier-imap-4.8.0/imap/Makefile.in 2010-08-05 14:40:45.000000000 +0200
+@@ -234,6 +234,7 @@
+ build_vendor = @build_vendor@
+ builddir = @builddir@
+ cacerts = @cacerts@
++certsdir = @certsdir@
+ datadir = @datadir@
+ datarootdir = @datarootdir@
+ dblibrary = @dblibrary@
+diff -ruN courier-imap-4.8.0-orig/imap/mkimapdcert.8.in courier-imap-4.8.0/imap/mkimapdcert.8.in
+--- courier-imap-4.8.0-orig/imap/mkimapdcert.8.in 2010-02-20 05:12:44.000000000 +0100
++++ courier-imap-4.8.0/imap/mkimapdcert.8.in 2010-08-05 14:47:01.000000000 +0200
+@@ -29,18 +29,18 @@
+ .SH "DESCRIPTION"
+ .PP
+ IMAP over SSL requires a valid, signed, X\&.509 certificate\&. The default location for the certificate file is
+-@datadir@/imapd\&.pem\&.
++@certsdir@/imapd\&.pem\&.
+ \fBmkimapdcert\fR
+ generates a self\-signed X\&.509 certificate, mainly for testing\&. For production use the X\&.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate\&.
+ .PP
+
+-@datadir@/imapd\&.pem
++@certsdir@/imapd\&.pem
+ must be owned by the @mailuser@ user and have no group or world permissions\&. The
+ \fBmkimapdcert\fR
+ command will enforce this\&. To prevent an unfortunate accident,
+ \fBmkimapdcert\fR
+ will not work if
+-\fB@datadir@/imapd\&.pem\fR
++\fB@certsdir@/imapd\&.pem\fR
+ already exists\&.
+ .PP
+
+@@ -50,7 +50,7 @@
+ to be installed\&.
+ .SH "FILES"
+ .PP
+-@datadir@/imapd\&.pem
++@certsdir@/imapd\&.pem
+ .RS 4
+ X\&.509 certificate\&.
+ .RE
+diff -ruN courier-imap-4.8.0-orig/imap/mkimapdcert.html.in courier-imap-4.8.0/imap/mkimapdcert.html.in
+--- courier-imap-4.8.0-orig/imap/mkimapdcert.html.in 2010-02-20 05:12:44.000000000 +0100
++++ courier-imap-4.8.0/imap/mkimapdcert.html.in 2010-08-05 14:39:46.000000000 +0200
+@@ -7,22 +7,22 @@
+ -->
Name
mkimapdcert — create a test SSL certificate for IMAP over SSL
DESCRIPTION
+ IMAP over SSL requires a valid, signed, X.509 certificate. The default
+ location for the certificate file is
+-@datadir@/imapd.pem
.
++@certsdir@/imapd.pem
.
+ mkimapdcert generates a self-signed X.509 certificate,
+ mainly for
+ testing.
+ For production use the X.509 certificate must be signed by a
+ recognized certificate authority, in order for mail clients to accept the
+ certificate.
+-@datadir@/imapd.pem
must be owned by the
++@certsdir@/imapd.pem
must be owned by the
+ @mailuser@ user and
+ have no group or world permissions.
+ The mkimapdcert command will
+ enforce this. To prevent an unfortunate accident,
+ mkimapdcert
+-will not work if @datadir@/imapd.pem already exists.
++will not work if @certsdir@/imapd.pem already exists.
+ mkimapdcert requires
+-OpenSSL to be installed.
FILES
- @datadir@/imapd.pem
-
++OpenSSL to be installed.
FILES
- @certsdir@/imapd.pem
-
+ X.509 certificate.
+
- @sysconfdir@/imapd.cnf
-
+ Parameters used by OpenSSL to
+diff -ruN courier-imap-4.8.0-orig/imap/mkimapdcert.in courier-imap-4.8.0/imap/mkimapdcert.in
+--- courier-imap-4.8.0-orig/imap/mkimapdcert.in 2007-11-04 21:49:58.000000000 +0100
++++ courier-imap-4.8.0/imap/mkimapdcert.in 2010-08-05 14:36:53.000000000 +0200
+@@ -18,41 +18,41 @@
+
+ prefix="@prefix@"
+
+-if test -f @mydatadir@/imapd.pem
++if test -f @certsdir@/imapd.pem
+ then
+- echo "@mydatadir@/imapd.pem already exists."
++ echo "@certsdir@/imapd.pem already exists."
+ exit 1
+ fi
+
+ umask 077
+
+ cleanup() {
+- rm -f @mydatadir@/imapd.pem
+- rm -f @mydatadir@/imapd.rand
+- rm -f @mydatadir@/imapd.key
+- rm -f @mydatadir@/imapd.cert
++ rm -f @certsdir@/imapd.pem
++ rm -f @certsdir@/imapd.rand
++ rm -f @certsdir@/imapd.key
++ rm -f @certsdir@/imapd.cert
+ exit 1
+ }
+
+-cd @mydatadir@
++cd @certsdir@
+
+ if test "@ssllib@" = "openssl"
+ then
+- cp /dev/null @mydatadir@/imapd.pem
+- chmod 600 @mydatadir@/imapd.pem
+- chown @mailuser@ @mydatadir@/imapd.pem
++ cp /dev/null @certsdir@/imapd.pem
++ chmod 600 @certsdir@/imapd.pem
++ chown @mailuser@ @certsdir@/imapd.pem
+
+- dd if=@RANDOMV@ of=@mydatadir@/imapd.rand count=1 2>/dev/null
++ dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null
+ @OPENSSL@ req -new -x509 -days 365 -nodes \
+- -config @sysconfdir@/imapd.cnf -out @mydatadir@/imapd.pem -keyout @mydatadir@/imapd.pem || cleanup
+- @OPENSSL@ gendh -rand @mydatadir@/imapd.rand 512 >>@mydatadir@/imapd.pem || cleanup
+- @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @mydatadir@/imapd.pem || cleanup
+- rm -f @mydatadir@/imapd.rand
++ -config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup
++ @OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup
++ @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup
++ rm -f @certsdir@/imapd.rand
+ else
+- cp /dev/null @mydatadir@/imapd.key
+- chmod 600 @mydatadir@/imapd.key
+- cp /dev/null @mydatadir@/imapd.cert
+- chmod 600 @mydatadir@/imapd.cert
++ cp /dev/null @certsdir@/imapd.key
++ chmod 600 @certsdir@/imapd.key
++ cp /dev/null @certsdir@/imapd.cert
++ chmod 600 @certsdir@/imapd.cert
+
+ @CERTTOOL@ --generate-privkey --outfile imapd.key
+ @CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf
+diff -ruN courier-imap-4.8.0-orig/imap/mkpop3dcert.in courier-imap-4.8.0/imap/mkpop3dcert.in
+--- courier-imap-4.8.0-orig/imap/mkpop3dcert.in 2007-11-04 21:49:58.000000000 +0100
++++ courier-imap-4.8.0/imap/mkpop3dcert.in 2010-08-05 14:35:48.000000000 +0200
+@@ -18,41 +18,41 @@
+
+ prefix="@prefix@"
+
+-if test -f @mydatadir@/pop3d.pem
++if test -f @certsdir@/pop3d.pem
+ then
+- echo "@mydatadir@/pop3d.pem already exists."
++ echo "@certsdir@/pop3d.pem already exists."
+ exit 1
+ fi
+
+ umask 077
+
+ cleanup() {
+- rm -f @mydatadir@/pop3d.pem
+- rm -f @mydatadir@/pop3d.rand
+- rm -f @mydatadir@/pop3d.key
+- rm -f @mydatadir@/pop3d.cert
++ rm -f @certsdir@/pop3d.pem
++ rm -f @certsdir@/pop3d.rand
++ rm -f @certsdir@/pop3d.key
++ rm -f @certsdir@/pop3d.cert
+ exit 1
+ }
+
+-cd @mydatadir@
++cd @certsdir@
+
+ if test "@ssllib@" = "openssl"
+ then
+- cp /dev/null @mydatadir@/pop3d.pem
+- chmod 600 @mydatadir@/pop3d.pem
+- chown @mailuser@ @mydatadir@/pop3d.pem
++ cp /dev/null @certsdir@/pop3d.pem
++ chmod 600 @certsdir@/pop3d.pem
++ chown @mailuser@ @certsdir@/pop3d.pem
+
+- dd if=@RANDOMV@ of=@mydatadir@/pop3d.rand count=1 2>/dev/null
++ dd if=@RANDOMV@ of=@certsdir@/pop3d.rand count=1 2>/dev/null
+ @OPENSSL@ req -new -x509 -days 365 -nodes \
+- -config @sysconfdir@/pop3d.cnf -out @mydatadir@/pop3d.pem -keyout @mydatadir@/pop3d.pem || cleanup
+- @OPENSSL@ gendh -rand @mydatadir@/pop3d.rand 512 >>@mydatadir@/pop3d.pem || cleanup
+- @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @mydatadir@/pop3d.pem || cleanup
+- rm -f @mydatadir@/pop3d.rand
++ -config @sysconfdir@/pop3d.cnf -out @certsdir@/pop3d.pem -keyout @certsdir@/pop3d.pem || cleanup
++ @OPENSSL@ gendh -rand @certsdir@/pop3d.rand 512 >>@certsdir@/pop3d.pem || cleanup
++ @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/pop3d.pem || cleanup
++ rm -f @certsdir@/pop3d.rand
+ else
+- cp /dev/null @mydatadir@/pop3d.key
+- chmod 600 @mydatadir@/pop3d.key
+- cp /dev/null @mydatadir@/pop3d.cert
+- chmod 600 @mydatadir@/pop3d.cert
++ cp /dev/null @certsdir@/pop3d.key
++ chmod 600 @certsdir@/pop3d.key
++ cp /dev/null @certsdir@/pop3d.cert
++ chmod 600 @certsdir@/pop3d.cert
+
+ @CERTTOOL@ --generate-privkey --outfile pop3d.key
+ @CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf
+diff -ruN courier-imap-4.8.0-orig/imap/pop3d.cnf.openssl.in courier-imap-4.8.0/imap/pop3d.cnf.openssl.in
+--- courier-imap-4.8.0-orig/imap/pop3d.cnf.openssl.in 2007-11-04 21:49:58.000000000 +0100
++++ courier-imap-4.8.0/imap/pop3d.cnf.openssl.in 2010-08-05 14:43:48.000000000 +0200
+@@ -1,5 +1,5 @@
+
+-RANDFILE = @mydatadir@/pop3d.rand
++RANDFILE = @certsdir@/pop3d.rand
+
+ [ req ]
+ default_bits = 1024
+@@ -15,7 +15,7 @@
+ O=Courier Mail Server
+ OU=Automatically-generated POP3 SSL key
+ CN=localhost
+-emailAddress=postmaster@example.com
++emailAddress=postmaster@localhost
+
+
+ [ cert_type ]
+diff -ruN courier-imap-4.8.0-orig/imap/pop3d-ssl.dist.in courier-imap-4.8.0/imap/pop3d-ssl.dist.in
+--- courier-imap-4.8.0-orig/imap/pop3d-ssl.dist.in 2009-08-13 05:06:42.000000000 +0200
++++ courier-imap-4.8.0/imap/pop3d-ssl.dist.in 2010-08-05 14:43:05.000000000 +0200
+@@ -248,7 +248,7 @@
+ #
+ # This is an experimental feature.
+
+-TLS_CERTFILE=@mydatadir@/pop3d.pem
++TLS_CERTFILE=@certsdir@/pop3d.pem
+
+ ##NAME: TLS_TRUSTCERTS:0
+ #
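Review bot: `cd @certsdir@` in mkimapdcert.in (and the same line in mkpop3dcert.in) is not checked, and the GnuTLS branch then writes the key with a relative path (`--outfile imapd.key`, `--outfile pop3d.key`), so if the configured directory is missing or not accessible the private key is generated in whatever directory the script was started from. Now that the location is configurable this is easier to hit; `cd @certsdir@ || exit 1` would stop the script before any key material is written. Relatedly, both configure hunks copy `$withval` straight into `certsdir`, so a bare `--with-certsdir` (the help text advertises `[=ARG]`) would leave it set to `yes`; rejecting `yes`/`no` there, or dropping the brackets from the help line, avoids that. Both scripts continue past the end of their hunks, so the rest of the GnuTLS branch is not visible here.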
diff --git a/courier-imap.changes b/courier-imap.changes
index ee88545..0262cf5 100644
--- a/courier-imap.changes
+++ b/courier-imap.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 5 16:06:36 UTC 2010 - chris@computersalat.de
+
+- have pop3d, imapd ssl certs in /etc/ssl/private
+ [bnc#628487]; certsdir patch
+
-------------------------------------------------------------------
Mon Jul 5 15:21:53 UTC 2010 - chris@computersalat.de
diff --git a/courier-imap.spec b/courier-imap.spec
index 16ad5e8..bf2e298 100644
--- a/courier-imap.spec
+++ b/courier-imap.spec
@@ -21,7 +21,7 @@
Name: courier-imap
Summary: An IMAP and POP3 Server for Maildir MTAs
Version: 4.8.0
-Release: 1
+Release: 2
License: GPLv2+
Group: Productivity/Networking/Email/Servers
Url: http://www.courier-mta.org/imap/
@@ -37,6 +37,8 @@ Source9: %{name}-ssl.firewall
Patch0: %{name}-4.8.0-sbindir.patch
Patch1: %{name}-4.7.0-LDFLAGS.patch
Patch2: %{name}-ulimit_conf.diff
+# bnc#628487
+Patch3: %{name}-4.8.0-certsdir.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} > 910
BuildRequires: audit-libs
@@ -83,6 +85,8 @@ install the entire Courier server.
%patch0 -p1
%patch1 -p1
%patch2
+# bnc#628487
+%patch3 -p1
%build
%configure \
@@ -95,6 +99,7 @@ install the entire Courier server.
--enable-unicode \
--with-authdaemonvar=%{_localstatedir}/run/authdaemon.%{name} \
--with-certdb=%{_sysconfdir}/ssl/certs \
+ --with-certsdir=%{_sysconfdir}/ssl/private \
--enable-workarounds-for-imap-client-bugs
%{__make} %{?jobs:-j%jobs}
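Review bot: `--with-certsdir=%{_sysconfdir}/ssl/private` moves key generation and the default TLS_CERTFILE to a directory that none of the spec hunks shown create, own or set permissions on. The patched man page requires imapd.pem to be owned by the mail user, so that user presumably also has to be able to traverse this directory, and certificates already generated under the old data directory are not moved by anything visible here. If this is handled elsewhere in the spec, extending the existing `# bnc#628487` comment on Patch3 would document it, e.g. `# certsdir must exist before mkimapdcert/mkpop3dcert run and be reachable by the mail user; existing *.pem are not migrated`. The %configure call starts above this hunk.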