The following ACLs assume courier-imap was installed into /usr/local/courier-imap. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 143.
/sbin/lidsconf -A -o /usr/local/courier-imap -j DENY
/sbin/lidsconf -A -s /usr/local/courier-imap/sbin/imaplogin \
-o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/authlib/authpam \
-o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
-o /usr/local/courier-imap -j READONLY
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
-o CAP_SETUID -i 3 -j GRANT
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
-o CAP_SETGID -i 3 -j GRANT
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
-o CAP_DAC_OVERRIDE -i 3 -j GRANT
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
-o CAP_DAC_READ_SEARCH -i 3 -j GRANT |