The following ACLs assume courier-imap was installed into /usr/local/courier-imap. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 143.
/sbin/lidsconf -A -o /usr/local/courier-imap -j DENY /sbin/lidsconf -A -s /usr/local/courier-imap/sbin/imaplogin \ -o /etc/shadow -j READONLY /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/authlib/authpam \ -o /etc/shadow -j READONLY /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \ -o /usr/local/courier-imap -j READONLY /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \ -o CAP_SETUID -i 3 -j GRANT /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \ -o CAP_SETGID -i 3 -j GRANT /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \ -o CAP_DAC_OVERRIDE -i 3 -j GRANT /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \ -o CAP_DAC_READ_SEARCH -i 3 -j GRANT |