diff --git a/Dockerfile b/Dockerfile
index a792361..3072092 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,8 @@ ENV \
     LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
     LDAP_DEFAULT_PASS_SCHEME=CRYPT \
     ANTISPAM_ENABLE=yes \
-    IMAP_URLAUTH_HOST="*"
+    IMAP_URLAUTH_HOST="*" \
+    SSL_CLIENT_CA_DIR="/etc/ssl/certs"
 
 RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
   && mkdir -p /vmail && chown vmail:vmail /vmail \
@@ -46,6 +47,7 @@ RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
      dovecot-antispam \
      bogofilter \
      ssl-cert \
+     ca-certificates \
   && rm -rf /var/lib/apt/lists/* \
   && mkdir -p /ssl && chmod 700 /ssl \
   && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
@@ -55,7 +57,6 @@ RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
 
 ADD 10-mail.conf \
   10-master.conf \
-  10-ssl.conf \
   15-mailboxes.conf \
   90-antispam.conf \
   90-sieve.conf \
diff --git a/confd/conf.d/ssl.toml b/confd/conf.d/ssl.toml
new file mode 100644
index 0000000..d5ce69f
--- /dev/null
+++ b/confd/conf.d/ssl.toml
@@ -0,0 +1,6 @@
+[template]
+src = "10-ssl.conf.tmpl"
+dest = "/etc/dovecot/local.d/10-ssl.conf"
+keys = [
+    "/ssl/client/ca/dir",
+]
diff --git a/10-ssl.conf b/confd/templates/10-ssl.conf.tmpl
similarity index 96%
rename from 10-ssl.conf
rename to confd/templates/10-ssl.conf.tmpl
index 39c821d..82ed656 100644
--- a/10-ssl.conf
+++ b/confd/templates/10-ssl.conf.tmpl
@@ -30,7 +30,7 @@ ssl_key = </ssl/key.pem
 # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
 # directory is usually /etc/ssl/certs in Debian-based systems and the file is
 # /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+{{ with getv "/ssl/client/ca/dir" }}ssl_client_ca_dir = {{.}}{{ end }}
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set