Cyrus Pop3 and Client Side Certificates

Dan White dwhite at
Mon Dec 17 15:11:44 EST 2012

On 12/17/12 12:26 -0600, Sumit Malhotra wrote:
>We are looking to enforce two layers of authentication on POP3S.
>We want to ensure that *if and only if* a Machine/Laptop/Client has an SSL
>Certificate installed, then only it can connect and authenticate with
>the POP3 Server, else it fails. Is that possible?


tls_require_cert: 1

or, specifically just for pop3s:

<cyrus.conf/pop3s-service-name>_tls_require_cert: 1

In /etc/cyrus.conf, you'll want to remove any references to pop3 (without
the -s option). e.g.:

#pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=200
pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=100

In imapd.conf:

pop3s_tls_require_cert: 1

You'll also need to configure tls_ca_file or tls_ca_path.

Dan White
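
A check of the settings named in the reply above, as an added example that is not part of the original message or of Cyrus itself: it reads cyrus.conf and imapd.conf text and reports any pop3d service still started without -s, any pop3s service without tls_require_cert, and a missing tls_ca_file/tls_ca_path. The function names, the sample configs and the CA path are assumptions made for illustration.

```python
import re

TRUE = {"1", "yes", "on", "t", "true"}  # spellings imapd.conf accepts for "on"

def parse_imapd(text):
    """Return {option: value} from imapd.conf text, ignoring comments."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def pop3_services(text):
    """Yield (service_name, started_with_s) for each active pop3d entry."""
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(\S+)\s+cmd="([^"]*)"', line)
        if line.startswith("#") or not m:
            continue
        argv = m.group(2).split()
        if argv and argv[0].endswith("pop3d"):
            yield m.group(1), "-s" in argv[1:]

def audit(cyrus_conf, imapd_conf):
    """Return a list of findings; an empty list means the setup matches."""
    opts, findings = parse_imapd(imapd_conf), []
    for name, tls in pop3_services(cyrus_conf):
        if not tls:
            findings.append(f"{name}: pop3d without -s is still enabled")
            continue
        # The per-service option overrides the global tls_require_cert.
        value = opts.get(f"{name}_tls_require_cert", opts.get("tls_require_cert", "0"))
        if value.lower() not in TRUE:
            findings.append(f"{name}: tls_require_cert is not enabled")
    if not (opts.get("tls_ca_file") or opts.get("tls_ca_path")):
        findings.append("neither tls_ca_file nor tls_ca_path is configured")
    return findings

# Constructed sample configs (the CA path is a placeholder).
WEAK_CYRUS = '''SERVICES {
  pop3   cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=200
  pop3s  cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=100
}'''
GOOD_CYRUS = WEAK_CYRUS.replace("  pop3 ", "  #pop3 ")
WEAK_IMAPD = "configdirectory: /var/lib/imap\n"
GOOD_IMAPD = WEAK_IMAPD + "pop3s_tls_require_cert: 1\ntls_ca_file: /path/to/client-ca.pem\n"

if __name__ == "__main__":
    for label, c, i in (("weak", WEAK_CYRUS, WEAK_IMAPD), ("good", GOOD_CYRUS, GOOD_IMAPD)):
        print(label, audit(c, i) or "OK")
```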
