After client authenticated STARTTLS, no EXTERNAL?

Rob Siemborski rjs3 at
Thu May 27 11:04:30 EDT 2004

On Thu, 27 May 2004, Simon Josefsson wrote:

> Hello.  Is it possible to get client authenticated STARTTLS working
> with Cyrus IMAPD, without a password login?
> I'm assuming EXTERNAL would be used for this, so here is what I put in
> imapd.conf:

Yes, it can, provided you authenticate with a proper trusted client cert 
(and that there is an authzid that is usable in the certificate).

> However, even after successful client auth STARTTLS, the EXTERNAL
> mechanism is not available.  Any ideas?

To be honest, this hasn't gotten much testing because it isn't really used 
by anyone (due to the need to have some way to convert client certs CNs to 
IMAP IDs reliably).  I'd look for a problem in either cmd_starttls in 
imapd.c (to not set the SASL_AUTH_EXTERNAL value properly) or possibly 
in the code in server.c:mech_permitted in SASL.  I do know that there was 
a bug in the handling of external that was fixed in 2.1.18, btw 
(revision 1.136 of server.c)...


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Cyrus Home Page:
Cyrus Wiki/FAQ:
List Archives/Info:

More information about the Info-cyrus mailing list