client side certificate support

Craig Ringer craig at
Fri Sep 3 00:52:44 EDT 2004

On Fri, 2004-09-03 at 00:22, James Miller wrote:
> Hi everyone,
> I've been searching around and haven't had much success finding a good
> reference for setting up cyrus-imap to use client side certificates.


> I have no problem with creating a CA and creating certs from the CA.  I'm
> using them w/Sendmail and STARTTLS.
> I would appreciate any suggestions or pointers.

If you're trying to use a client cert as the main authentication method,
I can't help you - I don't know if it's even supported, though the
provision for it is there (isn't that what EXTERNAL is meant for?).

If you simply want to require a valid client cert, set:

tls_imap_require_cert: 1

in your imapd.conf along, presumably, with

allowplaintext: no
sasl_mech_list: PLAIN   <--- this may differ in your setup
sasl_minimum_layer: 128
sasl_pwcheck_method: saslauthd   <--- this may differ in your setup
tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/
tls_key_file: /var/imap/ssl/

My users must still authenticate with a password, but cyrus won't even
let anybody without a client cert authenticate - which, for my purposes,
is the desired result.

Craig Ringer
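
An added example, not part of the original post: a small Python audit that checks imapd.conf text against the settings listed in the message above. The sample configurations are constructed, the accepted boolean spellings are an assumption, and it assumes only whole lines starting with # are comments, so an annotation such as "<---" pasted from the e-mail is reported as part of the option value.

```python
# Added example: audit imapd.conf text for the settings named in the post.
# Assumption: boolean options accept 1/yes/true/on/t and 0/no/false/off/f.
TRUE, FALSE = {"1", "yes", "true", "on", "t"}, {"0", "no", "false", "off", "f"}

CHECKS = {  # option name from the post -> predicate the value must satisfy
    "tls_imap_require_cert": lambda v: v in TRUE,
    "allowplaintext": lambda v: v in FALSE,
    "sasl_minimum_layer": lambda v: v.isdigit() and int(v) >= 128,
    "tls_ca_file": lambda v: v.startswith("/"),
}

def parse_imapd_conf(text):
    """Return {option: value}; only blank lines and '#' lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def audit(text):
    """List findings; an empty list means every check passed."""
    opts = parse_imapd_conf(text)
    findings = []
    for name, ok in CHECKS.items():
        if name not in opts:
            findings.append(f"{name}: not set")
        elif not ok(opts[name].lower()):
            findings.append(f"{name}: unexpected value {opts[name]!r}")
    # An annotation copied from the e-mail becomes part of the option value.
    findings += [f"{k}: pasted annotation in value" for k, v in opts.items() if "<---" in v]
    return findings

# Constructed samples, not real configurations.
WEAK = """\
allowplaintext: yes
sasl_mech_list: PLAIN   <--- this may differ in your setup
sasl_minimum_layer: 0
tls_ca_file: /var/imap/ssl/ca.pem
"""
HARDENED = """\
tls_imap_require_cert: 1
allowplaintext: no
sasl_minimum_layer: 128
tls_ca_file: /var/imap/ssl/ca.pem
"""
```

Calling audit(WEAK) returns four findings and audit(HARDENED) returns an empty list.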


More information about the Info-cyrus mailing list