client side certificate support

Craig Ringer craig at postnewspapers.com.au
Fri Sep 3 00:52:44 EDT 2004


On Fri, 2004-09-03 at 00:22, James Miller wrote:
> Hi everyone,
> 
> I've been searching around and haven't had much success finding a good
> reference for setting up cyrus-imap to use client side certificates.

[snip]

> I have no problem with creating a CA and creating certs from the CA.  I'm
> using them w/Sendmail and STARTTLS.
> 
> I would appreciate any suggestions or pointers.

If you're trying to use a client cert as the main authentication method,
I can't help you - I don't know if it's even supported, though the
provision for it is there (isn't that what EXTERNAL is meant for?).

If you simply want to require a valid client cert, set:

tls_imap_require_cert: 1

in your imapd.conf along, presumably, with

allowplaintext: no
sasl_mech_list: PLAIN   <--- this may differ in your setup
sasl_minimum_layer: 128
sasl_pwcheck_method: saslauthd   <--- this may differ in your setup
tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem

My users must still authenticate with a password, but cyrus won't even
let anybody without a client cert authenticate - which, for my purposes,
is the desired result.

--
Craig Ringer

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
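
An added example, not part of the original post or of the Cyrus project: a small audit that reads an imapd.conf and reports whether the settings named in the reply (client cert required, plaintext off, minimum layer 128, CA/cert/key files set) are in place. The sample file is constructed from the reply's values; the accepted boolean spellings, treating an unset option as a finding, and treating a pasted "<---" remark as part of the value are assumptions of this sketch.

```python
import re

# Constructed sample: the options from the reply, inline remarks removed.
SAMPLE_CONF = """\
tls_imap_require_cert: 1
allowplaintext: no
sasl_mech_list: PLAIN
sasl_minimum_layer: 128
sasl_pwcheck_method: saslauthd
tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem
"""

ON = {"1", "yes", "on", "t", "true"}      # assumed boolean spellings
OFF = {"0", "no", "off", "f", "false"}

def parse_conf(text):
    """Return {option: value}, skipping blank lines and '#' comment lines."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            opts[m.group(1).lower()] = m.group(2)
    return opts

def audit(text):
    """Return findings; an empty list means the reply's posture is in place."""
    o, findings = parse_conf(text), []
    # An unset option is reported too: the check does not rely on defaults.
    if o.get("tls_imap_require_cert", "").lower() not in ON:
        findings.append("tls_imap_require_cert: client cert not required")
    if o.get("allowplaintext", "").lower() not in OFF:
        findings.append("allowplaintext: plaintext logins not disabled")
    layer = o.get("sasl_minimum_layer", "")
    if not layer.isdigit() or int(layer) < 128:
        findings.append("sasl_minimum_layer: below 128 or unset")
    for key in ("tls_ca_file", "tls_cert_file", "tls_key_file"):
        if not o.get(key):
            findings.append(key + ": unset")
    for key, val in o.items():
        if "<---" in val:   # assumption: text after the value is kept as value
            findings.append(key + ": inline remark is part of the value")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["ok: no findings"]:
        print(finding)
```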



