cyrus-imap/pop certs problems

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Wed Jul 26 08:17:50 EDT 2006


On 2006-07-26 at 12:42 +0200, Arnau Bria wrote:
> Well, I'm having problems with cyrus-imap and tls certs in my gentoo
> box.

I have this working fine on Gentoo, for my personal mail.  Except that I
don't mandate that clients use certificates.

> I've configured imap to use tls: (imapd.conf)
> [...]
> tls_ca_path:            /etc/ssl/certs
> tls_cert_file:          /var/imap/cyrus-global.pem
> tls_key_file:           /var/imap/cyrus-global.key
> tls_cafile:             /etc/ssl/certs/cyrus-imapd-ca.pem

That should be "tls_ca_file" with an extra underscore.

> tls_require_cert: 	1

That requires a _client_ cert, for all TLS connections.  That may
restrict your choice of clients somewhat.  It's more common to see this
policy applied by clients to servers; what you have is not wrong, but
means that you're debugging too many things at once because you're not
sure where the problem is.  Once you get SSL working, problems after
setting that option would show that the only problem is with some
certificate used for clients but not for the server, which would have
been another clue.

> [pop3] TLS server engine: No CA file specified. Client side certs may not work

I think that's because of the missing underscore.

> [pop3] [pop3d] STARTTLS failed: localhost [127.0.0.1]

and that's probably because you mandate client certificates but don't
have a way to verify them.

Otherwise, that config looks fine; be sure to use c_rehash to update the
symlinks in /etc/ssl/certs/.  Or that new tool imported from Debian,
update-ca-certificates, which has its own peculiar ideas about where
master copies of certs should live.
-- 
"Everything has three factors: politics, money, and the right way to do it.
 In that order."  -- Gary Donahue
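The two findings above (the `tls_cafile` misspelling that Cyrus silently ignores, and `tls_require_cert` switched on before there is anything to verify client certificates against) can be caught before restarting the daemon. The script below is an added example, not code from the thread or from the Cyrus project: it lints the TLS keys of an imapd.conf, flags the typo, and, when client certificates are mandated, checks that a CA file or a c_rehash'ed CA directory is configured. The sample configs it writes are constructed from the one quoted above; the paths in them are the poster's and are not expected to exist on your machine.

```shell
#!/bin/sh
# Added example (not from the original thread or from Cyrus): lint the TLS
# options of an imapd.conf so the CA-file typo and the client-certificate
# policy can be debugged one at a time. Sample configs are constructed.

# Print the value of option $2 from imapd.conf $1 ("key: value" lines,
# tabs or spaces after the colon). Prints nothing if the key is absent.
imapd_conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if $1 is a Cyrus "true" boolean (1/yes/on/true), else 1.
cyrus_bool_true() {
    case "$(echo "$1" | tr 'A-Z' 'a-z')" in
        1|yes|on|true) return 0 ;;
        *)             return 1 ;;
    esac
}

# Check the TLS settings of config file $1. Prints one finding per line;
# returns 0 when nothing is wrong, 1 otherwise.
check_imapd_tls_conf() {
    conf="$1"
    rc=0

    # The option is spelled tls_ca_file. "tls_cafile" is ignored, which is
    # what yields "No CA file specified" in the log.
    if grep -q '^tls_cafile:' "$conf"; then
        echo "typo: tls_cafile should be tls_ca_file"
        rc=1
    fi

    for key in tls_cert_file tls_key_file; do
        if [ -z "$(imapd_conf_get "$conf" "$key")" ]; then
            echo "missing: $key"
            rc=1
        fi
    done

    # tls_require_cert forces every TLS client to present a certificate;
    # that can only succeed if the server has a CA to verify it against.
    if cyrus_bool_true "$(imapd_conf_get "$conf" tls_require_cert)"; then
        ca_file=$(imapd_conf_get "$conf" tls_ca_file)
        ca_path=$(imapd_conf_get "$conf" tls_ca_path)
        if [ -z "$ca_file" ] && [ -z "$ca_path" ]; then
            echo "tls_require_cert is set but neither tls_ca_file nor tls_ca_path is"
            rc=1
        fi
        # A tls_ca_path directory only works once c_rehash (or
        # "openssl rehash") has created the <hash>.N symlinks OpenSSL looks up.
        if [ -n "$ca_path" ] && [ -d "$ca_path" ] && \
           ! ls "$ca_path" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9]$'; then
            echo "tls_ca_path $ca_path has no hashed symlinks; run: c_rehash $ca_path"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the configuration as posted, typo included.
write_sample_conf() {
    cat > "$1" <<'EOF'
tls_ca_path:            /etc/ssl/certs
tls_cert_file:          /var/imap/cyrus-global.pem
tls_key_file:           /var/imap/cyrus-global.key
tls_cafile:             /etc/ssl/certs/cyrus-imapd-ca.pem
tls_require_cert:       1
EOF
}

# Constructed sample: key corrected, client certs not yet mandated, so the
# server side of TLS can be proven first and tls_require_cert turned on later.
write_fixed_conf() {
    cat > "$1" <<'EOF'
tls_ca_path:            /etc/ssl/certs
tls_cert_file:          /var/imap/cyrus-global.pem
tls_key_file:           /var/imap/cyrus-global.key
tls_ca_file:            /etc/ssl/certs/cyrus-imapd-ca.pem
tls_require_cert:       0
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/imapd.conf"
echo "checking $demo_dir/imapd.conf (as posted):"
check_imapd_tls_conf "$demo_dir/imapd.conf" || echo "-> fix these before enabling tls_require_cert"
rm -rf "$demo_dir"
```

Point it at the real file with `check_imapd_tls_conf /etc/imapd.conf`; once it reports nothing and STARTTLS works without client certificates, set `tls_require_cert` back on and any remaining failure is on the client-certificate side only.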
