cyrus-imap/pop certs problems
arnau at emergetux.net
Wed Jul 26 09:23:23 EDT 2006
On Wed, 26 Jul 2006 14:17:50 +0200
Phil Pennock wrote:
> On 2006-07-26 at 12:42 +0200, Arnau Bria wrote:
> I have this working fine on Gentoo, for my personal mail. Except
> that I don't mandate that clients use certificates.
do you mean tls_require_cert? Me neither...
> > I've configured imap to use tls: (imapd.conf)
> > [...]
> > tls_ca_path: /etc/ssl/certs
> > tls_cert_file: /var/imap/cyrus-global.pem
> > tls_key_file: /var/imap/cyrus-global.key
> > tls_cafile: /etc/ssl/certs/cyrus-imapd-ca.pem
> That should be "tls_ca_file" with an extra underscore.
I've looked so many times to this file and did not notice the missing
> > tls_require_cert: 1
> That requires a _client_ cert, for all TLS connections. That may
> restrict your choice of clients somewhat. It's more common to see
> this policy applied by clients to servers; what you have is not
> wrong, but means that you're debugging too many things at once
> because you're not sure where the problem is. Once you get SSL
> working, problems after setting that option would show that the only
> problem is with some certificate used for clients but not for the
> server, which would have been another clue.
Ok, If I comment out tls_require_cert it works. I'm comparing it with
my other mail server and I don't have this option set... So, I don't
know why and when I set it to 1.
Now, my server works fine.
> Otherwise, that config looks fine; be sure to use c_rehash to update
> the symlinks in /etc/ssl/certs/. Or that new tool imported from
> Debian, update-ca-certificates, which has its own peculiar ideas
> about where master copies of certs should live.
Sure. thanks for the advice.
Many thanks for your help!
More information about the Info-cyrus