cyrus-imap/pop certs problems

Arnau Bria arnau at
Wed Jul 26 09:23:23 EDT 2006

On Wed, 26 Jul 2006 14:17:50 +0200
Phil Pennock wrote:

> On 2006-07-26 at 12:42 +0200, Arnau Bria wrote:

> I have this working fine on Gentoo, for my personal mail.  Except
> that I don't mandate that clients use certificates.

do you mean tls_require_cert? Me neither...
> > I've configured imap to use tls: (imapd.conf)
> > [...]
> > tls_ca_path:            /etc/ssl/certs
> > tls_cert_file: 		/var/imap/cyrus-global.pem
> > tls_key_file:   	/var/imap/cyrus-global.key
> > tls_cafile: 		/etc/ssl/certs/cyrus-imapd-ca.pem
> That should be "tls_ca_file" with an extra underscore.
I've looked so many times to this file and did not notice the  missing


> > tls_require_cert: 	1
> That requires a _client_ cert, for all TLS connections.  That may
> restrict your choice of clients somewhat.  It's more common to see
> this policy applied by clients to servers; what you have is not
> wrong, but means that you're debugging too many things at once
> because you're not sure where the problem is.  Once you get SSL
> working, problems after setting that option would show that the only
> problem is with some certificate used for clients but not for the
> server, which would have been another clue.

Ok, If I comment out tls_require_cert it works. I'm comparing it with
my other mail server and I don't have this option set... So, I don't
know why and when I set it to 1.

Now, my server works fine.

> Otherwise, that config looks fine; be sure to use c_rehash to update
> the symlinks in /etc/ssl/certs/.  Or that new tool imported from
> Debian, update-ca-certificates, which has its own peculiar ideas
> about where master copies of certs should live.

Sure. thanks for the advice.

Many thanks for your help!

More information about the Info-cyrus mailing list