imapd, TLS and CRLs

Wesley Craig wes at
Thu May 27 13:45:35 EDT 2010

Can you submit this to the Cyrus Bugzilla, please.


On 27 May 2010, at 13:04, Stacy Millions wrote:
> I have been working on deploying an imap server using EXTERNAL+TLS  
> authentication. Everything is working fine and then I discover that  
> there is no support CRLs in imapd; from my point of view this is a  
> Bad Thing(tm).
> I searched the mailing list and found a discussion of this in  
> 2005/02 with the final word being (I'll paraphrase) "sounds  
> interesting, patches welcome."
> All right, the attached implements CRL checking via a 'tls_crl'  
> option in imapd.conf. Just point it at a PEM encoded CRL file. The  
> file can contain multiple CRLs if you have more than one CA you  
> care about.
> What it doesn't do is:
> - implement crl_path
> - implement CRL checking in the TLS client code
> It also suffers from the fact that this code is ran at  
> initialisation time. When the CRL expires you need to get a fresh  
> CRL, you need to restart imapd; but this is the same behavior as  
> Apache httpd and sendmail.

More information about the Info-cyrus mailing list