Disable client authentication with certificates

Wolfgang Breyha wbreyha at gmx.net
Tue Dec 10 11:12:48 EST 2013

Stefan Gofferje wrote, on 10.12.2013 16:33:
> Maybe the existing options could just be extended, like in the Postfix
> setting for TLS, e.g.
> tls_imap_require_cert: no|ask|require

Changing the way how existing options work and breaking compatibility to
existing configurations is most likely not the best idea;-)

> I think, having logical options which are clear to the admin are better
> than some implicit consequences which are not not bilaterally logical.
> I don't know if I express this right/understandable :).

Adding a new option is easy. Done in 30 minutes. I can do it if a official dev
says it makes sense and will be added... but I don't get any answers from Bron
for very long time now. So I'm pushing the patches I use myself locally to
bugzilla waiting for a response.

> The background is that a bunch of TLS tutorials on the web include
> configuring the CA but not explaining in detail why, so an inexperienced
> admin could assume that he should put the CA certificate for the server
> cert's CA there.

TLS tutorials for cyrus-imapd including tls_ca_path/file by default? Most
likely to get rid of the debug warnings.

Greetings, Wolfgang
Wolfgang Breyha <wbreyha at gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria

More information about the Info-cyrus mailing list