[Sorry this is a repost from a month ago; I didn't get an answer then, but maybe my timing is better now.]
For my web server, I use a certificate from Comodo which is very inexpensive by comparison with Thawte/Verisign certs, but it requires installation of an intermediary key for most browsers to be happy with it. It's not difficult with Apache and mod_ssl; I'm wondering if it will work with Cyrus, perhaps using the 'tls_ca_file'? The docs are a little sparse (and Comodo doesn't provide explicit instructions like it does for mod_ssl) and my understanding of SSL/TLS is a bit limited.
I expect that'd do it; you'll still need to install the CA certificate in browsers, though. I have a similar setup, but with a CA cert generated in-house.
My imapd.conf contains:
tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem
- the filenames are somewhat self-explanatory (though your key and cert may be combined into one file).
I then install the CA cert into clients who need access. To be specific, I generate a client SSL certificate for them that also contains an embedded version of our CA cert. That way they import the CA cert when they install the client cert; I then just get them to authorize the CA cert for identifying remote hosts.
Craig Ringer
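An added example, not part of the original thread: it builds a constructed throwaway root, intermediate and server certificate with the openssl CLI, then shows that a client trusting only the root rejects the server certificate unless the intermediate is supplied, and that the private key belongs to the certificate. The function names, file names and the host name mail.example.test are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed test PKI: root -> intermediate -> server, written into directory $1.
make_test_pki() (
    set -e
    cd "$1"
    exec >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=constructed $n mail.example.test"
    done
    # Self-signed root, then intermediate signed by root, then server signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out inter.pem
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -out server.pem
)

# chain_ok ROOT SERVER_CERT [INTERMEDIATE]
# Verifies as a client that trusts only ROOT. INTERMEDIATE is passed as an
# untrusted helper certificate, modelling a server that presents it with its own cert.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# key_matches CERT KEY: true when the certificate's public key is the key's public half.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demonstration on the constructed PKI.
demo=$(mktemp -d) && make_test_pki "$demo"
for inter in "" "$demo/inter.pem"; do
    if chain_ok "$demo/root.pem" "$demo/server.pem" "$inter"; then r=accepted; else r=rejected; fi
    echo "intermediate='${inter##*/}': server certificate $r"
done
rm -rf "$demo"
```

The same two functions can be pointed at the files named in imapd.conf to check them before restarting the server.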