On Fri, 2004-09-03 at 00:22, James Miller wrote:
> Hi everyone,
>
> I've been searching around and haven't had much success finding a good
> reference for setting up cyrus-imap to use client side certificates.

[snip]

> I have no problem with creating a CA and creating certs from the CA. I'm
> using them w/Sendmail and STARTTLS.
>
> I would appreciate any suggestions or pointers.

If you're trying to use a client cert as the main authentication method, I can't help you - I don't know if it's even supported, though the provision for it is there (isn't that what EXTERNAL is meant for?).

If you simply want to require a valid client cert, set:

    tls_imap_require_cert: 1

in your imapd.conf along, presumably, with

    allowplaintext: no
    sasl_mech_list: PLAIN             <--- this may differ in your setup
    sasl_minimum_layer: 128
    sasl_pwcheck_method: saslauthd    <--- this may differ in your setup
    tls_ca_file: /var/imap/ssl/ca.pem
    tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
    tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem

My users must still authenticate with a password, but cyrus won't even let anybody without a client cert authenticate - which, for my purposes, is the desired result.

--
Craig Ringer
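
An added example, not part of the original message or of Cyrus itself: a small audit that parses imapd.conf text and reports when the options named in the reply above are not set the way it describes. The option names come from the message; both sample configs, the function names and the accepted boolean spellings are assumptions, and unset options are reported rather than given a default.

```python
# Added example: audits imapd.conf text for the options named in the message.
# Both sample configs are constructed; the boolean spellings in TRUE are an assumption.
TRUE = {"1", "yes", "on", "true", "t"}

WEAK_CONF = """\
# constructed sample, not a real deployment
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
tls_ca_file: /var/imap/ssl/ca.pem
"""

HARDENED_CONF = (
    WEAK_CONF.replace("allowplaintext: yes", "allowplaintext: no")
    .replace("sasl_minimum_layer: 0", "sasl_minimum_layer: 128")
    + "tls_imap_require_cert: 1\n"
)

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def audit(opts):
    """Return a list of findings; an empty list means the checked options match."""
    findings = []
    require = opts.get("tls_imap_require_cert")
    if require is None or require.lower() not in TRUE:
        findings.append("tls_imap_require_cert not enabled: no client cert is required")
    elif not opts.get("tls_ca_file"):
        findings.append("tls_ca_file unset: no CA named to validate client certs against")
    plaintext = opts.get("allowplaintext")
    if plaintext is None or plaintext.lower() in TRUE:
        findings.append("allowplaintext not disabled")
    layer = opts.get("sasl_minimum_layer", "")
    if not layer.isdigit() or int(layer) < 128:
        findings.append("sasl_minimum_layer below 128 (the value used in the message)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_imapd_conf(conf)) or "ok")
```
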