> Thanks for your thoughts about that. Just one stupid question: How do I
> tell cyrus-imap to accept a TLS certificate at login? Should be possible
> with SASL/EXTERNAL, right? If I add EXTERNAL to sasl_mech_list that
> changes nothing. Trying to connect with Thunderbird (configured to
> authenticate with a TLS certificate) it tells me the authentication
> method isn't supported by the server.

Well, by the time SASL/EXTERNAL is invoked, the TLS negotiation should have
already taken place. The sequence should be:

- STARTTLS
- Send client certificate
- AUTHENTICATE EXTERNAL <username>

I don't know how much you know about how TLS works, so I'll explain a bit
for background. As part of the TLS negotiation the TLS server tells the
client, "here's a list of CAs I will accept client certificates for". So the
first question I would ask is, "Is Cyrus sending a list of CAs?"

You can check this with the openssl command line utility "s_client". E.g.:

% openssl s_client -starttls imap -connect imap-server:143

You'll see a bunch of stuff printed out. What you WANT to see is:

Acceptable client certificate CA names
/C=CA-name/CN=your CA 1
/C=CA-name/CN=your CA 2
[...]

(Obviously this varies depending on your issuing CAs.)

If you see:

No client certificate CA names sent

then that's the problem. The list of CAs sent I _believe_ is controlled by
the config file entry "tls_client_ca_file" (you should also probably set
tls_client_ca_dir pointing to a hashed directory containing the complete
certificate bundle for your PKI). Also note the "tls_client_certs" entry,
which controls whether a client certificate is optional, required, or
disabled. I also remember seeing that if you crank up logging on the IMAP
server it should log the certificate commonName if one was presented.

I see that openssl s_client also supports sending a client certificate, so
you could test things out that way (I don't know if you're using a
smartcard or not; it looks like only newer versions of openssl support
that, and getting a smartcard working with openssl is a pain).

--Ken

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-M1d239511241754ae7fbf2621
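The s_client check Ken describes, scripted, as an added example that is not part of the original thread or of Cyrus itself. It runs `openssl s_client -starttls imap` (optionally with `-cert`/`-key` so the client certificate is offered during the handshake) and classifies the output by whether the server advertised any acceptable client-certificate CAs, which is the precondition for SASL EXTERNAL with a TLS certificate. The host name, port and certificate paths are placeholders, and the two sample outputs at the bottom are constructed to mirror the two outcomes, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original thread. Probes an IMAP server's STARTTLS
# handshake with openssl s_client and reports whether it sends a client-CA list.
# Host name, port and certificate paths are placeholders (assumptions).

# Print the CA names the server listed, one per line, reading s_client output
# from stdin. Handles both the old "/C=.../CN=..." form and the newer
# "C = ..., CN = ..." form; the list sits between the "Acceptable client
# certificate CA names" header and the next s_client section.
ca_names_from_s_client() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^Client Certificate Types/ ||
                    /^Requested Signature Algorithms/ ||
                    /^Peer signing digest/ || /^Server Temp Key/ || /^$/) {
            in_list = 0
        }
        in_list { print }
    '
}

# Classify s_client output read from stdin and print the CA names found.
#   0: server sent one or more acceptable CA names (client certs can work)
#   1: server explicitly sent no CA names (check tls_client_ca_file/_ca_dir)
#   2: neither marker found (handshake failed before reaching that point)
check_client_ca_list() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        return 1
    fi
    names=$(printf '%s\n' "$out" | ca_names_from_s_client)
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
        return 0
    fi
    return 2
}

# Run the real probe. Passing a client cert and key also tests that the server
# accepts your certificate in the handshake (a CA mismatch shows up as a TLS
# alert or as "No client certificate CA names sent").
#   usage: probe_imap_starttls imap-server 143 [client.pem client-key.pem]
probe_imap_starttls() {
    host=$1; port=${2:-143}; cert=$3; key=$4
    set -- -starttls imap -connect "$host:$port"
    if [ -n "$cert" ]; then
        set -- "$@" -cert "$cert" -key "$key"
    fi
    openssl s_client "$@" </dev/null 2>/dev/null | check_client_ca_list
}

# Constructed samples of the two outcomes, modelled on s_client's output
# format (not captured from a real server).
SAMPLE_WITH_CAS='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/O=Example/CN=imap.example.test
   i:/C=XX/O=Example/CN=Example Issuing CA
---
Acceptable client certificate CA names
/C=XX/O=Example/CN=Example Issuing CA
/C=XX/O=Example/CN=Example Root CA
---
SSL handshake has read 2310 bytes and written 437 bytes'

SAMPLE_NO_CAS='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1980 bytes and written 437 bytes'

# With arguments, probe a real server; without, walk through the samples.
if [ $# -gt 0 ]; then
    probe_imap_starttls "$@"
else
    for sample in "$SAMPLE_WITH_CAS" "$SAMPLE_NO_CAS"; do
        if printf '%s\n' "$sample" | check_client_ca_list; then
            echo "=> CA list present: SASL EXTERNAL with a client cert can work"
        else
            echo "=> no CA list (status $?): check tls_client_ca_file / tls_client_ca_dir"
        fi
    done
fi
```

Status 0 means the server is at least asking for a client certificate; if Thunderbird still reports the mechanism as unsupported after that, the next things to look at are whether EXTERNAL appears in the CAPABILITY response after STARTTLS and what the server logs about the presented certificate.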