On 03.08.2023 14:37, Ken Hornstein via SASL wrote:
As part of the TLS negotiation the TLS server tells the client, "here's a list of CA's I will accept client certificates for". So the first question I would ask is, "Is Cyrus sending a list of CAs?" You can check this with the openssl command line utility "s_client". E.g.:

    % openssl s_client -starttls imap -connect imap-server:143

You'll see a bunch of stuff printed out. What you WANT to see is:

    Acceptable client certificate CA names
    /C=CA-name/CN=your CA 1
    /C=CA-name/CN=your CA 2
    [...]
I can see that list - so that part should be ok.
The list of CAs sent I _believe_ is controlled by the config file entry "tls_client_ca_file" (you should also probably set tls_client_ca_dir pointing to a hashed directory containing the complete certificate bundle for your PKI). Also note the "tls_client_certs" entry which controls whether or not a client certificate is optional, required, or disabled. I also remember seeing that if you crank up logging on the IMAP server it should log the certificate commonName if one was presented. I see that openssl s_client also supports sending a client certificate so you could test things out that way (I don't know if you're using a smartcard or not, it looks like only newer openssls support that and getting a smartcard working with openssl is a pain).
I'm using a "normal" certificate - no smartcard. Trying to authenticate using openssl is good advice. The next few days I won't have much time to spend on that but I'll get back to you next week.
Best,
Johannes
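As an added example (not part of this thread), a small POSIX shell helper that automates the s_client check Ken describes above: it pulls the "Acceptable client certificate CA names" block out of the s_client output so you can confirm the server is advertising your PKI's CAs. The helper names, the host:port and the sample s_client output are assumptions, constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Extracts the
# "Acceptable client certificate CA names" block that openssl s_client
# prints when the server requests a client certificate.

# list_client_cas: read s_client output on stdin, print one CA DN per line.
# Returns 1 (and prints nothing) when the server sent no CA list, which is
# what you see if tls_client_ca_file / tls_client_certs are not set up.
list_client_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inblock = 1; next }
        /^No client certificate CA names sent/    { exit 1 }
        inblock && (/^---/ || /^Client Certificate Types/) { exit }
        inblock { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# check_server: run the STARTTLS IMAP handshake against host:port and list
# the advertised CAs (stdin closed so s_client exits after the handshake).
check_server() {
    openssl s_client -starttls imap -connect "$1" < /dev/null 2>/dev/null \
        | list_client_cas
}

# count_cas: number of CA names found in the s_client output given as $1.
count_cas() {
    printf '%s\n' "$1" | list_client_cas | wc -l | tr -d ' '
}

# Constructed (abbreviated) s_client output for a server that sends a CA list.
SAMPLE_WITH_CAS='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=imap-server
---
Acceptable client certificate CA names
/C=CA-name/CN=your CA 1
/C=CA-name/CN=your CA 2
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 2345 bytes and written 456 bytes'

# Constructed output for a server that requests no client certificate.
SAMPLE_NO_CAS='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes'
```

Run `check_server imap-server:143` against a live server; an empty result means Cyrus is not sending a CA list and the client certificate will never be requested.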