>It works when trying with openssl and the K-9 mobile client. Thunderbird
>still refuses connection - I'll need to spend some more time.

Thunderbird, unfortunately, doesn't have GREAT error messaging. I have run into a lot of cases where the "real" error is hidden and it flattens down the error message to something that is generic and misleading. You can sometimes find the right error by setting the MOZ_LOG environment variable (I do not remember the format of that variable, but I am sure a search will give it).

But I am wondering if Thunderbird even supports client certificate authentication? The options I see for authentication are "Normal password", "Encrypted password", "Kerberos/GSSAPI", and "NTLM". None of those are really client certificate authentication (and they all correspond to a specific SASL mechanism). To contrast, Apple Mail lists all of those mechanisms but ALSO has one called "External (TLS client certificate)" and you explicitly pick the client certificate to use, and that's what I'd expect for client certificate support. The certificate settings I know about in Thunderbird are for S/MIME support and those have nothing to do with client authentication.

It sounds like from your other email that you've done all of the difficult bits on the Cyrus side. I know if you crank up logging in Cyrus you should see if a client certificate was supplied by the client; if you don't even get that from Thunderbird then I suspect either Thunderbird doesn't support it or something else is failing early.

Oh, I realize that I had actually downloaded the Thunderbird source code (not the latest one but not too old) for debugging purposes, and it DOES look like it supports EXTERNAL.
I see this in comm/mailnews/imap/src/nsImapProtocol.cpp:

    MOZ_LOG(IMAP, LogLevel::Debug,
            ("IMAP: trying auth method 0x%" PRIx64, m_currentAuthMethod));

    if (flag & kHasAuthExternalCapability) {
      char* base64UserName = PL_Base64Encode(userName, strlen(userName), nullptr);
      nsAutoCString command(GetServerCommandTag());
      command.AppendLiteral(" authenticate EXTERNAL ");
      command.Append(base64UserName);
      command.Append(CRLF);
      PR_Free(base64UserName);
      rv = SendData(command.get());
      ParseIMAPandCheckForNewMail();

I see stuff like this in ChooseAuthMethod():

    MOZ_LOG(IMAP, LogLevel::Debug,
            ("IMAP auth: server caps 0x%" PRIx64 ", pref 0x%" PRIx64
             ", failed 0x%" PRIx64 ", avail caps 0x%" PRIx64,
             serverCaps, m_prefAuthMethods, m_failedAuthMethods, availCaps));
    // clang-format off
    MOZ_LOG(IMAP, LogLevel::Debug,
            ("(GSSAPI = 0x%" PRIx64 ", CRAM = 0x%" PRIx64 ", NTLM = 0x%" PRIx64
             ", MSN = 0x%" PRIx64 ", PLAIN = 0x%" PRIx64 ", LOGIN = 0x%" PRIx64
             ", old-style IMAP login = 0x%" PRIx64
             ", auth external IMAP login = 0x%" PRIx64 ", OAUTH2 = 0x%" PRIx64 ")",
             kHasAuthGssApiCapability, kHasCRAMCapability, kHasAuthNTLMCapability,
             kHasAuthMSNCapability, kHasAuthPlainCapability, kHasAuthLoginCapability,
             kHasAuthOldLoginCapability, kHasAuthExternalCapability,
             kHasXOAuth2Capability));

So that suggests to me you should be able to glean some ideas as to what is going on with the appropriate MOZ_LOG level.

I am wondering if you imported your client certificate into Thunderbird? That would be under Preferences -> Privacy & Security -> Manage Certificates.

--Ken

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tc3867934b82f1aa6-Me442139a5e56e1642e46014b
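
An added example, not part of the original message and not Thunderbird or Cyrus code: a small Python helper for reading an IMAP protocol trace when debugging the EXTERNAL exchange quoted above. It reports whether the server advertised AUTH=EXTERNAL, which authorization identity the client put in the base64 argument, and the tagged result. The "C: " / "S: " line prefixes, the function names and the sample transcript are assumptions made for illustration.

```python
import base64
import binascii
import re

AUTH_RE = re.compile(r"^(\S+) authenticate EXTERNAL(?: (\S+))?$", re.IGNORECASE)
MECH_RE = re.compile(r"AUTH=([A-Za-z0-9_-]+)", re.IGNORECASE)


def build_external_command(tag, username):
    """Wire format from the excerpt: tag, mechanism, base64 user name, CRLF."""
    b64 = base64.b64encode(username.encode("utf-8")).decode("ascii")
    return f"{tag} authenticate EXTERNAL {b64}\r\n"


def decode_initial_response(arg):
    if arg is None:
        return None  # no initial response on the command line
    if arg == "=":
        return ""    # RFC 4959: "=" is an empty response; identity comes from the certificate
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable>"


def analyze_session(lines):
    """Summarise a transcript whose lines are prefixed 'C: ' or 'S: ' (assumed format)."""
    report = {"offered": False, "authzid": None, "result": None}
    tag = None
    for line in lines:
        side, _, text = line.partition(": ")
        text = text.rstrip("\r\n")
        match = AUTH_RE.match(text) if side == "C" else None
        if match:
            tag = match.group(1)
            report["authzid"] = decode_initial_response(match.group(2))
        elif side == "S" and "CAPABILITY" in text.upper():
            mechs = {m.upper() for m in MECH_RE.findall(text)}
            report["offered"] = report["offered"] or "EXTERNAL" in mechs
        elif side == "S" and tag and text.startswith(tag + " "):
            report["result"] = text.split()[1].upper()
    return report

# Constructed transcript, not captured from a real server.
SAMPLE_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=EXTERNAL] ready",
    "C: " + build_external_command("3", "alice"),
    "S: 3 NO authentication failure",
]
```

If "offered" is false, the client never had EXTERNAL available to choose; if it is true and the result is NO, the identity in "authzid" is the one to compare against what the server maps the certificate to.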