On 2006-07-26 at 12:42 +0200, Arnau Bria wrote: > Well, I'm having problems with cyrus-imap and tls certs in my gentoo > box. I have this working fine on Gentoo, for my personal mail. Except that I don't mandate that clients use certificates. > I've configured imap to use tls: (imapd.conf) > [...] > tls_ca_path: /etc/ssl/certs > tls_cert_file: /var/imap/cyrus-global.pem > tls_key_file: /var/imap/cyrus-global.key > tls_cafile: /etc/ssl/certs/cyrus-imapd-ca.pem That should be "tls_ca_file" with an extra underscore. > tls_require_cert: 1 That requires a _client_ cert, for all TLS connections. That may restrict your choice of clients somewhat. It's more common to see this policy applied by clients to servers; what you have is not wrong, but means that you're debugging too many things at once because you're not sure where the problem is. Once you get SSL working, problems after setting that option would show that the only problem is with some certificate used for clients but not for the server, which would have been another clue. > [pop3] TLS server engine: No CA file specified. Client side certs may not work I think that's because of the missing underscore. > [pop3] [pop3d] STARTTLS failed: localhost [127.0.0.1] and that's probably because you mandate client certificates but don't have a way to verify them. Otherwise, that config looks fine; be sure to use c_rehash to update the symlinks in /etc/ssl/certs/. Or that new tool imported from Debian, update-ca-certificates, which has its own peculiar ideas about where master copies of certs should live. -- "Everything has three factors: politics, money, and the right way to do it. In that order." -- Gary Donahue ---- Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html