Frank Richter wrote, at 11/05/2008 10:58 AM:
> Hi,
> I've a cyrus-imapd 2.3.12 installation with these options in imapd.conf
>
> tls_cert_file: /etc/exim/etc/server.crt
> tls_key_file: /etc/exim/etc/server.key
> tls_ca_file: /etc/pki/tls/certs/ca-chain.crt
> tls_require_cert: 0
>
> SSL and STARTTLS are working fine.
>
> I've imported a personal S/MIME certificate to thunderbird. When
> connecting to the IMAP server (using STARTTLS), thunderbird asks me to
> select a client cert, showing (translated from German):
> This website (!) requires a certificate for identification ...
> Choose a certificate ...
>
> The server doesn't and shouldn't accept client certificates.
> So who is wrong? My configuration, thunderbird ...
>
> I hope somebody will enlighten me ...

Try appending the CA's root certificate for your personal S/MIME
certificate to the file specified in tls_ca_file. FWIW, I use the bundle
provided by curl (/usr/share/curl/curl-ca-bundle.crt on my system),
because it's in the correct format. You might have to append additional
certificates, depending on your needs.

This seems to be related to Cyrus' behaviour whenever tls_ca_file is
defined. The best solution seems to be to use a general purpose bundle,
though I haven't tested it with client certificates.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
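A check for the situation discussed in this thread, as an added example that is not part of the original messages or of Cyrus: it lists the CA names a server advertises when it asks for a client certificate, so the effect of a tls_ca_file change can be compared before and after. The host name imap.example.org and the sample output are constructed, and the link between Thunderbird's prompt and the server's TLS certificate request is an assumption about this setup.

```shell
#!/bin/sh
# Added example (not from the thread): read `openssl s_client` output and
# report which client-certificate CA names the server advertised.
# Live use against a placeholder host:
#   openssl s_client -connect imap.example.org:143 -starttls imap \
#       </dev/null 2>/dev/null | client_ca_names

# Constructed sample of s_client output; not captured from a real server.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Example Org/CN=imap.example.org
   i:/C=DE/O=Example Org/CN=Example Server CA
---
Acceptable client certificate CA names
/C=DE/O=Example Org/CN=Example Server CA
/C=DE/O=Example Org/CN=Example Root CA
---
SSL handshake has read 2345 bytes and written 456 bytes
EOF
}

# stdin: s_client output. Prints one advertised CA subject per line.
# Prints nothing when s_client reported "No client certificate CA names sent".
client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        # The list ends at the next separator or at the extra fields that
        # some OpenSSL versions print directly after the names.
        in_list && /^(---|Client Certificate Types:|Requested Signature Algorithms:|Shared Requested Signature Algorithms:)/ { in_list = 0 }
        in_list && NF { print }
    '
}

# stdin: s_client output. $1: CA subject exactly as s_client prints it
# (the DN formatting differs between OpenSSL versions).
# Exit status 0 if that subject is in the advertised list, 1 otherwise.
ca_is_advertised() {
    client_ca_names | grep -Fxq -- "$1"
}

# Stand-alone run: show the advertised names from the constructed sample.
sample_output | client_ca_names
```

An empty result from `client_ca_names` means the server advertised no CA names in the handshake that `s_client` recorded.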