Hi!
I have two dedicated servers at a (shared) hosting provider.
Software is going to be debian 12.4 with the default cyrus installation (3.6.1)
My target setup is:
*) One server running exim4 and cyrus-imapd, both requiring TLS+Client certificates
*) The other server should run SOGO or Roundcube as a webmail (both are protected by client certificates themselves)
I want to allow access to cyrus (IMAP clients are worldwide with dynamic IP addresses) only with client-certificate and username/password.
The problem I have is that I didn't find an option in the SOGO configuration to configure a client certificate for the IMAP connection.
My questions therefore:
Would the setup described below be possible? (or would there be problems with locks in the storage, ...)?
in /etc/services, I'd add:
imapsinternal 994/tcp
1)
*) in /etc/cyrus.conf I'd configure:
#imap cmd="imapd -U 200" listen="imap" prefork=0 maxchild=100
imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
imapsinternal cmd="imapd -s -U 30 -C /etc/imapdinternal.conf" listen="imapsinternal" prefork=0 maxchild=100
*) The default /etc/imapdinternal.conf and /etc/imapd.conf would be the same, except that /etc/imapd.conf would have the options set:
tls_require_cert: true
tls_client_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
and the /etc/imapdinternal.conf would have set:
tls_require_cert: false
*) The idea is to restrict the access to port 994 with nftables to only be accessible from the webmail-server
2) What I didn't see in the configuration is whether cyrus-imapd-ca.pem has to be a list of allowed CAs that created the client certificates, or whether the file can also be a list of the allowed certificates themselves? (there will only be around 20 to 30 client certificates all in all)
Best Regards
Joseph Wenninger
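The nftables part of the setup above (port 994 reachable only from the webmail server, port 993 open to the world but protected by the client-certificate requirement in imapd.conf), written out as an added example; this is not from the original post or from the Cyrus project. It assumes a placeholder webmail-server address 192.0.2.10 (RFC 5737 documentation range) and table/chain names chosen here; replace them with the real values. The log rule before the final drop is there so that attempts to reach the internal port from elsewhere show up in the journal.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Placeholders:
#   192.0.2.10  -> address of the webmail server (SOGO/Roundcube host)
# Load with: nft -f /etc/nftables.conf ; verify with: nft list ruleset

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # keep established sessions and loopback working
        ct state established,related accept
        iifname "lo" accept
        ct state invalid drop

        # (management access such as SSH would be added here)

        # Public IMAPS (993/tcp): open to the dynamic-IP clients;
        # the client certificate is enforced by imapd.conf
        # (tls_require_cert: true), not by the firewall.
        tcp dport 993 ct state new accept

        # Internal IMAPS (994/tcp, tls_require_cert: false):
        # only the webmail server may open connections to it.
        # This accept rule must come before the log/drop rule below.
        ip saddr 192.0.2.10 tcp dport 994 ct state new accept

        # Anything else aimed at the internal port: log, then drop.
        tcp dport 994 log prefix "imapsinternal-denied: " drop
    }
}
```

The rule order matters: the accept for the webmail address has to precede the catch-all log/drop for 994, and the chain policy is drop, so a missing rule fails closed rather than open. If the webmail server talks over IPv6, add a matching `ip6 saddr ... tcp dport 994 ct state new accept` line with its address.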