I wiped out access to my Cyrus store for my father and my wife when I went to 2.2.3. It turned out that the problem was that when they connected with TLS (I didn't test that, sadly) imapd immediately exited with ``imaps: required OpenSSL options not present''.
I traced through the source to tls_enabled() in imap/tls.c, which was returning 0. I was successfully using split certificates for POP, IMAP and so on under 2.1.16:

    tls_imap_cert_file: /var/imap/certs/imap-cert.pem
    tls_imap_key_file: /var/imap/certs/imap-private.pem
    tls_pop3_cert_file: /var/imap/certs/pop-cert.pem
    tls_pop3_key_file: /var/imap/certs/pop-private.pem
    tls_lmtp_cert_file: disabled
    tls_lmtp_key_file: disabled

In 2.2.3, doc/install-configure.html still says:

    <li>Add the following to <tt>/etc/imapd.conf</tt> to tell the server
    where to find the certificate and key file (used for ALL services):
    <pre>tls_cert_file: /var/imap/server.pem
    tls_key_file: /var/imap/server.pem
    </pre>
    Optionally, you can use separate certificates and key files for each
    service:
    <pre>tls_imap_cert_file: /var/imap/imap-server.pem
    tls_imap_key_file: /var/imap/imap-server.pem
    [...]

You in fact can't use tls_*_cert_file. In the 2.1.16 tls.c, tls_enabled() does:

    snprintf(buf, sizeof(buf), "tls_%s_cert_file", ident);
    val = config_getstring(buf, config_getstring("tls_cert_file", NULL));
    if (!val || !strcasecmp(val, "disabled")) return 0;

and so on, and tls_init_serverengine() does:

    snprintf(buf, sizeof(buf), "tls_%s_cert_file", ident);
    s_cert_file = config_getstring(buf, config_getstring("tls_cert_file", NULL));
    snprintf(buf, sizeof(buf), "tls_%s_key_file", ident);
    s_key_file = config_getstring(buf, config_getstring("tls_key_file", NULL));

In 2.2.3, the same functions do:

    val = config_getstring(IMAPOPT_TLS_CERT_FILE);
    if (!val || !strcasecmp(val, "disabled")) return 0;

and

    s_cert_file = config_getstring(IMAPOPT_TLS_CERT_FILE);
    s_key_file = config_getstring(IMAPOPT_TLS_KEY_FILE);

lib/imapopts.c has:

    { IMAPOPT_TLS_CERT_FILE, "tls_cert_file", 0,
      (union config_value)((const char *) NULL),
      OPT_STRING, { { NULL, IMAP_ENUM_ZERO } } },

So far as I can make out this breaks the ability to have distinct keys for distinct services on the same machine.
I've worked around it by using the IMAP key for everything, knowing that only I used the POP3S service and I can ignore the certificate mismatch. I'm not sure why the functionality has been removed, but either it should be put back in or the documentation should be changed and something added to the change log.

ian
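The two lookup orders described in the message, as an added example that is not part of the original message and is not Cyrus source code. `conf_get()` is a hypothetical stand-in for `config_getstring()`, and the sample configuration is constructed from the certificate lines quoted above; it can be used to check whether a split-certificate `imapd.conf` would leave TLS disabled under a global-only lookup.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the split-certificate imapd.conf lines from the post. */
static const char SAMPLE_CONF[] =
    "tls_imap_cert_file: /var/imap/certs/imap-cert.pem\n"
    "tls_pop3_cert_file: /var/imap/certs/pop-cert.pem\n"
    "tls_lmtp_cert_file: disabled\n";

/* Hypothetical stand-in for config_getstring(): copy the value of a
 * "key: value" line into out and return it, or NULL if the key is absent. */
static const char *conf_get(const char *conf, const char *key, char *out, size_t len) {
    size_t klen = strlen(key);
    while (conf && *conf) {
        if (strncmp(conf, key, klen) == 0 && conf[klen] == ':') {
            const char *v = conf + klen + 1;
            v += strspn(v, " \t");
            snprintf(out, len, "%.*s", (int)strcspn(v, "\r\n"), v);
            return out;
        }
        conf = strchr(conf, '\n');   /* advance to the next line */
        if (conf) conf++;
    }
    return NULL;
}

/* 2.2.3-style check: only the global tls_cert_file option is consulted. */
int tls_enabled_global_only(const char *conf) {
    char val[256];
    const char *v = conf_get(conf, "tls_cert_file", val, sizeof(val));
    return v && strcasecmp(v, "disabled") != 0;
}

/* 2.1.16-style check: tls_<ident>_cert_file first, global option as fallback. */
int tls_enabled_per_service(const char *conf, const char *ident) {
    char key[64], val[256];
    snprintf(key, sizeof(key), "tls_%s_cert_file", ident);
    const char *v = conf_get(conf, key, val, sizeof(val));
    if (!v) return tls_enabled_global_only(conf);
    return strcasecmp(v, "disabled") != 0;
}

int main(void) {
    const char *svc[] = { "imap", "pop3", "lmtp" };
    for (int i = 0; i < 3; i++)
        printf("%-4s per-service=%d global-only=%d\n", svc[i],
               tls_enabled_per_service(SAMPLE_CONF, svc[i]), tls_enabled_global_only(SAMPLE_CONF));
    return 0;
}
```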