Hi!

I have two dedicated servers at a (shared) hosting provider. Software is going to be Debian 12.4 with the default Cyrus installation (3.6.1). My target setup is:

*) One server running exim4 and cyrus-imapd, both requiring TLS + client certificates
*) The other server should run SOGo or Roundcube as a webmail (both are protected by client certificates themselves)

I want to allow access to Cyrus (IMAP clients are worldwide with dynamic IP addresses) only with client certificate and username/password. The problem I have is that I didn't find an option in the SOGo configuration to configure a client certificate for the IMAP connection. My questions therefore:

Would the setup described below be possible (or would there be problems with locks in the storage, ...)?

In /etc/services, I'd add:

    imapsinternal   994/tcp

1)
*) In /etc/cyrus.conf I'd configure:

    #imap          cmd="imapd -U 200" listen="imap" prefork=0 maxchild=100
    imaps          cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
    imapsinternal  cmd="imapd -s -U 30 -C /etc/imapdinternal.conf" listen="imapsinternal" prefork=0 maxchild=100

*) The default /etc/imapdinternal.conf and /etc/imapd.conf would be the same, except that /etc/imapd.conf would have the options set:

    tls_require_cert: true
    tls_client_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem

   and /etc/imapdinternal.conf would have set:

    tls_require_cert: false

*) The idea is to restrict access to port 994 with nftables so that it is only accessible from the webmail server.

2) What I didn't see in the configuration is: does cyrus-imapd-ca.pem have to be a list of allowed CAs that created the client certificates, or can the file also be a list of the allowed certificates themselves? (There will only be around 20 to 30 client certificates all in all.)

Best Regards
Joseph Wenninger

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/Tddf22e1f0e9022e0-M4c01f7fe05f929f25bd060ff
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
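The following is an added example, written for this page and not code from the post or from the Cyrus project, for checking that the two-listener arrangement described above actually enforces what it is meant to: port 993 refuses a session without a client certificate and greets one with it, and port 994 (the password-only listener) answers from the webmail host but is unreachable from anywhere else. The host name, the client certificate paths and the "run from the webmail host" flag are assumptions supplied on the command line; the `violations()` function is pure so the policy comparison can be exercised without a network.

```python
"""Probe the two Cyrus listeners from one vantage point and compare the
observed behaviour with the intended policy.

Intended policy (as described in the post):
  993 (imaps):          TLS must fail without a client certificate and
                        yield an IMAP greeting with one.
  994 (imapsinternal):  reachable from the webmail host only; from any
                        other host the TCP connection must not go through.

Host name, certificate paths and vantage point are assumptions supplied
on the command line; none of them come from the original post.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

IMAPS_PORT = 993       # imaps, tls_require_cert: true
INTERNAL_PORT = 994    # imapsinternal, tls_require_cert: false, nftables-restricted

# Outcome labels returned by probe()
GREETING = "greeting"          # TLS established and a "* OK" IMAP greeting read
TLS_REJECTED = "tls_rejected"  # TCP connected, but TLS or the first read failed
UNREACHABLE = "unreachable"    # TCP connect refused, reset or timed out

Probe = Tuple[int, bool]       # (port, client certificate presented?)


def probe(host: str, port: int, client_cert: Optional[str] = None,
          client_key: Optional[str] = None, timeout: float = 5.0) -> str:
    """Connect to host:port over TLS, optionally with a client certificate,
    and report which of the three outcomes happened."""
    # Server certificate is checked against the system trust store (assumption).
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # nftables drop/reject, or nothing listening: the packet filter did its job
        return UNREACHABLE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            banner = tls.recv(1024)
            # Cyrus greets an accepted session with "* OK ..."; with TLS 1.3 a
            # missing client certificate surfaces here as an alert or an empty read
            return GREETING if banner.startswith(b"* OK") else TLS_REJECTED
    except (ssl.SSLError, OSError):
        return TLS_REJECTED
    finally:
        raw.close()


def expected(from_webmail_host: bool) -> Dict[Probe, str]:
    """Intended outcome of each probe, keyed by (port, with_client_cert)."""
    return {
        (IMAPS_PORT, False): TLS_REJECTED,
        (IMAPS_PORT, True): GREETING,
        (INTERNAL_PORT, False): GREETING if from_webmail_host else UNREACHABLE,
    }


def violations(observed: Dict[Probe, str],
               from_webmail_host: bool) -> List[Tuple[Probe, str, str]]:
    """Return (probe, expected, observed) for every mismatch; [] means the
    policy holds. Pure function, so it can be exercised without any network."""
    want = expected(from_webmail_host)
    return [(p, want[p], observed.get(p, "missing"))
            for p in want if observed.get(p) != want[p]]


def run(host: str, cert: str, key: str,
        from_webmail_host: bool) -> List[Tuple[Probe, str, str]]:
    """Run all three probes against host and return the policy violations."""
    observed = {
        (IMAPS_PORT, False): probe(host, IMAPS_PORT),
        (IMAPS_PORT, True): probe(host, IMAPS_PORT, cert, key),
        (INTERNAL_PORT, False): probe(host, INTERNAL_PORT),
    }
    return violations(observed, from_webmail_host)


if __name__ == "__main__":
    # usage: check_listeners.py imap.example.org client.pem client.key [webmail]
    host, cert, key = sys.argv[1:4]
    problems = run(host, cert, key, from_webmail_host="webmail" in sys.argv[4:])
    for (port, with_cert), want, got in problems:
        print(f"port {port} client_cert={with_cert}: expected {want}, got {got}")
    sys.exit(1 if problems else 0)
```

Run it twice: once on the webmail server with the `webmail` flag, once from an outside host without it. The outside run is the one that matters for this design, because port 994 accepts username/password alone and the nftables rule is the only thing keeping it internal; if that probe ever reports `greeting` instead of `unreachable`, the filter is not doing its job (a common cause is a rule written for the `ip` family only while the host is also reachable over IPv6).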
