Hi!

I have two dedicated servers at a (shared) hosting provider.
Software is going to be Debian 12.4 with the default Cyrus installation (3.6.1).
My target setup is:
*) One server running exim4 and cyrus-imapd, both requiring TLS + client certificates
*) The other server should run SOGo or Roundcube as a webmail (both are protected by client certificates themselves)

I want to allow access to cyrus (IMAP clients are worldwide with dynamic IP 
addresses) only with client-certificate and username/password.


The problem I have is that I didn't find an option in the SOGo configuration to configure a client certificate for the IMAP connection.

My questions therefore:
Would the setup described below be possible? (Or would there be problems with locks in the storage, ...?)

in /etc/services, I'd add:
imapsinternal           994/tcp

1)
*) in /etc/cyrus.conf I'd configure:
#imap          cmd="imapd -U 200" listen="imap" prefork=0 maxchild=100
imaps          cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
imapsinternal  cmd="imapd -s -U 30 -C /etc/imapdinternal.conf" listen="imapsinternal" prefork=0 maxchild=100

*) The default /etc/imapdinternal.conf and /etc/imapd.conf would be the same, except that /etc/imapd.conf would have the options set:

tls_require_cert: true
tls_client_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem

and the /etc/imapdinternal.conf would have set:
tls_require_cert: false

*) The idea is to restrict access to port 994 with nftables so that it is only reachable from the webmail server


2) What I didn't see in the configuration is: does cyrus-imapd-ca.pem have to be a list of the CAs that issued the client certificates, or can the file also be a list of the allowed client certificates themselves? (There will only be around 20 to 30 client certificates all in all.)

Best Regards
Joseph Wenninger
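An nftables ruleset implementing the restriction described in point 1), added here as an example and not part of the original post. The webmail server's address (203.0.113.10, a documentation-range placeholder), the decision to log denied connections to 994, and the omission of rules for SMTP and administrative access are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumes the webmail server is
# 203.0.113.10 (placeholder) and that Cyrus listens on 993 (imaps, client
# certificate required) and 994 (imapsinternal, password only).
# Rules for exim4 (25/587), SSH etc. must be added for a real host.
flush ruleset

define WEBMAIL = 203.0.113.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback, already-established flows, and malformed packets
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # public listener: IMAPS with tls_require_cert: true, reachable from anywhere
        tcp dport 993 accept

        # internal listener: IMAPS with tls_require_cert: false, webmail server only
        ip saddr $WEBMAIL tcp dport 994 accept

        # every other attempt to reach the internal listener is logged and dropped
        tcp dport 994 log prefix "imapsinternal-denied: " counter drop
    }
}
```

Load it with `nft -f` and confirm the counter on the final rule stays at zero during normal operation; a rising counter means something other than the webmail server is probing the password-only listener.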
------------------------------------------
Cyrus: Info
Permalink: 
https://cyrus.topicbox.com/groups/info/Tddf22e1f0e9022e0-M4c01f7fe05f929f25bd060ff