Also, if there is no UI for managing certs in Thunderbird, even basic SSL connections may fail if there is no way to install corporate root certs and trust them. That's going to be a much more common problem than not supporting client auth.
I have this sort of setup on a system I manage as a hobby. I have Cyrus IMAP running IMAP over SSL and Postfix supporting SMTP over SSL; however, I'm not using client authentication, just password-based authentication over SSL. The server certs are issued using a mini-CA I operate using OpenSSL. (Nelson, please avert your eyes :-)
Thunderbird works OK with this setup, but as you note there is no way for me to import the root CA certificate for my CA. Thus I have to rely on TB to present the initial cert warning dialog, and then tell it to accept the server certificate. After that everything seems to work OK.
Not being able to manage certs is certainly an inconvenience, but let me play devil's advocate for a moment: In a real enterprise deployment of Thunderbird it might be better to ship a customized version with pre-loaded certs, as opposed to relying on users to import a corporate root cert. Thus one could make an argument that instead of trying to design and implement Thunderbird UIs for cert management it would be more useful to enterprise customers just to make it as simple as possible to do cert preloading. (When I have some spare time I should search out the instructions on how to rebuild the relevant NSS library and see if I can do this myself.)
Frank
--
Frank Hecker [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
