List:       cyrus-devel
Subject:    Re: Cyrus Pop3 and Client Side Certificates
From:       Dan White <dwhite () olp ! net>
Date:       2012-12-17 20:11:44
Message-ID: 20121217201144.GG6645 () dan ! olp ! net

On 12/17/12 12:26 -0600, Sumit Malhotra wrote:
>We are looking to enforce two layers of authentication on POP3S.
>
>We want to ensure that *if and only if* a Machine/Laptop/Client has an SSL
>Certificate installed, then only it can connect and authenticate with
>the POP3 Server, else it fails. Is that possible?

set:

tls_require_cert: 1

or, specifically just for pop3s:

<cyrus.conf/pop3s-service-name>_tls_require_cert: 1

In /etc/cyrus.conf, you'll want to remove any references to pop3 (without
the -s option). e.g.:

#pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=200
pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=100

in imapd.conf:

pop3s_tls_require_cert: 1

You'll also need to configure tls_ca_file or tls_ca_path.

-- 
Dan White
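
Added example (not part of Dan White's message and not Cyrus project code): a small Python check that applies the three points above (no pop3d service without -s, tls_require_cert enabled for the pop3s service, a CA file or path configured) to the text of cyrus.conf and imapd.conf. The sample configs, the function names and the accepted spellings of a true value are assumptions made for the illustration.

```python
import os
import re
import shlex

# Constructed sample configs (not from a real server): the plaintext pop3
# service is still enabled and no CA is configured.
CYRUS_CONF = """
SERVICES {
  pop3   cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=200
  pop3s  cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=100
}
"""
IMAPD_CONF = """
pop3s_tls_require_cert: 1
"""

def pop3_services(cyrus_conf):
    """Map each uncommented pop3d service name to True if it is started with -s."""
    found = {}
    for line in cyrus_conf.splitlines():
        m = re.match(r'(\S+)\s+cmd="([^"]*)"', line.split("#", 1)[0].strip())
        if m:
            argv = shlex.split(m.group(2))
            if argv and os.path.basename(argv[0]) == "pop3d":
                found[m.group(1)] = "-s" in argv[1:]
    return found

def imapd_options(imapd_conf):
    """Parse 'key: value' lines, skipping blanks and comments."""
    lines = (l.strip() for l in imapd_conf.splitlines())
    pairs = (l.split(":", 1) for l in lines if ":" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(cyrus_conf, imapd_conf):
    opts = imapd_options(imapd_conf)
    # A service-prefixed option (pop3s_tls_require_cert) wins over the global one.
    get = lambda svc, key: opts.get(f"{svc}_{key}", opts.get(key, ""))
    findings = []
    for svc, implicit_tls in sorted(pop3_services(cyrus_conf).items()):
        if not implicit_tls:
            findings.append(f"{svc}: pop3d without -s, remove this service")
            continue
        # Assumption: these are the spellings of "true" used on this server.
        if get(svc, "tls_require_cert").lower() not in ("1", "yes", "on", "true"):
            findings.append(f"{svc}: tls_require_cert is not enabled")
        if not (get(svc, "tls_ca_file") or get(svc, "tls_ca_path")):
            findings.append(f"{svc}: no tls_ca_file or tls_ca_path set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CYRUS_CONF, IMAPD_CONF)) or "ok")
```
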