[opensuse] Cyrus / Postfix: TLS - disable certificate authentication
Hi,

I have a Cyrus IMAP and Postfix running. Some time ago, I configured them for TLS. Recently, I also started to use Thunderbird on those and Thunderbird is asking me on startup which certificate to use for identification. I don't use any certificate authentication, neither for IMAP, nor for SMTP. Is there a way to tell Cyrus as well as Postfix to NOT request certificate authentication but use the certificate only for TLS?

-Stefan

--
(o_   Stefan Gofferje            | SCLT, MCP, CCSA
//\   Reg'd Linux User #247167   | VCP #2263
V_/_  Heckler & Koch - the original point and click interface
Stefan Gofferje wrote:
Hi,
I have a Cyrus IMAP and Postfix running. Some time ago, I configured them for TLS. Recently, I also started to use Thunderbird on those and Thunderbird is asking me on startup which certificate to use for identification. I don't use any certificate authentication, neither for IMAP, nor for SMTP. Is there a way to tell Cyrus as well as Postfix to NOT request certificate authentication but use the certificate only for TLS?
Yes there is, but you have probably configured postfix to use client certificates. Maybe post your postfix config.

--
Per Jessen, Zürich (0.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 12/03/2013 12:26 PM, Per Jessen wrote:
Yes there is, but you have probably configured postfix to use client certificates. Maybe post your postfix config.
Configs attached. I'm not sure if Postfix actually asks for a certificate. Thunderbird asks 2 times which certificate to use on startup, so I suspect, it's either Cyrus or maybe both Cyrus and Postfix.

-S
On 12/03/2013 01:22 PM, Stefan Gofferje wrote:
On 12/03/2013 12:26 PM, Per Jessen wrote:
Yes there is, but you have probably configured postfix to use client certificates. Maybe post your postfix config.
Configs attached. I'm not sure if Postfix actually asks for a certificate. Thunderbird asks 2 times which certificate to use on startup, so I suspect, it's either Cyrus or maybe both Cyrus and Postfix.
Now I just paid attention - the first request is for server:443 and the second for server:143.

Why is Thunderbird accessing the mailserver via https?

-S
Stefan Gofferje [03.12.2013 12:28]:
On 12/03/2013 01:22 PM, Stefan Gofferje wrote:
On 12/03/2013 12:26 PM, Per Jessen wrote:
Yes there is, but you have probably configured postfix to use client certificates. Maybe post your postfix config.
Configs attached. I'm not sure if Postfix actually asks for a certificate. Thunderbird asks 2 times which certificate to use on startup, so I suspect, it's either Cyrus or maybe both Cyrus and Postfix.
Now I just paid attention - the first request is for server:443 and the second for server:143.
Why is Thunderbird accessing the mailserver via https?
Maybe a typo in your config? The 4 is just above the 1 on the numeric keypad.

Since postfix has "smtpd_tls_ask_ccert = no", it won't ask for a certificate. I do not know cyrus, I use dovecot.

Werner
On 12/03/2013 01:36 PM, Werner Flamme wrote:
Why is Thunderbird accessing the mailserver via https?
Maybe a typo in your config? The 4 is just above the 1 on the numeric keypad.
A look into the webserver log uncovered the secret :D. I totally forgot that I have the SoGo Owncloud connector installed and I recently experimented with certificate authentication on my webserver. So that's for the access to 443. Still the question, how do I tell Cyrus not to request a client certificate...
I do not know cyrus, I use dovecot.
I use my Cyrus / Postfix combo for over 15 years now... Are there substantial advantages to dovecot?

-S
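An added example, not part of any post in this thread: a client-side check of which service actually sends a TLS certificate request, for the ports discussed above (143 for IMAP, plus the SMTP port). It classifies the output of `openssl s_client -msg`; the embedded transcripts are constructed samples and `mail.example.org` is a placeholder host.

```shell
# Added example: does a TLS server ask the client for a certificate?
# Classifies an `openssl s_client -msg` transcript read on stdin as:
#   requested      server sent a CertificateRequest handshake message
#   not-requested  handshake seen, but no CertificateRequest
#   no-handshake   no ServerHello at all (connect or STARTTLS failed)
ccert_status() {
    awk '
        /^<<< .*ServerHello/                      { hello = 1 }
        /^<<< .*CertificateRequest/               { req = 1 }
        /^Acceptable client certificate CA names/ { req = 1 }
        END {
            if (req)        print "requested"
            else if (hello) print "not-requested"
            else            print "no-handshake"
        }'
}

# Live probe (needs network access to the server being checked).
# $3 is an s_client -starttls protocol name, e.g. imap or smtp:
#   probe_ccert mail.example.org 143 imap    # placeholder host
#   probe_ccert mail.example.org 25  smtp
probe_ccert() {
    openssl s_client -connect "$1:$2" -starttls "$3" -msg \
        </dev/null 2>&1 | ccert_status
}

# Constructed transcript: server that requests a client certificate.
sample_asking() { cat <<'EOF'
CONNECTED(00000003)
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 03a1], Certificate
<<< TLS 1.2, Handshake [length 0026], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
Acceptable client certificate CA names
EOF
}

# Constructed transcript: server that only presents its own certificate.
sample_plain() { cat <<'EOF'
CONNECTED(00000003)
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 03a1], Certificate
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
No client certificate CA names sent
EOF
}

echo "asking: $(sample_asking | ccert_status)"
echo "plain:  $(sample_plain | ccert_status)"
```

A `requested` result for port 143 together with `not-requested` for the SMTP port would place the certificate prompt on the IMAP server rather than on Postfix.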
Stefan Gofferje [03.12.2013 13:01]:
I use my Cyrus / Postfix combo for over 15 years now... Are there substantial advantages to dovecot?
The setup is dead easy :-). But I guess you see the main advantage only when you have to restore your data, which I remember being a PITA with cyrus.

Werner
On 12/03/2013 06:01 AM, Stefan Gofferje wrote:
I use my Cyrus / Postfix combo for over 15 years now... Are there substantial advantages to dovecot?
Simple, reliable and bulletproof.... Generate your dovecot certificates, then configurations can be as simple as:

cat /etc/dovecot/dovecot.conf

auth_mechanisms = plain login
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
mail_location=mbox:~/Mail:INBOX=/var/spool/mail/%u

I used UW for a long time, then moved to dovecot about 7 or 8 years ago. I highly recommend it

--
David C. Rankin, J.D.,P.E.
Stefan Gofferje wrote:
I have a Cyrus IMAP and Postfix running. Some time ago, I configured them for TLS. Recently, I also started to use Thunderbird on those and Thunderbird is asking me on startup which certificate to use for identification. I don't use any certificate authentication, neither for IMAP, nor for SMTP. Is there a way to tell Cyrus as well as Postfix to NOT request certificate authentication but use the certificate only for TLS?
Doesn't TLS require a certificate?
participants (5)
- David C. Rankin
- James Knott
- Per Jessen
- Stefan Gofferje
- Werner Flamme