Disable client certificate requests for Cyrus IMAP

Cyrus Logo

Cyrus LogoCyrus IMAPd always asks for a client certificate. This can be unnerving for users running Thunderbird as their mail client which have a user certificate installed and are thus always asked whether they want to send it. (There is no way to tell Thunderbird not to send a client certificate, you can only select which one.)

[simple_series title=”TLS Interposer articles”]

There is currently no way to disable this behavior in Cyrus IMAP without manually changing the code and compiling it. This is only for the adventurous among us.

But it is also only for the brave and those having too much time on their hand: Having your local installation forces you to keep track yourself of any bug fixes or security updates that might appear in the future.

TLS Interposer since version 1.3.0 can prevent any server from requesting certificates from the client.


To use this, download TLS Interposer, compile it (make), and place the following line somewhere where it affects the starting of Cyrus master process (cyrmaster). I like putting it in /etc/default/cyrus-imap:

export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so

The first line makes sure that in all the Cyrus processes, TLS Interposer will be loaded. The second line tells TLS Interposer to disable client certificate requests.

More information on TLS Interposer is available here.


Let’s stay in touch!

Receive a mail whenever I publish a new post.

About 1-2 Mails per month, no Spam.

Follow me on the Fediverse

Web apps

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.