Disable client certificate requests for Cyrus IMAP


Cyrus IMAPd always asks for a client certificate. This can be unnerving for users running Thunderbird as their mail client who have a user certificate installed and are thus always asked whether they want to send it. (There is no way to tell Thunderbird not to send a client certificate; you can only select which one.)


There is currently no way to disable this behavior in Cyrus IMAP without manually changing the code and compiling it. This is only for the adventurous among us.

But it is also only for the brave and those with too much time on their hands: maintaining your own local build forces you to keep track yourself of any bug fixes or security updates that might appear in the future.

TLS Interposer since version 1.3.0 can prevent any server from requesting certificates from the client.

Usage

To use this, download TLS Interposer, compile it (make), and place the following lines somewhere they affect the start of the Cyrus master process (cyrmaster). I like putting them in /etc/default/cyrus-imap:

export LD_PRELOAD=/usr/local/lib/libtlsinterposer.so
export TLS_INTERPOSER_OPTIONS=-ccert

The first line makes sure that in all the Cyrus processes, TLS Interposer will be loaded. The second line tells TLS Interposer to disable client certificate requests.
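
To confirm that both settings actually reached a running Cyrus process, the following added example (not part of TLS Interposer or of the original post) inspects /proc/<pid>/maps and /proc/<pid>/environ. The function names and the comma-or-space option separator are assumptions.

```shell
#!/bin/sh
# Added example, not part of TLS Interposer or Cyrus IMAP.
LIB_NAME=libtlsinterposer.so   # library file name from the LD_PRELOAD line
WANT_OPT=-ccert                # option from the TLS_INTERPOSER_OPTIONS line

# Print the value of variable $2 from the NUL-separated environ file $1.
env_value() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_interposer DIR: DIR is /proc/<pid> (or a directory holding the same
# maps and environ files). Returns 0 if the library is mapped and the option
# is set, 1 if the library is not mapped, 2 if the option is missing.
check_interposer() {
    if ! grep -qF "/$LIB_NAME" "$1/maps"; then
        echo "$1: $LIB_NAME not mapped, preload did not take effect" >&2
        return 1
    fi
    # Assumption: multiple options are separated by commas or spaces.
    for opt in $(env_value "$1/environ" TLS_INTERPOSER_OPTIONS | tr ',' ' '); do
        if [ "$opt" = "$WANT_OPT" ]; then return 0; fi
    done
    echo "$1: $WANT_OPT not found in TLS_INTERPOSER_OPTIONS" >&2
    return 2
}

# Build a constructed /proc/<pid> look-alike in directory $1 for offline use.
# $2 = library path shown in maps, $3 = value of TLS_INTERPOSER_OPTIONS.
make_sample() {
    mkdir -p "$1"
    printf '7f00-7f01 r-xp 00000000 08:01 42 %s\n' "$2" > "$1/maps"
    printf 'PATH=/usr/sbin\0TLS_INTERPOSER_OPTIONS=%s\0' "$3" > "$1/environ"
}

# With PIDs as arguments, check live processes (environ needs root or the
# process owner). Without arguments, only the functions are defined.
for pid in "$@"; do
    check_interposer "/proc/$pid" && echo "$pid: ok"
done
```

Run it with the PIDs of the running Cyrus processes as arguments. Status 1 is the case to watch for: the dynamic linker only warns and carries on when it cannot load the LD_PRELOAD path, so a typo there leaves client certificate requests enabled.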

More information on TLS Interposer is available here.
