> Sorry, I read the thread but I completely forgot to update you! No problem. That was in fact the problem: I was checking for specific client certificate attributes. I'm now accepting all certificates and deferring those checks to EXTERNAL SASL authentication. Thank you. -- Daniele