diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
index 836f9007fe..b49b9e0d41 100644
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -58,7 +58,8 @@ auth_libs = \
 	../lib-otp/libotp.la \
 	$(LIBDOVECOT_SQL)
 
-auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
+auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) \
+	-I$(top_srcdir)/src/lib-ssl-iostream
 auth_LDADD = $(auth_libs) $(LIBDOVECOT) $(AUTH_LIBS) $(BINARY_LDFLAGS)
 auth_DEPENDENCIES = $(auth_libs) $(LIBDOVECOT_DEPS)
 
diff --git a/src/auth/auth-policy.c b/src/auth/auth-policy.c
index 2849b35808..796950170b 100755
--- a/src/auth/auth-policy.c
+++ b/src/auth/auth-policy.c
@@ -15,6 +15,7 @@
 #include "auth-penalty.h"
 #include "auth-settings.h"
 #include "auth-policy.h"
+#include "iostream-ssl.h"
 
 #define AUTH_POLICY_DNS_SOCKET_PATH "dns-client"
 
@@ -156,9 +157,19 @@ void auth_policy_open_and_close_to_key(const char *fromkey, const char *tokey, s
 
 void auth_policy_init(void)
 {
+	struct ssl_iostream_settings ssl_set;
+	i_zero(&ssl_set);
+
 	http_client_set.request_absolute_timeout_msecs = global_auth_settings->policy_server_timeout_msecs;
 	if (global_auth_settings->debug)
 		http_client_set.debug = 1;
+	ssl_set.ca_dir = global_auth_settings->ssl_client_ca_dir;
+	ssl_set.ca_file = global_auth_settings->ssl_client_ca_file;
+	if (*ssl_set.ca_dir == '\0' &&
+	    *ssl_set.ca_file == '\0')
+		ssl_set.allow_invalid_cert = TRUE;
+
+	http_client_set.ssl = &ssl_set;
 	http_client = http_client_init(&http_client_set);
 
 	/* prepare template */