[Dovecot] Problem with requiring client certificates for external connections
Frank Crawford
frank at crawford.emu.id.au
Sun Dec 19 04:12:31 EET 2010
Folks,
I'm trying to configure my dovecot installation to require client
certificates for external/Internet connections, while still allowing my
local network to not need certificates.
This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
tried to use the "remote" block to give different definitions for my
local network vs the defaults. While most options seem to be set fine,
if I set "auth_ssl_require_client_cert" to yes as the default, and reset
it to no for my local network, dovecot still requests a client
certificate and fails as one is not supplied.
Am I correct that it can be reset in a "remote" block, or is it treated
differently to other options? In fact do I have the configuration
correct, as there doesn't really seem to be anything documenting
"remote" or "remote_ip" or related items for Dovecot 2.
Related to this, much of the documentation states that the variable is
"ssl_require_client_cert", which seems to be accepted but ignored, vs
"auth_ssl_require_client_cert" which does have some effects.
Also, in the configuration dump, it duplicates the netmask.
The configuration is below, as generated with "dovecot -n".
Regards
Frank
# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
auth_ssl_require_client_cert = yes
mail_location = maildir:/var/spool/maildir/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = postmaster at crawford.emu.id.au
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
protocol pop3 {
pop3_uidl_format = %v.%u
}
remote 203.16.204.0/24/24 {
auth_ssl_require_client_cert = no
disable_plaintext_auth = no
ssl = no
ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
auth_ssl_require_client_cert = no
disable_plaintext_auth = no
ssl = no
ssl_verify_client_cert = no
}
remote 2001:44b8:62:140::/64/64 {
auth_ssl_require_client_cert = no
disable_plaintext_auth = no
ssl = no
ssl_verify_client_cert = no
}
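As an added illustration (not part of Frank's post and not Dovecot's own code), the following Python script parses a "dovecot -n" dump in the shape shown above, normalises the doubled netmask in the "remote" headers so the networks can be matched, and reports which TLS/client-certificate settings would apply to a given client address. It assumes the semantics the post is asking for, i.e. that a matching "remote" block overrides the global value and that the most specific matching block wins when several match; the post reports that in 2.0.8 the override of auth_ssl_require_client_cert did not take effect, so treat the output as "what the config says", not as proof of what the daemon does. The embedded configuration is a trimmed, constructed copy of the dump in the post.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the "dovecot -n" dump from the post,
# including the doubled netmask that the poster observed.
SAMPLE_CONFIG = """\
# 2.0.8: /etc/dovecot/dovecot.conf
auth_ssl_require_client_cert = yes
ssl = required
ssl_verify_client_cert = yes
passdb {
  driver = pam
}
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
  auth_ssl_require_client_cert = no
  ssl = no
}
"""

# "addr/bits" with an optional second "/bits" (the duplication seen in the dump)
_REMOTE_SPEC = re.compile(r"^(?P<addr>[^/]+)/(?P<bits>\d+)(?:/(?P<dup>\d+))?$")


@dataclass
class DovecotConfig:
    globals: dict = field(default_factory=dict)
    remotes: list = field(default_factory=list)   # [(ip_network, {key: value}), ...]
    warnings: list = field(default_factory=list)


def normalize_remote_spec(spec):
    """Return (ip_network, netmask_was_doubled) for a 'remote' header argument."""
    m = _REMOTE_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unparseable remote spec: {spec!r}")
    net = ipaddress.ip_network(f"{m.group('addr')}/{m.group('bits')}", strict=False)
    return net, m.group("dup") is not None


def parse_dovecot_dump(text):
    """Line-based parser for the flat 'key = value' / 'name arg {' format of dovecot -n."""
    cfg = DovecotConfig()
    stack = []              # headers of the blocks we are inside, innermost last
    current_remote = None   # (network, settings) while inside a remote block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            header = line[:-1].strip()
            stack.append(header)
            if header.startswith("remote "):
                net, doubled = normalize_remote_spec(header.split(None, 1)[1])
                if doubled:
                    cfg.warnings.append(f"netmask written twice in {header!r}, using {net}")
                current_remote = (net, {})
                cfg.remotes.append(current_remote)
            continue
        if line == "}":
            if stack.pop().startswith("remote "):
                current_remote = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue    # wrapped continuation lines (e.g. capability lists) carry no key
        key, value = key.strip(), value.strip()
        if current_remote is not None:
            current_remote[1][key] = value
        elif not stack:
            cfg.globals[key] = value
        # settings inside passdb/userdb/protocol blocks are not network-scoped: ignored here
    return cfg


def effective_settings(cfg, client_ip):
    """Globals overlaid by every matching remote block, least specific first (assumed semantics)."""
    ip = ipaddress.ip_address(client_ip)
    effective = dict(cfg.globals)
    matches = [(net, s) for net, s in cfg.remotes if ip in net]
    for _net, settings in sorted(matches, key=lambda m: m[0].prefixlen):
        effective.update(settings)
    return effective


def client_cert_required(cfg, client_ip):
    """True when a client at this address must present a certificate per the config as written."""
    eff = effective_settings(cfg, client_ip)
    return eff.get("ssl", "yes") != "no" and eff.get("auth_ssl_require_client_cert") == "yes"


if __name__ == "__main__":
    cfg = parse_dovecot_dump(SAMPLE_CONFIG)
    for w in cfg.warnings:
        print("warning:", w)
    # 198.51.100.7 and 2001:db8::1 are documentation addresses standing in for Internet clients
    for ip in ("203.16.204.17", "fdd2:7aad:d478:1::5", "198.51.100.7", "2001:db8::1"):
        print(f"{ip:>24}  client cert required: {client_cert_required(cfg, ip)}")
```

The useful output is the per-address table: the two local networks come out as exempt and every other address as requiring a certificate, which is the policy the post describes wanting. Comparing that table against what the server actually demands (e.g. by connecting from each network) is the quickest way to confirm whether a given setting honours the "remote" override.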