[Dovecot] SSL Client Certificate Support
Bert Koelewijn
bert at rosanneke.com
Wed Oct 1 15:03:53 EEST 2003
Andreas Jaekel wrote:
> Aloha!
>
>
> At 12:37 01/10/2003 +0200, Bert Koelewijn wrote:
>
>> Dear Timo,
>>
>> most modern enterprises make use of a Public Key Infrastructure. It
>> would be nice to have dovecot check a client certificate instead of a
>> password. This makes life much easier and more secure.
>> Mail clients like Mozilla and MS Outlook do support this. What do you
>> think of the following feature request:
>>
>> - Client authenticates with a certificate via SSL. (Like stunnel can)
>> - Dovecot looks the username up in a table with (public key, username)
>> - The mailclient gives a name and password, but dovecot ignores them
>> - Dovecot gives the client access by the username found in the table
>>
>> This way existing mail clients can use this system and you can save
>> your username with an empty password.
>
>
>
> Wouldn't it be much better to take the list of valid usernames from X.509
> extension fields instead of a lookup table? That way the usernames are also
> verified and trusted information.
>
> dovecot-auth would then allow the client to log in with any of the certified
> usernames using any arbitrary password, or to additional usernames using
> the correct password.
>
> Of course, one could also use attribute certificates... :)
>
> Anyway, one thing to remember might be that a certificate usually identifies
> a person, not an account, so if a lookup table is used it should allow
> the person to have more than one account, and dovecot should allow that
> person into any one of them. Which one the person wants would be indicated
> by the username given to LOGIN.
>
> Regards,
> Andy
>
>
Yep, you're totally right. In our company everybody has 1 mailbox, then
one could use X.509 extensions.
Thanks!
Bert
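The two mapping schemes discussed in this thread (Bert's certificate-to-account lookup table and Andreas's reading of usernames from X.509 subjectAltName fields), together with the rule that a certified username needs no password while any other account still needs its real one, as an added example that is not Dovecot code from the original post. It assumes the TLS layer has already verified the client certificate against the trusted CA and handed over its fingerprint and rfc822Name entries; the table, the served domain `example.com` and all sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Served mail domain: only rfc822Name entries in this domain map to local
# accounts, so a CA-issued certificate for another domain grants nothing here.
LOCAL_DOMAIN = "example.com"  # assumption for this example


@dataclass
class ClientCert:
    """Fields dovecot would obtain from an already verified client certificate."""
    fingerprint: str                                  # e.g. SHA-256 of the DER certificate
    san_emails: list = field(default_factory=list)    # rfc822Name entries from subjectAltName


# Bert's variant: lookup table keyed by certificate, allowing several accounts
# per person, as Andreas pointed out (constructed sample data).
CERT_TABLE = {"sha256:constructed-fingerprint-1": ["bert", "postmaster"]}


def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Salted password hashes for accounts not covered by a certificate (constructed).
PASSWORDS = {"shared": ("salt1", _hash("s3cret", "salt1"))}


def certified_accounts(cert: ClientCert, use_table: bool) -> set:
    """Accounts the certificate vouches for, by table lookup or by SAN names."""
    if use_table:
        return set(CERT_TABLE.get(cert.fingerprint, []))
    return {addr.split("@", 1)[0] for addr in cert.san_emails
            if addr.lower().endswith("@" + LOCAL_DOMAIN)}


def authorize(cert: ClientCert, login_user: str, password: str,
              use_table: bool = False):
    """Return the mailbox to open for this LOGIN, or None to refuse.

    The username given to LOGIN selects which of the person's certified
    accounts to open; the password is ignored for those. Any other username
    is checked against the password store in constant time."""
    if login_user in certified_accounts(cert, use_table):
        return login_user
    entry = PASSWORDS.get(login_user)
    if entry is None:
        return None
    salt, expected = entry
    return login_user if hmac.compare_digest(_hash(password, salt), expected) else None
```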