[Dovecot] SSL Client Certificate Support

Bert Koelewijn bert at rosanneke.com
Wed Oct 1 15:23:04 EEST 2003


Bert Koelewijn wrote:

> Andreas Jaekel wrote:
> 
>> Aloha!
>>
>>
>> At 12:37 01/10/2003 +0200, Bert Koelewijn wrote:
>>
>>> Dear Timo,
>>>
>>> most modern enterprises make use of a Public Key Infrastructure. It 
>>> would be nice to have dovecot check a client certificate instead of a 
>>> password. This makes life much easier and more secure.
>>> Mail clients like Mozilla and MS Outlook do support this. What do you 
>>> think of the following feature request:
>>>
>>> - Client authenticates with a certificate via SSL. (Like stunnel can)
>>> - Dovecot looks the username up in a table with (public key, username)
>>> - The mailclient gives a name and password, but dovecot ignores them
>>> - Dovecot gives the client access by the username found in the table
>>>
>>> This way existing mail clients can use this system and you can save 
>>> your username with an empty password.
>>
>> Wouldn't it be much better to take the list of valid usernames from X.509
>> extension fields instead of a lookup table?  That way the usernames are
>> also verified and trusted information.
>>
>> dovecot-auth would then allow the client to log in with any of the
>> certified usernames using any arbitrary password, or to additional
>> usernames using the correct password.
>>
>> Of course, one could also use attribute certificates... :)
>>
>> Anyway, one thing to remember might be that a certificate usually
>> identifies a person, not an account, so if a lookup table is used it
>> should allow the person to have more than one account, and dovecot
>> should allow that person into any one of them.  Which one the person
>> wants would be indicated by the username given to LOGIN.
>>
>> Regards,
>>   Andy
>>
>>
> 
> Yep, you're totally right. In our company everybody has 1 mailbox, then 
> one could use X.509 extensions.
> 
> Thanks!
> 
> Bert
> 
> 
>
If you don't use a lookup table, you HAVE to implement CRLs! You can
make a script to download a new CRL and set it in your crontab.

Regards,

Bert
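The login flow discussed in this thread, worked through in Go as an added example that is neither part of the thread nor Dovecot's own code: the client certificate is verified against the CA, the CA-signed CRL is consulted (and treated as untrustworthy once it is past its nextUpdate, which is the failure mode a cron-driven refresh would otherwise hide), and only then is the certified identity resolved to one of the mailboxes that person owns, with the LOGIN username selecting among them and the LOGIN password ignored. The identity is taken from the certificate's rfc822Name subjectAltName, the X.509 field Andy's message points at; the account table, names and e-mail addresses are constructed for the illustration. The example uses only Go's standard crypto/x509 package and builds its CA, client certificate and CRL in memory, so the keys differ on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrRevoked       = errors.New("client certificate is listed on the CRL")
	ErrStaleCRL      = errors.New("CRL is past its nextUpdate; fetch a fresh one before trusting it")
	ErrNotAuthorized = errors.New("certified identity does not own the requested mailbox")
)

// accountTable (constructed): certified identity, i.e. the rfc822Name from the
// certificate's subjectAltName, to the mailboxes that person owns. One person
// may own several; the username given to LOGIN picks one of them.
var accountTable = map[string][]string{"bert@example.com": {"bert", "postmaster"}}

// authorizeLogin verifies the client certificate against the CA, rejects it if
// the CA-signed and still-fresh CRL lists its serial, then resolves which of
// the certified identity's mailboxes may be opened. The LOGIN password is ignored.
func authorizeLogin(client, ca *x509.Certificate, crlDER []byte, requested string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("CRL not signed by our CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "", ErrStaleCRL // a cron job that stopped refreshing the CRL must fail closed
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return "", ErrRevoked
		}
	}
	for _, email := range client.EmailAddresses { // identity comes from the signed SAN, not from LOGIN
		for _, acct := range accountTable[email] {
			if acct == requested {
				return acct, nil
			}
		}
	}
	return "", ErrNotAuthorized
}

// must unwraps (value, error) pairs while building the constructed fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the signer's key (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// buildPKI builds a constructed in-memory CA, a client certificate carrying an
// rfc822Name SAN, and a DER-encoded CRL that lists the client when revokeClient is set.
func buildPKI(revokeClient bool) (ca, client *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mail CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign the CRL
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	client = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Bert Koelewijn"},
		EmailAddresses: []string{"bert@example.com"}, // rfc822Name in subjectAltName (constructed)
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &clientKey.PublicKey, caKey)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeClient {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now}}
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return ca, client, crlDER
}
```

The order of the checks is the point: chain verification and the CRL run before any username is consulted, so a revoked or foreign certificate never reaches the account table, and a CRL that has gone stale is an error rather than a silent pass. This is the shape of the check only; wiring it into dovecot-auth is not shown.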