[Dovecot] SSL Client Certificate Support
Timo Sirainen
tss at iki.fi
Mon May 10 03:09:08 EEST 2004
On 9.5.2004, at 00:38, jan at weitan.org wrote:
> I would appreciate this feature as well. Because i am using postfix
> relaying with permit_tls_clientcerts and it just checks the
> fingerprints
> of the certs. It find it far more convenient than using something like
> pam
> and authorising with user accounts. Postfix can use this features also
> in
> combination with normal sasl methods.
I've been thinking about doing this lately as well. Shouldn't really be
much of a job. Just tell OpenSSL library to require a valid client
certificate. Optionally also force the cert's common name to be
client's login name.
I think it would still be a good idea to use passwords as well. Wasn't
the one OpenSSL hole a year ago exploitable only with servers requiring
client certificates?..
Maybe the passwordless authentication would work just by keeping
password fields empty in password database? Or maybe I'll just create a
new "nocheck" passdb. EXTERNAL SASL mechanism would also be useful for
this.
> < Using OpenSSL for authentication brings
>> in tons of more code that has to be relied on.
> Your port 22 is closed or does not rely on the the OpenSSL lib ?
Closed except from a few IPs :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040510/eba83ff4/PGP.pgp
More information about the dovecot
mailing list