[Dovecot] SSL Client Certificate Support

Timo Sirainen tss at iki.fi
Mon May 10 03:09:08 EEST 2004


On 9.5.2004, at 00:38, jan at weitan.org wrote:

> I would appreciate this feature as well. Because i am using postfix
> relaying with permit_tls_clientcerts and it just checks the 
> fingerprints
> of the certs. It find it far more convenient than using something like 
> pam
> and authorising with user accounts. Postfix can use this features also 
> in
> combination with normal sasl methods.

I've been thinking about doing this lately as well. Shouldn't really be 
much of a job. Just tell OpenSSL library to require a valid client 
certificate. Optionally also force the cert's common name to be 
client's login name.

I think it would still be a good idea to use passwords as well. Wasn't 
the one OpenSSL hole a year ago exploitable only with servers requiring 
client certificates?..

Maybe the passwordless authentication would work just by keeping 
password fields empty in password database? Or maybe I'll just create a 
new "nocheck" passdb. EXTERNAL SASL mechanism would also be useful for 
this.

> < Using OpenSSL for authentication brings
>> in tons of more code that has to be relied on.
> Your port 22 is closed or does not rely on the the OpenSSL lib ?

Closed except from a few IPs :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040510/eba83ff4/PGP.pgp


More information about the dovecot mailing list