[Dovecot] client certs with godaddy ssl cert
Harondel J. Sibble
help at pdscc.com
Wed Oct 8 11:05:44 EEST 2008
On 29 Sep 2008 at 8:40, Rainer Frey (Inxmail GmbH) wrote:
> What is important: you can not self-sign each client certificate, but you need
> a CA with a self-signed root instead. I think you understand that already,
> just noting that for completeness.
>
> Then you simply configure Dovecot as described in
> http://wiki.dovecot.org/SSL/DovecotConfiguration
Followed those directions, enabled the client side certificate checking, but
no go.
> Then configure client cert verification as described in the last section of
> above mentioned wiki page.
> ssl_ca_file is used for client cert verification only, and does not need to
> cover the server certificate.
Done, I have the following enabled.
auth default {
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
mechanisms = plain
ssl_require_client_cert = yes
ssl_ca_file = /etc/pki/dovecot/certs/dovecot-clientcerts
ssl_verify_client_cert = yes
verbose_ssl = yes
ssl_require_client_cert = yes
Logs don't show anything of any interest, on the client side (Windows Mobile
5 phone running Web IS's Flexmail4).
When I asked their tech support about using a client cert, I got this:
Greetings and thank you for contacting us.
It should be using the certs which the PDA has installed. Is the cert
installed (in the device settings > System > Certificates)?
We appreciate having the opportunity to help and service you. Please let
us know if there is anything more we can do.
I've verified that my root ca is installed on the pda and the personal cert
is also installed.
The following is all I see on the connection attempt from the pda:
Oct 8 01:00:55 myserver dovecot: Dovecot v1.0.7 starting up
Oct 8 01:01:51 myserver dovecot: imap-login: Disconnected: method=PLAIN, rip=10.12.13.14, lip=10.12.13.14, TLS
At this point the client device is stuck asking to confirm account
credentials.
--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
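
The point quoted in the message above, that each client certificate must be issued by a CA whose self-signed root is the file ssl_ca_file points at, can be checked offline before changing anything in Dovecot. The script below is an added example, not part of the original post or of the Dovecot wiki; the CA, subject names, file names and the HOST placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every key, certificate and name below is a constructed
# throwaway value; nothing comes from the poster's server or device.

# chains_to_ca CAFILE CERT: print "yes" if CERT verifies against CAFILE,
# "no" otherwise. Success is detected from the "<file>: OK" line that
# "openssl verify" prints when the chain is valid.
chains_to_ca() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo yes
    else
        echo no
    fi
}

# build_demo_pki DIR: create a self-signed root (the kind of file ssl_ca_file
# points at), a client cert issued by it, and a self-signed client cert.
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Client CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-user" \
        -keyout "$d/self.key" -out "$d/selfsigned.pem" 2>/dev/null || return 1
}

demo_dir=$(mktemp -d)
if build_demo_pki "$demo_dir"; then
    echo "CA-issued client cert:   $(chains_to_ca "$demo_dir/ca.pem" "$demo_dir/client.pem")"
    echo "self-signed client cert: $(chains_to_ca "$demo_dir/ca.pem" "$demo_dir/selfsigned.pem")"
fi
# To see whether a client certificate is presented and accepted on the wire:
#   openssl s_client -connect HOST:993 -cert client.pem -key client.key
# (HOST is a placeholder for the IMAPS server.)
```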