[Dovecot] client certs with godaddy ssl cert
Bill Cole
dovecot-20061108 at billmail.scconsult.com
Mon Sep 29 17:43:14 EEST 2008
Harondel J. Sibble wrote:
>
> On 27 Sep 2008 at 13:22, mouss wrote:
>
>> if you have a commercial cert, you don't need a self signed cert. self
>> signed certs are for people who don't want to get a cert signed by a 3d
>> party (commercial or other). For email, you generally don't need a
>> commercial certificate because your users know you and you know them,
>> and because users don't connect to thousand imap servers.
>
> Huh? I am looking to implement client side certificates which have to be
> installed on the end user device before they are able to connect to my
> mailserver.
Right. You need to keep track of what client certs you trust, so you really
should be *at least* the immediate issuer (signer) of the client certs. The
only reasons you would want your signing cert for those client certs to have
a commercial issuer would be:
1. You want the client certs to be generally usable with those devices and
servers other than your own.
2. The devices do not support the addition of new "root" certificates (i.e.
your signing cert.)
> I already have a commercial cert on the mailserver so that's a moot point.
It is also likely to be irrelevant. The signature chain of a server's cert
does not influence what signing chain a client cert needs to have.
> Secondly a client cert allows me to verify that the device connecting is
> allowed, this is secondary to any login info the user may have, ie 2 factor
> authentication, something you know (uid/password) and something you have
> (certificate).
That is only true if you are using a dependable mechanism to assure that
users will actually be required to enter a password live rather than have
their mail client save it
More information about the dovecot
mailing list