[Dovecot] X.509 certificate based IMAP login

dovecotlist at encambio.com
Tue Nov 3 20:59:33 EET 2009


Hello Timo,

On Tues., Nov 03, 2009, Timo SIRAINEN wrote:
>On Mon, 2009-11-02 at 14:22 +0100, dovecotlist at encambio.com wrote:
>> We would like to make it possible for users with an X.509 client
>> certificate to log in without providing LDAP or any other
>> credentials. 
>
>Well.. These get you a bit further:
>
>ssl_ca_file = /pfx/etc/dovecot/dovecot-caroots.pem
>ssl_verify_client_cert = yes
>auth_ssl_username_from_cert = yes
>
We've got that as well as:

  ssl_cert_username_field = emailAddress

>but to disable password check the passdb also needs to check if %k
>variable's value is "valid". With SQL this would be easy. With LDAP, I
>guess it doesn't really work now. Unless you used e.g. checkpassword
>script to do both checks.
>
Thanks Timo, I'll check out the checkpassword script feature which I
think is new to Dovecot since a few months. We're not using SQL at
all, so hopefully it will work with LDAP and checkpassword.

Regards,
Brian
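
The "do both checks" idea from the thread, sketched as a checkpassword-style script. This is an added example, not code from the thread or from Dovecot. It assumes the certificate state (%k above) reaches the script in an environment variable given the hypothetical name CERT_STATE, and that the LDAP check is supplied by the site; `ldap_verify` is a placeholder.

```python
import os
import sys

# checkpassword exit codes: 1 = bad credentials, 111 = temporary failure
OK, FAIL, TEMPFAIL = 0, 1, 111

def parse_fd3(data: bytes):
    """Split the checkpassword input 'user NUL password NUL timestamp NUL'."""
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")

def decide(data: bytes, cert_state, verify_password) -> int:
    """Return the exit code for one login attempt; anything unexpected fails closed."""
    try:
        user, password = parse_fd3(data)
    except (ValueError, UnicodeDecodeError):
        return FAIL
    # Skip the password only when the state is exactly "valid". Assumes the
    # username came from the certificate (auth_ssl_username_from_cert = yes).
    if cert_state == "valid":
        return OK
    if not password:
        return FAIL  # no valid certificate: an empty password is never accepted
    try:
        return OK if verify_password(user, password) else FAIL
    except Exception:
        return TEMPFAIL  # password backend (e.g. LDAP) unreachable

def ldap_verify(user, password):
    # Placeholder for the site's LDAP bind; until replaced, logins without a
    # valid certificate end in a temporary failure rather than success.
    raise ConnectionError("LDAP backend not configured")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(2)  # misuse: no reply program given
    # CERT_STATE is a hypothetical variable name (assumption, see lead-in)
    code = decide(os.read(3, 512), os.environ.get("CERT_STATE"), ldap_verify)
    if code != OK:
        sys.exit(code)
    os.execv(sys.argv[1], sys.argv[1:])  # success: hand over to the reply program
```

A missing or unexpected CERT_STATE value falls through to the password check, so a misconfigured variable cannot turn into a password-less login.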
