[Dovecot] Question about Client Certificates

William Gallafent william at gallaf.net
Tue Oct 19 12:59:30 EEST 2010


On 18 October 2010 23:52, Jerry <dovecot.user at seibercom.net> wrote:
> On Mon, 18 Oct 2010 23:17:40 +0100
> William Gallafent <william at gallaf.net> articulated:
>
>> Current status: I have successfully configured imap with tls, accessed
>> on port 993, and for security require a valid client certificate to be
>> presented, using ssl_require_client_cert and ssl_verify_client_cert.
>> This is all working fine!
>
> Out of curiosity, why are you forcing port 993 if you are using TLS? I
> have basically the same setup; however, I use port 143 instead. It helps
> to eliminate the potential problem with an end user failing to change
> the port number.

I keep port 143 firewalled, closed to all except localhost! The
original plan was that that port would accept only unencrypted
connections, 993 only encrypted. But you're right, as I gradually
understand things better, I see that just using 143 for both
classes of connection (once I work out how to configure it!) would be
fine.

- if localhost allow any type of connection
- if not localhost require TLS with a valid client cert

In fact, that restates the problem very succinctly! The part that seems
to break is that when I _require_ a valid client cert, I can no longer
make unencrypted connections from localhost. I'm sure there must be a
straightforward way to do this!

-- 
Bill Gallafent.
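The two-line policy above (loopback may connect however it likes, everything else must use TLS and present a valid client certificate), sketched as a Dovecot 2.x configuration fragment. This is an added example, not configuration from the thread or from the Dovecot project; the file paths, the loopback range and, in particular, the assumption that the ssl_* settings may be overridden inside a `remote` block are assumptions to confirm against the Dovecot version in use before relying on them.

```conf
# Added example (not from the original post). Global defaults apply to
# every client that is not matched by a more specific block below.
ssl = required                        # logins refused unless the session is under TLS
ssl_cert = </etc/ssl/certs/imap.example.org.pem        # assumed path
ssl_key  = </etc/ssl/private/imap.example.org.key      # assumed path
ssl_ca   = </etc/ssl/certs/client-ca.pem               # assumed: CA that issued the client certs
ssl_verify_client_cert  = yes         # verify the presented cert against ssl_ca
ssl_require_client_cert = yes         # no cert, no login
disable_plaintext_auth  = yes

# Loopback only: TLS is still offered, but neither TLS nor a client
# certificate is mandatory. That settings in a remote block override the
# ssl_* defaults for these connections is an assumption to verify.
remote 127.0.0.1/8 {
  ssl = yes
  ssl_require_client_cert = no
  ssl_verify_client_cert  = no
  disable_plaintext_auth  = no
}
```

After applying it, check that `doveconf -n` accepts the file and then test both paths explicitly: a plaintext login on 143 from localhost should succeed, and a TLS session from another host that omits the client certificate should be refused at login, not merely warned about.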

