[Dovecot] proxying, SSL, and client certificate
Timo Sirainen
tss at iki.fi
Thu Dec 29 15:23:12 EET 2011
On 23.12.2011, at 1.10, Mike Abbott wrote:
> How do I configure dovecot-2.0.x to present a client SSL certificate when proxying?
Set ssl_client_cert and ssl_client_key settings in dovecot.conf. Requires hg version, since these were added after v2.0.16.
> If dovecot on server1.example.com has:
> passdb {
> driver = static
> args = proxy=y host=server2.example.com nopassword=y ssl=yes
> }
>
> and dovecot on server2.example.com has:
> ssl_verify_client_cert = yes
> auth_ssl_require_client_cert = yes
>
> then when a client connects to server1 and authenticates, a connection is established to server2 but the SSL handshake fails because server1 doesn't present a client certificate. I don't see where ssl_client_ctx is tied to a client certificate in ssl-proxy-openssl.c.
If you want some kind of automatic client certificate forwarding, I don't think that's possible even in theory since the private key is needed.
More information about the dovecot
mailing list