[Dovecot] Different settings for SSL/non-SSL protocols
Алексей Прокопчук
alexpro at homelan.lg.ua
Wed Dec 4 13:49:46 EET 2013
Greetings
03.12.2013 17:29, Алексей Прокопчук пишет:
> Good time of the day!
>
> It is possible to setup dovecot with different requirements for SSL and
> non-SSL protocols?
> What would I like to do:
>
> pop3/imap non-SSL = allowed plain text authentication.
> pop3/imap with SSL = allowed plain text authentication with required
> valid SSL certificates.
I examined in detail dovecot's behavior with
'auth_ssl_require_client_cert=yes'.
Dovecot misinterprets configuration in case with parameters:
ssl = yes
auth_ssl_require_client_cert = yes
If ssl is not equal 'required', so not necessarily required, then
unencrypted connection permissible.
And case 'ssl = required' processed separately when connection begins.
But dovecot answers to client with unencrypted connection "Client didn't
sent a valid SSL certificate".
This is wrong because with unencrypted connection can't be any
certificates at all.
I use dovecot-2.1.16.
In auth-request-handler.c I found:
if (request->set->ssl_require_client_cert &&
!request->valid_client_cert) {
/* we fail without valid certificate */
auth_request_handler_auth_fail(handler, request,
"Client didn't present valid SSL certificate");
return TRUE;
}
Here is need to check encrypted connection, and if connection not
encrypted, condition should not be triggered.
And as I said above, case with 'ssl = required' processed early and in
this case we don't get to this place in code.
Sources of dovecot is quite complex, and I can't find a way how to
determine encrypted connection or not at this place for a while. Can you
give me the hint how I can determine it?
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
More information about the dovecot
mailing list