[Dovecot] Different settings for SSL/non-SSL protocols
alexpro at homelan.lg.ua
Wed Dec 4 13:49:46 EET 2013
On 03.12.2013 17:29, Алексей Прокопчук wrote:
> Good time of the day!
> Is it possible to set up dovecot with different requirements for SSL and
> non-SSL protocols?
> What I would like to do:
> pop3/imap non-SSL = allowed plain text authentication.
> pop3/imap with SSL = allowed plain text authentication with required
> valid SSL certificates.
I examined in detail dovecot's behavior with
Dovecot misinterprets the configuration in the case with these parameters:
ssl = yes
auth_ssl_require_client_cert = yes
If ssl is not equal to 'required', so it is not necessarily required,
then an unencrypted connection is permissible.
And the case 'ssl = required' is processed separately when the
connection begins.
But dovecot answers a client with an unencrypted connection with "Client
didn't sent a valid SSL certificate".
This is wrong because with an unencrypted connection there can't be any
certificates at all.
I use dovecot-2.1.16.
In auth-request-handler.c I found:
if (request->set->ssl_require_client_cert &&
/* we fail without valid certificate */
"Client didn't present valid SSL certificate");
Here there is a need to check for an encrypted connection, and if the
connection is not encrypted, the condition should not be triggered.
And as I said above, the case with 'ssl = required' is processed early,
and in this case we don't get to this place in the code.
The dovecot sources are quite complex, and for a while I haven't been
able to find a way to determine at this place whether the connection is
encrypted or not. Can you give me a hint how I can determine it?
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
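
A small model of the check discussed in this message, added here as an illustration; it is not Dovecot's code and not the poster's. The struct, the tls_active flag and the function names are assumptions made for the example, and the connection states are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of one login attempt; not Dovecot's own structs. */
struct conn {
    bool require_client_cert; /* auth_ssl_require_client_cert = yes */
    bool tls_active;          /* assumed flag: session is TLS-protected */
    bool valid_client_cert;   /* a client certificate was verified */
};

/* Behaviour reported in the post: the check ignores the transport. */
static bool reported_allows(const struct conn *c)
{
    return !(c->require_client_cert && !c->valid_client_cert);
}

/* Check suggested in the post: demand a certificate only over TLS. */
static bool suggested_allows(const struct conn *c)
{
    return !(c->require_client_cert && c->tls_active && !c->valid_client_cert);
}

/* Policy asked for in the quoted question, with ssl = yes. */
static bool wanted_allows(const struct conn *c)
{
    return c->tls_active ? c->valid_client_cert : true;
}

/* Count constructed states where a check disagrees with the wanted policy. */
static int mismatches(bool (*check)(const struct conn *))
{
    /* plaintext; TLS without certificate; TLS with valid certificate */
    const struct conn states[] = {
        { true, false, false }, { true, true, false }, { true, true, true },
    };
    int n = 0;
    for (size_t i = 0; i < sizeof(states) / sizeof(states[0]); i++)
        if (check(&states[i]) != wanted_allows(&states[i]))
            n++;
    return n;
}

int main(void)
{
    printf("reported check: %d mismatch(es)\n", mismatches(reported_allows));
    printf("suggested check: %d mismatch(es)\n", mismatches(suggested_allows));
    return 0;
}
```

Under the suggested check with ssl = yes, the certificate requirement applies only to clients that choose TLS; plaintext logins are accepted without one.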