[Dovecot] Different settings for SSL/non-SSL protocols

Алексей Прокопчук alexpro at homelan.lg.ua
Wed Dec 4 13:49:46 EET 2013

03.12.2013 17:29, Алексей Прокопчук пишет:
> Good time of the day!
> It is possible to setup dovecot with different requirements for SSL and
> non-SSL protocols?
> What would I like to do:
> pop3/imap non-SSL = allowed plain text authentication.
> pop3/imap with SSL = allowed plain text authentication with required
> valid SSL certificates.
I examined in detail dovecot's behavior with
Dovecot misinterprets configuration in case with parameters:
ssl = yes
auth_ssl_require_client_cert = yes

If ssl is not equal 'required', so not necessarily required, then
unencrypted connection permissible.
And case 'ssl = required' processed separately when connection begins.
But dovecot answers to client with unencrypted connection "Client didn't
sent a valid SSL certificate".
This is wrong because with unencrypted connection can't be any
certificates at all.

I use dovecot-2.1.16.
In auth-request-handler.c I found:

if (request->set->ssl_require_client_cert &&
            !request->valid_client_cert) {
                /* we fail without valid certificate */
                auth_request_handler_auth_fail(handler, request,
                        "Client didn't present valid SSL certificate");
                return TRUE;

Here is need to check encrypted connection, and if connection not
encrypted, condition should not be triggered.
And as I said above, case with 'ssl = required' processed early and in
this case we don't get to this place in code.

Sources of dovecot is quite complex, and I can't find a way how to
determine encrypted connection or not at this place for a while. Can you
give me the hint how I can determine it?

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)

More information about the dovecot mailing list