[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail -> auth_ssl_require_client_cert problem

Jake Johnson jakej1978 at gmail.com
Sun Mar 31 19:46:38 EEST 2013


unsubscribe


On Wed, Mar 27, 2013 at 1:49 AM, Christian Felsing <hostmaster at taunusstein.net> wrote:

> Hello,
>
> I would like to set up a Dovecot based mail system which uses X.509
> Client Certificates for authentication. A webmail system based on Horde5
> should use Dovecot as backend.
>
> For now Dovecot works with client certificates issued by my CA and Horde
> authenticates also with same client certs. Due to protocol it is
> impossible to use client certs presented by user to Horde for
> authentication at Dovecot, so Horde should be allowed to authenticate
> itself without or an arbitrary password to Dovecot. Horde and Dovecot
> are running in same protected LAN.
>
> Unfortunately Dovecot does not support different authentication methods
> on different IP addresses or ports. This does not work:
>
> remote 192.168.116.28/32 {
>   auth_ssl_require_client_cert = no
>   auth_ssl_username_from_cert = yes
>   disable_plaintext_auth = no
>   ssl = yes
>
> }
>
> Result is "doveconf: Fatal: Error in configuration file
> /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
> settings not supported inside local/remote blocks:
> auth_ssl_require_client_cert"
>
> Replacing "auth_ssl_require_client_cert = no" by "ssl_verify_client_cert =
> no" does not yield an error, but it does nothing, Dovecot still
> insists on a client certificate.
>
> I am afraid that I am trapped by this problem:
>
> http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certificates-for-external-connections-tp475.html
>
> Is there any way to turn off client certs for specific local or remote
> IP addresses?
>
> best regards
> Christian
>

