Disable Client Certificate Authentication for Unencrypted Connections?
Haravikk
dovecot at haravikk.me
Fri Jan 29 13:00:57 UTC 2016
> On 27 Jan 2016, at 21:55, Axel Luttgens <axel.luttgens at skynet.be> wrote:
>
> Hello Haravikk,
>
> Perhaps could you try to devise an exception based on one (or more) "remote" section(s), as in:
>
> remote ip.of.webmail.server {
> ssl_verify_client_cert = no
> [other settings, if needed]
> }
>
> But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings.
>
> HTH,
> Axel
Thanks for the suggestion!
Unfortunately the problem seems to be auth_ssl_require_client_cert; it can only be added to protocol blocks not to local or remote ones. Turning off ssl_verify_client_cert doesn’t seem to prevent dovecot from requiring a certificate if auth_ssl_require_client_cert is enabled (it may even force ssl_verify_client_cert to on implicitly, I’m not sure).
It’s annoying because at present it seems like my only option would be to limit client certificates to POP3 and use that in my mail clients, allowing me to disable client certificates for IMAP to keep it free for Roundcube to use exclusively, but that’s not really an option.
More information about the dovecot
mailing list