Feature Request: login_trusted_networks to take FQDN

Sean Gallagher sean at teletech.com.au
Wed Feb 15 09:31:48 UTC 2023

In a previous post to this list I described a problem I was having 
validating client certificates on inet_listener lmtp connections.

Subject: "Please Help: Dovecot ssl_ca selection based on remote IP 
address filtering not working."

The problem there was that Dovecot does not "inspect" the subject name 
on the client certificate on LMTP connections. As such Any valid 
certificate will pass. In this context "valid" means the same as OpenSSL 
SSL_set_verify( ,SSL_VERIFY_PEER, ). I.e. the certificate chain is well 
formed and can be traced back to a trusted root. It does not say 
anything about the peer's identity.

I propose here, that the "login_trusted_networks" setting be allowed to 
take a domain name - possibly with wildcards. Then the name on the 
client certificate could be checked against login_trusted_networks in 
much the same way that web browsers work.

If you tell your web browser that you want to connect to 
www.example.com, the browser will check that the server's certificate 
matches "www.example.com".

In the present case, if you tell Dovecot (through the 
login_trusted_networks setting) to allow connections from 
"smtp.example.com", then Dovecot could check the name on the client's 
certificate matches "smtp.example.com".

More generally, example.com could issue client certificates with names 
matching "*.mua.example.com". Then you could tell Dovecot to allow 
connections from "*.mua.example.com" through the login_trusted_networks 

These usages could largely replace the IP host and CIDR subnet usages 
currently allowed in the login_trusted_networks setting but both could 
exist side by side.

Of course, more elaborate schemes could be devised involving database 
lookups, but the outlined proposal would be relatively easy to implement 
and cover a good majority of use cases.

The alternative is to force the use of application-specific certificate 
authorities, or just ignore it and hope that no one knows how to spoof 
network traffic.

   That's My two cents...


This email has been checked for viruses by AVG antivirus software.

More information about the dovecot mailing list