On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:



On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote:


Set

ssl_client_ca_file=/path/to/cacert.pem to validate the certificate 

Can this be the Let's Encrypt cert that we already have? In other words, we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Can those be used?

Set it to *CA* cert. You can also use

ssl_client_ca_file=/etc/pki/tls/ca-bundle.crt (on CentOS)

or

ssl_client_ca_dir=/etc/ssl/certs (on Debian-based)

Are you using haproxy or something in front of dovecot?

No. Just Squirrelmail webmail with sendmail.

Maybe squirrelmail supports forwarding the original client IP with the ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced?
---
Aki Tuomi

Also check that auth_policy_request_attributes uses %{rip} and not %{real_rip}. You can see this with

`doveconf auth_policy_request_attributes`
---
Aki Tuomi