Thank you, Timo, for your detailed and authoritative response.
Now I know that my config is fine, and that I didn't miss some option.
Thanks again!
On 29.06.2013 23:25, Timo Sirainen wrote:
> On 29.6.2013, at 23.39, Ireneusz Szcześniak <irek.szczesniak@gmail.com> wrote:
>> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
>> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot.
> OpenSSL can't really drop the connection. Dovecot could do it earlier, but that would complicate the code. I'm not planning on adding such extra code, since the current way works as well.
>> This is safer, because the client is dropped by the well-tested OpenSSL.
> One of the main reasons for Dovecot's pre-login and post-login privilege separation was so that OpenSSL could be separated into Dovecot's untrusted pre-login sandboxed process :) OpenSSL is a highly complex piece of software compared to what Dovecot has to do.
> The one thing I have been considering is that Dovecot's pre-login process would present the client's SSL certificate to Dovecot's auth process, which would independently verify that it's correct. That could be useful I think, although it would also present an additional attack layer to the auth process in case there are OpenSSL vulnerabilities (and the auth process may run with more privileges than the login process).
-- Ireneusz (Irek) Szczesniak http://www.irkos.org
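As an added example (not part of the thread, and not a fragment of either poster's configuration), here are the Dovecot 2.x settings that produce the behaviour discussed above: the pre-login process verifies the client certificate against a configured CA, and the auth process refuses the login when no valid certificate was presented. The file paths are assumptions; the setting names are the standard Dovecot 2.x ones.

```conf
# Added example, not the original poster's config. Paths are placeholders.

# TLS is mandatory; plaintext logins are never accepted.
ssl = required
ssl_cert = </etc/dovecot/certs/server.pem
ssl_key  = </etc/dovecot/private/server.key

# CA that issued the client certificates. Only certificates chaining to it
# are accepted; the verification itself runs inside the sandboxed login
# (pre-login) process, which is where Dovecot keeps OpenSSL.
ssl_ca = </etc/dovecot/certs/client-ca.pem

# Ask the client for a certificate during the TLS handshake.
# As Timo notes, OpenSSL will still complete the handshake without one;
# the connection is not dropped at the TLS layer.
ssl_verify_client_cert = yes

# The auth process then rejects any login attempt made on a connection
# that did not present a valid client certificate. This is the setting
# that enforces "no cert, no login".
auth_ssl_require_client_cert = yes
```

To confirm the effective values after editing, `doveconf -n | grep client_cert` prints only the settings that differ from Dovecot's defaults, so both lines above should appear. The design point from the thread is visible in this layout: even though an unauthenticated client reaches the login process, that process is the unprivileged, sandboxed one, and the more privileged auth process never sees the client before the certificate check has passed.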