unsubscribe
On Wed, Mar 27, 2013 at 1:49 AM, Christian Felsing <hostmaster@taunusstein.net> wrote:
Hello,
I would like to set up a Dovecot-based mail system which uses X.509 client certificates for authentication. A webmail system based on Horde5 should use Dovecot as the backend.
For now Dovecot works with client certificates issued by my CA, and Horde also authenticates with the same client certs. Due to the protocol it is impossible to use client certs presented by the user to Horde for authentication at Dovecot, so Horde should be allowed to authenticate itself to Dovecot without a password or with an arbitrary password. Horde and Dovecot are running in the same protected LAN.
Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
}
Result is "doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert"
Replacing "auth_ssl_require_client_cert = no" by "ssl_verify_client_cert = no" does not yield an error, but it does nothing; Dovecot still insists on a client certificate.
I am afraid that I am trapped by this problem:
http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certifica...
Is there any way to turn off client certs for specific local or remote IP addresses?
Best regards,
Christian