On 27.3.2013, at 10.49, Christian Felsing hostmaster@taunusstein.net wrote:
I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend. .. Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
}
Result is "doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert"
Right. Would be nice to support at some point, but not that easy to implement.
Is there any way to turn off client certs for specific local or remote IP addresses?
In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
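One way to express that %r/%k check as an SQL passdb, as an added example that is not from the thread or from Dovecot's own documentation: it assumes a table `users` with `userid`, `domain` and `password` columns, takes the username from the login rather than from the certificate, and treats 192.168.116.28 from the first message as the trusted webmail host. Because client certificates are no longer enforced at the TLS layer, the query is the only thing that rejects password-only logins from every other address.

```conf
# conf.d/10-auth.conf: these must stay global, since auth_* settings are not
# accepted inside local/remote blocks.
ssl = required                      # plaintext AUTH is still wrapped in TLS
auth_ssl_require_client_cert = no   # let the handshake succeed without a cert;
                                    # the passdb query below enforces it instead
auth_ssl_username_from_cert = no    # assumption: username comes from the login
disable_plaintext_auth = no

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# /etc/dovecot/dovecot-sql.conf.ext (assumed schema: users(userid, domain, password))
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=PLACEHOLDER
default_pass_scheme = SHA512-CRYPT

# %k expands to "valid" when the client certificate was verified and is empty
# otherwise; %r is the remote IP. Dovecot SQL-escapes the expanded variables.
# A row is returned, and the login accepted, only when the client presented a
# valid certificate OR the connection comes from the webmail host.
password_query = \
  SELECT userid AS username, domain, password \
  FROM users \
  WHERE userid = '%n' AND domain = '%d' \
    AND ('%k' = 'valid' OR '%r' = '192.168.116.28')
```

A password-only login from any address other than 192.168.116.28 gets no row back and fails as "unknown user", which is what shows up in the auth debug log when testing the two paths.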