Set

ssl_client_ca_file=/path/to/cacert.pem to validate the certificate 

Can this be the Lets Encrypt cert that we already have? In other words we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Can those be used?

Set it to *CA* cert. You can also use

ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos) 

OK did that.

ssl_client_ca_dir=/etc/ssl/certs (on debian based)
Are you using haproxy or something in front of dovecot?

No. Just Squirrelmail webmail with sendmail.

Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?

I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?

Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with 

`doveconf auth_policy_request_attributes`

Yes I’ve confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed

Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-28 16:13:36.300)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req10: POST https://ourdomain:8084/?command=allow] (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Error: 9008 Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req10: POST https://ourdomain:8084/?command=allow]
Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Destroy (requests left=1)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Free (requests left=0)
Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup service=dovecot
Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1 msg=Password: 
Mar 28 16:13:38 auth-worker(32249): Info: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy request https://ourdomain:8084/?command=report
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: Set request timeout to 2019-03-28 16:13:40.625 (now: 2019-03-28 16:13:38.625)
Mar 28 16:13:38 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Peer reused
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: Setting up connection to ex.ter.na.lip:8084 (SSL=ourdomain) (1 requests pending)
Mar 28 16:13:38 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Submitted (requests left=1)
Mar 28 16:13:38 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Mar 28 16:13:40 auth: Debug: client passdb out: FAIL 1 user=abc
Mar 28 16:13:40 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<abc>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<5aBSMC2FROF/AAAB>
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-28 16:13:40.626)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req11: POST https://ourdomain:8084/?command=report] (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Error: 9008 Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req11: POST https://ourdomain:8084/?command=report]
Mar 28 16:13:40 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Destroy (requests left=1)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Free (requests left=0)


Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Backoff timer expired
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Making new connection 1 of 1 (0 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: HTTPS connection created (1 parallel connections exist)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connected
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Starting SSL handshake
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Connection failed (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084: Failed to make connection (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Failed to establish any connection within our peer pool: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: queue https://ourdomain:8084: Failed to set up connection to ex.ter.na.lip:8084 (SSL=ourdomain): SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 peers pending, 0 requests pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: queue https://ourdomain:8084: Failed to set up any connection; failing all queued requests
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Unlinked queue https://ourdomain:8084 (0 queues linked)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection close
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection disconnect
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Detached peer
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection destroy