I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
However, with my config anybody can connect to my server without presenting a certificate:
openssl s_client -connect server:993 (...)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
Luckily, after connecting without a certificate, logging in fails:
a001 login iszczesniak password
a001 NO [ALERT] Client didn't present valid SSL certificate
*QUESTION: Is there a way in Dovecot to disable establishing an SSL connection without a client certificate?*
My complete config is:
# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
auth_ssl_require_client_cert = yes
mail_location = maildir:~/archive/mail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = bsdauth
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_cert = </etc/ssl/cert.pem
ssl_key = </etc/ssl/private/key.pem
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
-- Ireneusz (Irek) Szczesniak http://www.irkos.org
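The post shows two settings doing two different jobs: with ssl_verify_client_cert the handshake completes whether or not a certificate is offered, and auth_ssl_require_client_cert is what actually turns the missing certificate into a failed LOGIN. A reviewer auditing such a server wants to confirm mechanically that both are set, that ssl_ca points at a CA bundle, and that the plaintext IMAP listener is off. The script below is an added example written for this page, not code from the poster or from the Dovecot project: it parses the `dovecot -n` dump format (key = value lines, `name {` ... `}` blocks) into nested dicts and reports those four checks. The embedded sample is a trimmed copy of the poster's own config; the function names and check labels are the example's own.

```python
"""Audit a `dovecot -n` dump for the client-certificate settings discussed above."""
import re
from typing import Any, Dict

# Sample input, trimmed from the poster's `dovecot -n` output (raw string so
# the backslashes in special_use survive untouched).
SAMPLE_CONFIG = r"""
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
auth_ssl_require_client_cert = yes
mail_location = maildir:~/archive/mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  prefix = 
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_cert = </etc/ssl/cert.pem
ssl_key = </etc/ssl/private/key.pem
ssl_verify_client_cert = yes
"""

# `service imap-login {` or `passdb {` : header is one or two words, then `{`
BLOCK_OPEN = re.compile(r"^(\S+(?:\s+\S+)?)\s*\{$")
# `key = value` ; value may be empty (e.g. `prefix = `)
SETTING = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_dovecot_n(text: str) -> Dict[str, Any]:
    """Parse `dovecot -n` output into nested dicts.

    Blocks become dicts keyed by their full header ("service imap-login");
    settings become strings. Comment and blank lines are skipped. Unbalanced
    braces raise ValueError rather than silently producing a partial tree.
    """
    root: Dict[str, Any] = {}
    stack = [root]  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            child: Dict[str, Any] = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        m = SETTING.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block in config")
    return root


def audit_client_cert(cfg: Dict[str, Any]) -> Dict[str, bool]:
    """Answer the four questions a reviewer of this config would ask."""
    imap_login = cfg.get("service imap-login", {})
    plain_listener = imap_login.get("inet_listener imap", {})
    return {
        # TLS layer asks for a client certificate and verifies it when sent
        "verify_requested": cfg.get("ssl_verify_client_cert") == "yes",
        # LOGIN is refused when no valid certificate was presented
        "cert_required_for_auth": cfg.get("auth_ssl_require_client_cert") == "yes",
        # `<path` means Dovecot reads the CA bundle from that file
        "ca_configured": cfg.get("ssl_ca", "").startswith("<"),
        # port = 0 disables the plaintext IMAP listener, leaving only imaps
        "plaintext_imap_disabled": plain_listener.get("port") == "0",
    }


if __name__ == "__main__":
    for check, ok in audit_client_cert(parse_dovecot_n(SAMPLE_CONFIG)).items():
        print(f"{check:26s} {'OK' if ok else 'MISSING'}")
```

Run against a live dump with `dovecot -n | python3 audit.py` after swapping SAMPLE_CONFIG for `sys.stdin.read()`; any MISSING line is a setting to revisit before exposing port 993.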