On 19/05/2023 05:54 EEST Sean Gallagher sean@teletech.com.au wrote:
We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_c...
I've been studying the code, looking for any way the "auth_ssl_username_from_cert" setting could be used by the LMTP server and have been unable to find any. Could someone at least confirm that Dovecot, in its present form, CAN NOT in fact check the name on a client certificate presented to the LMTP server? If nothing else, this misleading post needs to be corrected.
Somehow my mind didn't register that we are talking about LMTP. No, LMTP has no client-side cert *name* validation, because LMTP has no authentication either.
What is your use-case for validation here? Did you mean submission? It has actual authentication and can do client cert name validation with auth_ssl_username_from_cert.
Aki