Hi All,

I hope this is the correct place to post this. If not, apologies.

I am in the process of updating my company's email servers and am trying to put Dovecot into an Alpine Linux container, hosted on Proxmox.

In my setup, local mail deliveries via LMTP can come from the MSA (for intra-company mail) and an MTA (for inbound mail).

The LMTP data is sent over IPv4 and is protected by TLS. Client certificates are used to authenticate sources.

I wanted to prevent Dovecot from accepting LMTP from any other source and the method I came up with to do this was to use filtering on the "remote" address.

I would create a "Fake" CA that had never signed a certificate and use that to evaluate the certificate presented by incoming connections from addresses other than the two legitimate sources.

This would cause all connections from "bad" addresses to be rejected. This seemed simple enough on paper but Dovecot just isn't playing along.


It seems that no matter what I do, I cannot get "remote" filtering to switch the "ssl_ca" parameter. I have put together a test bed to demonstrate.

I then use openssl s_client to attempt to connect to the test bed container.

I've attached the instructions to build the test bed from scratch.

In all cases s_client reports:

    Acceptable client certificate CA names
    CN = Fake CA

I.e. it wants a certificate from the CA that has never signed a certificate and never will.


Why not do the obvious thing?

I use LDAP to authenticate individual users and the user name will be reported over LMTP.

So to use the normal authentication mechanisms to authenticate the connection source, I would need to do two LDAP lookups, one for the connecting machine and one for the mail recipient.

It is not clear from the documentation whether this is possible.


Questions:

Is config file filtering broken or am I doing it wrong?

Is it possible to provide a different "ssl_ca" based on the remote IP address?

Is there an easier way to restrict LMTP connections to specific remote IP addresses?


p.s.

Filtering just doesn't work like it's supposed to. Someone should look at that (especially multi-level).

See this: https://dovecot.org/pipermail/dovecot/2016-June/104770.html

Any help would be greatly appreciated. I am at my wits' end with this.



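The check the poster is doing by hand with s_client can be scripted, which makes it easier to probe the server from each of the candidate source addresses in turn and see which CA it advertises to each. The script below is an added example, not code from the original post or from Dovecot: it parses the "Acceptable client certificate CA names" block that `openssl s_client` prints during the handshake and compares it with the CA a given source is expected to see. The `probe` helper assumes OpenSSL 3.x (for `-bind`, which picks the local source address) and LMTP offered via STARTTLS on port 24; the `SAMPLE` transcript is constructed for the demo, not captured from the poster's test bed.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): inspect which
# client-certificate CAs a TLS server advertises, as reported by
# `openssl s_client`, and compare them with what a given source should see.
# A per-remote ssl_ca that has taken effect shows up here as a different
# "Acceptable client certificate CA names" list for each source address.

# Print the DNs listed under "Acceptable client certificate CA names" from
# s_client output on stdin, one per line. Prints nothing if the server did
# not request a client certificate at all ("No client certificate CA names
# sent").
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_block = 1; next }
        /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested|Peer signing digest|Peer signature type|Server Temp Key|---)/ { in_block = 0 }
        in_block && NF { print }
    '
}

# Succeed only if the server advertised exactly the expected CA list, for
# example "CN = Fake CA" for a source that should be refused, or the DN of
# the real CA for one of the two legitimate sources.
expect_ca() {
    expected=$1
    got=$(acceptable_cas)
    [ "$got" = "$expected" ]
}

# Connect to the LMTP port from a chosen local source address and emit the
# handshake transcript. Assumptions: OpenSSL 3.x (for -bind), STARTTLS on
# port 24. Run it from a host that actually owns the source address, e.g.
#   probe 192.0.2.10 mail.example.test | expect_ca 'CN = MSA CA'
probe() {
    src=$1 host=$2 port=${3:-24}
    openssl s_client -connect "$host:$port" -bind "$src:0" -starttls lmtp \
        </dev/null 2>/dev/null
}

# Constructed sample of the relevant part of an s_client transcript, used
# when the script is run directly. It is what a non-whitelisted source is
# meant to see once the filtering works: only the never-signing Fake CA.
SAMPLE='---
Acceptable client certificate CA names
CN = Fake CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1234 bytes and written 456 bytes
'

# Demo on the constructed sample.
printf '%s' "$SAMPLE" | acceptable_cas
if printf '%s' "$SAMPLE" | expect_ca 'CN = Fake CA'; then
    echo "server advertises only 'CN = Fake CA' to this source"
else
    echo "unexpected CA list for this source"
fi
```

To test the filtering, run `probe` once from each legitimate source address and once from an unrelated one, and pipe each transcript into `expect_ca` with the DN that source should see. If every transcript lists "CN = Fake CA", the remote-specific `ssl_ca` is not being applied, which is exactly the symptom described above; if a legitimate source sees its real CA while others see only the Fake CA, the setup behaves as intended.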