On 18 October 2010 23:52, Jerry dovecot.user@seibercom.net wrote:
> On Mon, 18 Oct 2010 23:17:40 +0100 William Gallafent william@gallaf.net articulated:
>> Current status: I have successfully configured imap with tls, accessed on port 993, and for security require a valid client certificate to be presented, using ssl_require_client_cert and ssl_verify_client_cert. This is all working fine!
> Out of curiosity, why are you forcing port 993 if you are using TLS? I have basically the same setup; however, I use port 143 instead. It helps to eliminate the potential problem with an end user failing to change the port number.
I keep port 143 firewalled, closed to all except localhost! The original plan was that that port would accept only unencrypted connections, 993 only encrypted. But you're right, as I gradually understand things better, I see that just using 143 for both classes of connection (once I work out how to configure it!) would be fine.
- if localhost allow any type of connection
- if not localhost require TLS with a valid client cert
In fact, that restates the problem very succinctly! The part that seems to break is that when I _require_ a valid client cert, I can no longer make unencrypted connections from localhost. I'm sure there must be a straightforward way to do this!
-- Bill Gallafent.
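The two-line policy above (anything from localhost, TLS plus a valid client certificate from anywhere else) expressed as a Dovecot configuration fragment. This is an added example, not a reply from the thread or configuration posted by either participant. It assumes Dovecot v2.0 syntax, that `ssl` and `ssl_require_client_cert` can be overridden inside a `local` block (the same mechanism the v2.0 SSL documentation uses for per-IP certificates), and the certificate paths shown; check the result with `doveconf -n` and a test login before relying on it.

```conf
# Added example (not from the thread). Assumptions: Dovecot 2.0+ syntax,
# per-"local" override of ssl / ssl_require_client_cert, and the paths below.

# A single listener on 143 serves both plaintext and STARTTLS sessions.
# 993 is kept only for remote clients that are already configured for imaps.
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# Default policy, i.e. what every non-loopback connection gets:
# TLS is mandatory and the peer must present a certificate that
# chains to ssl_ca (ssl_verify_client_cert checks it, ssl_require_client_cert
# refuses logins without one).
ssl = required
# assumed paths
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key
# assumed path: the CA that issues the client certificates
ssl_ca = </etc/dovecot/client-ca.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes

# Override for connections that arrive on the loopback address.
# "local" matches the address the client connected TO, so a remote host
# cannot reach this block. ssl = yes means "offer STARTTLS but do not
# demand it". disable_plaintext_auth (default yes) already treats
# connections from the same host as secure, so plaintext LOGIN works here.
local 127.0.0.1 {
  ssl = yes
  ssl_require_client_cert = no
}
local ::1 {
  ssl = yes
  ssl_require_client_cert = no
}
```

To confirm the split after a reload: `openssl s_client -connect <public-ip>:143 -starttls imap` without `-cert`/`-key` should not be able to log in, the same command with the client certificate supplied should, and a plain `telnet 127.0.0.1 143` followed by `a LOGIN user pass` should succeed from the box itself. If `doveconf -n` shows the `local` settings but logins from loopback still fail with a certificate error, the running version is not honouring the override and the assumption above does not hold for it.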