In a previous post to this list I described a problem I was having validating client certificates on inet_listener lmtp connections.
Subject: "Please Help: Dovecot ssl_ca selection based on remote IP address filtering not working."
The problem there was that Dovecot does not "inspect" the subject name on the client certificate on LMTP connections. As such, any valid certificate will pass. In this context "valid" means the same as OpenSSL SSL_set_verify( ,SSL_VERIFY_PEER, ): the certificate chain is well formed and can be traced back to a trusted root. It says nothing about the peer's identity.
I propose here that the "login_trusted_networks" setting be allowed to take a domain name - possibly with wildcards. Then the name on the client certificate could be checked against login_trusted_networks in much the same way that web browsers check server certificates.
If you tell your web browser that you want to connect to www.example.com, the browser will check that the server's certificate matches "www.example.com".
In the present case, if you tell Dovecot (through the login_trusted_networks setting) to allow connections from "smtp.example.com", then Dovecot could check the name on the client's certificate matches "smtp.example.com".
More generally, example.com could issue client certificates with names matching "*.mua.example.com". Then you could tell Dovecot to allow connections from "*.mua.example.com" through the login_trusted_networks setting.
These usages could largely replace the IP host and CIDR subnet usages currently allowed in the login_trusted_networks setting but both could exist side by side.
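To make the proposal concrete, here is an added example (not Dovecot code, and not part of the original post) of how such a mixed login_trusted_networks value could be evaluated. It assumes the chain has already passed the SSL_VERIFY_PEER-style check, that the names presented by the client certificate (CN / SAN dNSName) are available as plain strings, and that a wildcard is only honoured as the whole leftmost label, matching exactly one label, as browsers do. The setting value and peers below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    """A connecting client: its source IP and the names on its certificate.

    cert_names is empty when no client certificate was presented.
    """
    ip: str
    cert_names: tuple = ()


def parse_trusted_networks(setting: str):
    """Split a login_trusted_networks-style value into ("net", network) or
    ("name", pattern) entries. Anything that is not an IP or CIDR is treated
    as a hostname pattern (hypothetical extension proposed in the post)."""
    entries = []
    for token in setting.split():
        try:
            entries.append(("net", ipaddress.ip_network(token, strict=False)))
        except ValueError:
            entries.append(("name", token.lower().rstrip(".")))
    return entries


def name_matches_pattern(name: str, pattern: str) -> bool:
    """Browser-style matching: '*' may only be the entire leftmost label and
    matches exactly one non-empty label. Comparison is case-insensitive."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return name == pattern
    plabels = pattern.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False  # reject "smtp*.example.com" or "*.*.example.com"
    nlabels = name.split(".")
    if len(nlabels) != len(plabels) or nlabels[0] == "":
        return False  # wildcard covers one label only, so depth must be equal
    return nlabels[1:] == plabels[1:]


def is_trusted(peer: Peer, entries, cert_verified: bool) -> bool:
    """True if the peer's IP is inside a listed network, or if its verified
    certificate carries a name matching a listed hostname pattern.
    Name entries never match unless the chain itself verified."""
    peer_ip = ipaddress.ip_address(peer.ip)
    for kind, value in entries:
        if kind == "net":
            if peer_ip in value:
                return True
        elif cert_verified:
            if any(name_matches_pattern(n, value) for n in peer.cert_names):
                return True
    return False


if __name__ == "__main__":
    # Constructed setting mixing today's CIDR form with the proposed name form.
    trusted = parse_trusted_networks("10.0.0.0/8 smtp.example.com *.mua.example.com")
    for peer, verified in [
        (Peer("10.1.2.3"), False),                                   # trusted by subnet
        (Peer("203.0.113.5", ("smtp.example.com",)), True),          # exact name
        (Peer("203.0.113.5", ("host1.mua.example.com",)), True),     # wildcard, one label
        (Peer("203.0.113.5", ("a.b.mua.example.com",)), True),       # two labels: rejected
        (Peer("203.0.113.5", ("host1.mua.example.com",)), False),    # chain not verified
    ]:
        print(peer, verified, "->", is_trusted(peer, trusted, verified))
```

The important design point is the `cert_verified` gate: a name entry only ever grants trust on top of a successful chain verification, so a self-signed certificate that happens to claim "smtp.example.com" still fails, and the existing IP and CIDR entries keep working unchanged alongside the new form.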
Of course, more elaborate schemes could be devised involving database lookups, but the outlined proposal would be relatively easy to implement and cover a good majority of use cases.
The alternative is to force the use of application-specific certificate authorities, or just ignore it and hope that no one knows how to spoof network traffic.
That's my two cents...
Sean.