On Fri, 27 Feb 2015, Karol Babioch wrote:
> I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting.
>
> However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based).
There are local and remote IP blocks in Dovecot, however, I cannot find the Wiki page it is documented on. But see: http://wiki2.dovecot.org/SSL/DovecotConfiguration

local means to match the local IP of the connection, remote matches the remote end, aka client IP address.
You could try to use ssl_require_client_cert as default and add a remote { } block, in which you disable that feature.
Steffen Kaiser