On 29 Sep 2008 at 8:40, Rainer Frey (Inxmail GmbH) wrote:
> What is important: you can not self-sign each client certificate, but you need a CA with a self-signed root instead. I think you understand that already, just noting that for completeness.
> Then you simply configure Dovecot as described in http://wiki.dovecot.org/SSL/DovecotConfiguration
Followed those directions, enabled the client side certificate checking, but no go.
> Then configure client cert verification as described in the last section of above mentioned wiki page. ssl_ca_file is used for client cert verification only, and does not need to cover the server certificate.
Done, I have the following enabled:

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  mechanisms = plain
  ssl_require_client_cert = yes

ssl_ca_file = /etc/pki/dovecot/certs/dovecot-clientcerts
ssl_verify_client_cert = yes
verbose_ssl = yes
ssl_require_client_cert = yes
Logs don't show anything of any interest. On the client side (a Windows Mobile 5 phone running Web IS's Flexmail4), when I asked their tech support about using a client cert, I got this:
    Greetings and thank you for contacting us.

    It should be using the certs which the PDA has installed. Is the cert
    installed (in the device settings > System > Certificates)?

    We appreciate having the opportunity to help and service you. Please let
    us know if there is anything more we can do.
I've verified that my root CA is installed on the PDA and the personal cert is also installed.

The following is all I see on the connection attempt from the PDA:

Oct 8 01:00:55 myserver dovecot: Dovecot v1.0.7 starting up
Oct 8 01:01:51 myserver dovecot: imap-login: Disconnected: method=PLAIN, rip=10.12.13.14, lip=10.12.13.14, TLS

At this point the client device is stuck asking to confirm account credentials.
-- 
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)
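The point Rainer makes at the top of the thread (client certs must be issued by a CA whose root goes into ssl_ca_file; a self-signed per-client cert cannot be verified) can be checked outside Dovecot with the openssl CLI. The script below is an added example, not code from the thread or from the Dovecot project: it builds a throwaway CA, issues one client cert from it, creates one self-signed client cert, and runs the same chain check against the CA file that a server-side ssl_verify_client_cert does. All file names, subjects and the WORK directory are constructed for the demonstration; it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Dovecot): show why
# the CA in ssl_ca_file must be the issuer of every client certificate.
# Assumes the openssl CLI is available. Every name and path is constructed.

set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Build a private CA with a self-signed root (what ssl_ca_file should hold).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Mail CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate signed by that CA (the correct way).
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client-user" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -out "$WORK/client.crt" >/dev/null 2>&1
}

# Create a self-signed client certificate (the mistake Rainer warns about).
make_selfsigned_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=selfsigned" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# Verify a cert against the CA file the way a server-side check does.
# Returns 0 when the chain is valid, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Run the whole demonstration and report each outcome.
demo() {
    make_ca
    make_client_cert
    make_selfsigned_client
    if verify_against_ca "$WORK/client.crt"; then
        echo "CA-issued client cert: verifies against the CA file"
    fi
    if ! verify_against_ca "$WORK/self.crt"; then
        echo "self-signed client cert: rejected (issuer not in the CA file)"
    fi
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh script.sh demo`. The same `openssl verify -CAfile` check, pointed at the real ssl_ca_file and at the certificate exported from the device, is a quick way to tell whether the handshake is failing because the client cert does not chain to that file, before looking anywhere else.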