Hello,
I'm trying to get TLS client cert authentication to work on the LMTP socket via TCP port 24 with Dovecot 2.4. I was already able to get TLS working on the LMTP socket, but if I connect to it via 'openssl s_client' from another machine and type in a few LMTP commands, Dovecot accepts all mail without requesting a client cert from me. The server running Dovecot is behind a firewall, so LMTP connections should only be possible from the SMTP server in the same local network, not from the whole internet. However, I want to guard against possible firewall misconfigs by enforcing client certs between the incoming SMTP server and Dovecot for mail delivery.
Is there a way to do this in Dovecot?
My /etc/dovecot/conf.d/20-lmtp.conf effectively looks like this:
lmtp_save_to_detail_mailbox = yes
lmtp_add_received_header = yes

protocol lmtp {
  mail_plugins {
    sieve = yes
  }
  ssl = required
  ssl_server_ca_file = /etc/lmtp-ca/ca.crt
  ssl_server_cert_file = /etc/lmtp-ca/local.crt
  ssl_server_key_file = /etc/lmtp-ca/private/local.key
  ssl_server_request_client_cert = yes
  # TODO: this should enforce client certs, but it does not work...
  auth_ssl_require_client_cert = yes
  ssl_server_require_crl = no
  log_debug = category=ssl OR category=auth
}
… and /etc/dovecot/conf.d/10-master.conf has:
service lmtp {
  #unix_listener lmtp {
  #  mode = 0666
  #}
  inet_listener lmtp {
    # Accept connections from anywhere, but 20-lmtp.conf configures LMTP to require client certs
    listen = * ::
    port = 24
    inet_listener_ssl = yes
    # TODO: this should enforce client certs, but it does not work...
    auth_ssl_require_client_cert = yes
  }
}
I also tried enabling ssl_server_request_client_cert = yes and auth_ssl_require_client_cert = yes globally, but this did not make a difference.
I already tried looking at the Dovecot source code, but didn't find anything yet. I'm happy for any pointers in the right direction. Thanks,
- Roland
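Added example, not from Roland's post and not Dovecot code: the symptom described above (the TLS handshake completes and LMTP commands are accepted even though the client never presented a certificate) is exactly how a server that only *requests* a client certificate behaves, as opposed to one that *requires* it. The script below shows the difference with OpenSSL's own s_server, where lowercase `-verify` only requests a certificate and uppercase `-Verify` aborts the handshake unless a CA-signed one is presented. Everything it uses is constructed on the fly: a throwaway CA, a server certificate for localhost, a client certificate with the made-up CN `smtp-relay`, and local TCP port 24024, which is assumed to be free. It needs only the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, not Dovecot code): request vs. require
# for TLS client certificates, demonstrated with openssl s_server/s_client.
# Assumptions: the openssl CLI is installed; local TCP port 24024 is free (constructed).
set -eu

WORK=$(mktemp -d)
PORT=24024

issue_cert() {  # issue_cert NAME CN : key + CA-signed certificate as $WORK/NAME.{key,crt}
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
      -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$WORK/$1.crt" -days 1 >/dev/null 2>&1
}

make_pki() {
  # Throwaway CA plus one server and one client certificate (constructed for this demo only).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
      -subj /CN=demo-lmtp-ca -days 1 >/dev/null 2>&1
  issue_cert server localhost
  issue_cert client smtp-relay
}

# tls_handshake MODE CLIENT
#   MODE   : request -> s_server -verify: asks for a client cert, accepts sessions without one
#            require -> s_server -Verify: aborts the handshake unless a CA-signed cert is sent
#   CLIENT : nocert | cert
# Prints "accepted" if the client's TLS session completes, "rejected" if the server aborts it.
tls_handshake() {
  case "$1" in
    request) verify_flag=-verify ;;
    require) verify_flag=-Verify ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
  case "$2" in
    nocert) client_opts="" ;;
    cert)   client_opts="-cert $WORK/client.crt -key $WORK/client.key" ;;
    *) echo "unknown client: $2" >&2; return 2 ;;
  esac
  openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
      -CAfile "$WORK/ca.crt" "$verify_flag" 1 -naccept 1 -quiet >/dev/null 2>&1 &
  server=$!
  sleep 1   # give s_server time to bind the port
  # stdin stays open for one second so that any alert the server sends after the
  # handshake is processed before s_client closes the session on stdin EOF;
  # exit status 0 means the session completed without a TLS error.
  if sleep 1 | openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/ca.crt" \
        $client_opts >/dev/null 2>&1; then
    result=accepted
  else
    result=rejected
  fi
  wait "$server" 2>/dev/null || true
  echo "$result"
}

make_pki
REQUEST_NOCERT=$(tls_handshake request nocert)
REQUIRE_NOCERT=$(tls_handshake require nocert)
REQUIRE_CERT=$(tls_handshake require cert)
echo "request-only server, client without cert:       $REQUEST_NOCERT  (the symptom in the post)"
echo "require server,      client without cert:       $REQUIRE_NOCERT"
echo "require server,      client with CA-signed cert: $REQUIRE_CERT"
rm -rf "$WORK"
```

The same `openssl s_client` invocation the post uses, pointed at the LMTP port, is the equivalent check against the real server: with enforcement in place, a connection that supplies no `-cert`/`-key` must fail at the TLS layer rather than reach the LMTP dialogue, and only a connection presenting a certificate issued by the configured CA should get as far as `LHLO`.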