On Thu, 2008-10-23 at 09:54 -0700, Harondel J. Sibble wrote:
> How do I set up mixed authentication so that I can have, say, a couple of machines on my LAN only use SSL without client certs, but have all the other machines connecting remotely be required to have SSL certs to connect to IMAP?
So:
a) If client sent a valid SSL client cert, let it log in.
b) If client didn't send a valid SSL client cert, but it's from a specific network, let it log in.
Right? It's not possible with v1.1, but I just added code to the v1.2 tree that would make it possible: http://hg.dovecot.org/dovecot-1.2/rev/d49aa6720fb2
This would allow you to check the client cert status using the %k variable. Then if you used SQL passdb you could construct a query based on it, e.g. with MySQL:
password_query = select user, password, \
  if('%k' = 'valid', NULL, '192.168.0.0/24') as allow_nets \
  from users where ...
So allow_nets would be set only if a valid client cert hadn't been sent.
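The following is an added, self-contained model of the decision the query above produces; it is not Dovecot's code and not part of the original message. The MySQL IF() is rewritten as CASE so the query runs against an in-memory SQLite table (constructed sample users, not real data), the %k variable is passed in as a bound parameter instead of being expanded by Dovecot, and the value 'invalid' used for the no-cert case is a placeholder (only 'valid' is taken from the message). The allow_nets check models Dovecot's behaviour of rejecting logins whose client address lies outside the listed network.

```python
import hmac
import ipaddress
import sqlite3

# Constructed sample users table for the demonstration (not from the message).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

LAN = "192.168.0.0/24"

# Same logic as the MySQL query in the message, with IF() written as CASE
# because SQLite has no IF(). The first '?' stands in for Dovecot's '%k'.
PASSWORD_QUERY = f"""
SELECT user, password,
       CASE WHEN ? = 'valid' THEN NULL ELSE '{LAN}' END AS allow_nets
FROM users WHERE user = ?
"""


def make_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def passdb_lookup(conn, user, cert_status):
    """Run the passdb query; allow_nets is NULL only when a valid cert was sent."""
    row = conn.execute(PASSWORD_QUERY, (cert_status, user)).fetchone()
    if row is None:
        return None
    return {"user": row[0], "password": row[1], "allow_nets": row[2]}


def login_permitted(conn, user, password, cert_status, client_ip):
    """Model of the passdb decision: the password must match and, when the
    row carries allow_nets, the client address must fall inside that network.
    (Plain-text comparison here; Dovecot verifies against the stored scheme.)"""
    entry = passdb_lookup(conn, user, cert_status)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return False
    if entry["allow_nets"] is None:
        return True  # valid client cert: no network restriction
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry["allow_nets"])


if __name__ == "__main__":
    db = make_db()
    print(login_permitted(db, "alice", "s3cret", "valid", "203.0.113.5"))     # remote, valid cert
    print(login_permitted(db, "alice", "s3cret", "invalid", "192.168.0.10"))  # LAN, no cert
    print(login_permitted(db, "alice", "s3cret", "invalid", "203.0.113.5"))   # remote, no cert
```

Running it shows the three cases from the thread: a remote client with a valid cert and a LAN client without one both get in, while a remote client without a valid cert is refused because allow_nets is set to the LAN range.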