Folks, I'm trying to configure my dovecot installation to require client certificates for external/Internet connections, while still allowing my local network to not need certificates.
This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've tried to use the "remote" block to give different definitions for my local network vs the defaults. While most options seem to be set fine, if I set "auth_ssl_require_client_cert" to yes as the default, and reset it to no for my local network, dovecot still requests a client certificate and fails as one is not supplied.
Am I correct that it can be reset in a "remote" block, or is it treated differently to other options? In fact, do I have the configuration correct, as there doesn't really seem to be anything documenting "remote" or "remote_ip" or related items for Dovecot 2?
Related to this, much of the documentation states that the variable is "ssl_require_client_cert", which seems to be accepted but ignored, vs "auth_ssl_require_client_cert", which does have some effect.
Also, in the configuration dump, it duplicates the netmask.
The configuration is below, as generated with "dovecot -n".
Regards,
Frank
# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
auth_ssl_require_client_cert = yes
mail_location = maildir:/var/spool/maildir/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@crawford.emu.id.au
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %v.%u
}
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote 2001:44b8:62:140::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
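One way to see, from a host on each network, whether the server really sends a TLS CertificateRequest (the behaviour the post describes) is to look at what `openssl s_client` reports. The script below is an added example, not part of the original post; it assumes OpenSSL's s_client text output (which prints "Acceptable client certificate CA names" when the server asked for a client certificate and "No client certificate CA names sent" when it did not) and that IMAPS is on port 993. The sample output it parses is constructed for the demo.

```shell
#!/bin/sh
# Classify `openssl s_client` output read on stdin as one of:
#   requested      - server sent a CertificateRequest (client cert wanted)
#   not-requested  - handshake completed without asking for a client cert
#   unknown        - neither marker seen (e.g. connection refused, ssl = no)
client_cert_requested() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Probe a live server: probe HOST [PORT]. Run this once from the LAN and once
# from outside to compare what each "remote" block actually yields.
probe() {
    host=$1
    port=${2:-993}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | client_cert_requested
}

# Constructed sample of s_client output from a server that requests a client
# certificate (abbreviated; only the marker line matters to the parser).
SAMPLE_REQUESTED='CONNECTED(00000003)
---
Acceptable client certificate CA names
C = AU, O = Example CA, CN = Example Root
---
SSL handshake has read 2048 bytes and written 400 bytes'

# Constructed sample from a server that does not request one.
SAMPLE_NOT_REQUESTED='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1900 bytes and written 380 bytes'

demo() {
    printf 'requested sample:     %s\n' "$(printf '%s\n' "$SAMPLE_REQUESTED" | client_cert_requested)"
    printf 'not-requested sample: %s\n' "$(printf '%s\n' "$SAMPLE_NOT_REQUESTED" | client_cert_requested)"
}
```

Use `probe imap.example.org` on a LAN host and again from an external host; a "requested" result from the LAN means the remote block is not taking effect for the client-certificate request.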