Greetings

On 03.12.2013 17:29, Алексей Прокопчук wrote:
Good time of the day!
Is it possible to set up dovecot with different requirements for SSL and non-SSL protocols? What I would like to do:

pop3/imap non-SSL = plain text authentication allowed.
pop3/imap with SSL = plain text authentication allowed, with a valid SSL certificate required.

I examined dovecot's behavior with 'auth_ssl_require_client_cert=yes' in detail. Dovecot misinterprets the configuration in the case with these parameters:

    ssl = yes
    auth_ssl_require_client_cert = yes

If ssl is not equal to 'required', i.e. not strictly required, then an unencrypted connection is permissible. The case 'ssl = required' is processed separately when the connection begins. But dovecot answers a client on an unencrypted connection with "Client didn't sent a valid SSL certificate". This is wrong, because on an unencrypted connection there can't be any certificates at all.
I use dovecot-2.1.16. In auth-request-handler.c I found:
    if (request->set->ssl_require_client_cert &&
        !request->valid_client_cert) {
        /* we fail without valid certificate */
        auth_request_handler_auth_fail(handler, request,
            "Client didn't present valid SSL certificate");
        return TRUE;
    }
Here there needs to be a check for an encrypted connection, and if the connection is not encrypted, the condition should not be triggered. And as I said above, the case with 'ssl = required' is processed earlier, and in that case we don't get to this place in the code.
Dovecot's sources are quite complex, and for now I can't find a way to determine at this place whether the connection is encrypted or not. Can you give me a hint how I can determine it?
Thanks for your attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
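The decision the message argues for, written out as a small model in C. This is an added example, not part of the original message and not dovecot's own code; the enum, the `secured` flag and the function names are assumptions made for illustration, and the "original" variant reproduces only the condition quoted from auth-request-handler.c above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not dovecot's code): models the ssl / auth_ssl_require_client_cert
 * decision described in the message. Names are assumptions, not dovecot's. */

enum ssl_mode { SSL_NO, SSL_YES, SSL_REQUIRED };

enum auth_verdict {
    AUTH_CONTINUE,            /* proceed with normal (e.g. plain text) authentication */
    AUTH_FAIL_NOT_ENCRYPTED,  /* ssl=required but connection is plaintext; rejected early */
    AUTH_FAIL_NO_CLIENT_CERT  /* TLS connection without a valid client certificate */
};

/* Condition as quoted from auth-request-handler.c: the certificate check does not
 * look at whether the connection is encrypted at all. */
enum auth_verdict check_auth_original(enum ssl_mode mode, bool require_client_cert,
                                      bool secured, bool valid_client_cert)
{
    /* 'ssl = required' is handled when the connection begins, before this point. */
    if (mode == SSL_REQUIRED && !secured)
        return AUTH_FAIL_NOT_ENCRYPTED;
    if (require_client_cert && !valid_client_cert)
        return AUTH_FAIL_NO_CLIENT_CERT;
    return AUTH_CONTINUE;
}

/* The same check with the missing encryption test: a client certificate can only
 * exist on a TLS connection, so the requirement applies only when 'secured' is set.
 * 'secured' stands for whatever the real code uses to know the connection is TLS. */
enum auth_verdict check_auth(enum ssl_mode mode, bool require_client_cert,
                             bool secured, bool valid_client_cert)
{
    if (mode == SSL_REQUIRED && !secured)
        return AUTH_FAIL_NOT_ENCRYPTED;
    if (secured && require_client_cert && !valid_client_cert)
        return AUTH_FAIL_NO_CLIENT_CERT;
    return AUTH_CONTINUE;
}

static const char *verdict_name(enum auth_verdict v)
{
    switch (v) {
    case AUTH_CONTINUE:            return "continue";
    case AUTH_FAIL_NOT_ENCRYPTED:  return "fail: not encrypted";
    case AUTH_FAIL_NO_CLIENT_CERT: return "fail: no valid client cert";
    }
    return "?";
}

int main(void)
{
    /* Constructed cases for the configuration in the message: ssl=yes,
     * auth_ssl_require_client_cert=yes, plus the ssl=required case. */
    struct { enum ssl_mode mode; bool secured, cert; const char *label; } cases[] = {
        { SSL_YES,      false, false, "ssl=yes, plaintext connection" },
        { SSL_YES,      true,  false, "ssl=yes, TLS, no client cert" },
        { SSL_YES,      true,  true,  "ssl=yes, TLS, valid client cert" },
        { SSL_REQUIRED, false, false, "ssl=required, plaintext connection" },
    };
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-38s original: %-28s fixed: %s\n", cases[i].label,
               verdict_name(check_auth_original(cases[i].mode, true, cases[i].secured, cases[i].cert)),
               verdict_name(check_auth(cases[i].mode, true, cases[i].secured, cases[i].cert)));
    }
    return 0;
}
```

The first row is the case the message complains about: with the quoted condition a plaintext connection under ssl=yes is refused for lacking a certificate it could never have presented, while with the encryption test added it falls through to ordinary authentication, and the TLS rows keep their certificate requirement unchanged.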