(Please CC me if possible.)
I have Dovecot 2.2.13 (shipped with Debian 8 "Jessie") serving IMAP for a small organization. It's connected both to the Internet and to that organization LAN.
I'd like to have Dovecot has rather tight security requirements for connections made from the Internet and reasonably laxed requirements for the LAN clients.
Due to Dovecot authenticating users against a LDAP database which is also used for logging into the users' machines, we have to use somewhat weak passwords (randomly generated but short) for most users.
Because of this I want to:
- Mandate the usage of TLS for the connections made from Internet;
- Require the clients to present their SSL certificates, and
- Verify the validity of these certificates.
The certificates are issued by our own CA, so it's not a problem to verify them.
The first iteration was to set
ssl = required
and
disable_plaintext_auth = yes
which I then overrode with a "remote" section for LAN connections:
remote 192.168.0.0/16 { disable_plaintext_auth = no ssl = yes }
The next iteration was to actually enable verification of the client certificates.
I have set the "ssl_ca" variable appropriately, then
ssl_require_crl = yes ssl_verify_client_cert = yes
and
auth_ssl_require_client_cert = yes
Then I went on and attempted to override the latter two settings for the LAN clients by appending them to my special "remote" section to it read:
remote 192.168.0.0/16 { disable_plaintext_auth = no ssl = yes ssl_verify_client_cert = no auth_ssl_require_client_cert = no }
But after restart Dovecot complained that I cannot use the "auth_ssl_require_client_cert" setting in a "remote" section.
I have removed it in the hope that still having
ssl_verify_client_cert = no
there would inhibit SSL certificate checks for the LAN clients but apparently it did not.
So, to recap:
I need to have tight TLS settings for the clients connecting from the Internet:
- TLS is required;
- The client must present a valid certificate (issued by a CA we control).
LAN clients should use relaxed security settings: TLS is okay but that's all.
How do I go about setting this?
(On a side note, I can supposedly get away installing stunnel and making it proxy IMAP and IMAPS connections to Dovecot -- at least from the documentation, it appears stunnel supports IMAP+STARTTLS, -- but I would rather have all this handled solely by Dovecot.)