[Dovecot] require SSL certs only for encrypted connections?
# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.28-14-server x86_64 Ubuntu 9.04
Here's the situation: I have several local clients (Thunderbird) which do not use TLS at all. It's plaintext completely, on port 143, because the connection is local and there are no unauthorized users on this network (it's a home network). I want to keep it that way to keep things simple.
Tools / Account Settings / Server Settings:
  Use Secure Connection: Never
  Use Secure Authentication: unchecked
Until now, this has worked very well. No problems so far.
But now I am also setting up IMAPS for remote iPhone clients, with client/server certificates. This is how I generated the certs:
http://impetus.us/~rjmooney/projects/misc/clientcertauth.html
On the iPhone I uploaded the client.crt file (couldn't import client.p12 for some reason). For Dovecot I am using ca.crt, server.crt and server.key.
ssl_listen: *:993
ssl_disable: no
ssl_ca_file: /blah/ca.crt
ssl_cert_file: /blah/server.crt
ssl_key_file: /blah/server.key
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_cert_username_field: commonName
ssl_verify_client_cert: yes
disable_plaintext_auth: no
auth default:
  mechanisms: plain login
  ssl_require_client_cert: no
  ssl_username_from_cert: no
I analyzed the connection on 993 with Wireshark and apparently all is good: it's encrypted, I see the certificate exchanges taking place.
But I am worried about authenticating the connections from the iPhone and I would like to configure "ssl_require_client_cert: yes" so that a valid certificate is always required. But if I do that then Thunderbird fails to login because it's required to present a certificate.
This is puzzling. I thought that setting would only influence SSL connections. But apparently it also affects plaintext logins from Thunderbird.
Is there a way to require a cert from the iPhone TLS connections on port 993, but do not require it from clients connecting to port 143?
-- Florin Andrei
On Thu, 2009-08-20 at 18:30 -0700, Florin Andrei wrote:
# 1.1.11: /etc/dovecot/dovecot.conf .. Is there a way to require a cert from the iPhone TLS connections on port 993, but do not require it from clients connecting to port 143?
Not that easily.. A few possibilities:
a) Run two different Dovecots with two different config files.
b) Upgrade to v1.2 and use SQL passdb and check %c and %k variables. http://wiki.dovecot.org/Variables
Hmm. Maybe the setting could have a new "with-ssl" option or something..
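As an added illustration of option (b), not part of the original thread or of Dovecot's own documentation: a v1.2-style configuration that leaves ssl_require_client_cert off in the login process and moves the "certificate or LAN" decision into a SQL passdb query. It assumes a MySQL backend, a table named users with columns userid and password, CRYPT password hashes, and that the trusted LAN is 192.168.0.0/16; all of those are assumptions chosen for the example. %k expands to "valid" only when the client presented a certificate that verified against ssl_ca_file, and %r is the remote IP.

```conf
# dovecot.conf (v1.2 syntax). A certificate is requested on every TLS
# connection but its absence is not fatal in the login process; the
# passdb query below makes the decision instead.
ssl_verify_client_cert = yes
disable_plaintext_auth = no

auth default {
  mechanisms = plain login
  ssl_require_client_cert = no
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb passwd {
  }
}

# /etc/dovecot/dovecot-sql.conf (assumed backend, table and columns)
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=secret
default_pass_scheme = CRYPT
# Accept the login only if the client proved a certificate (%k = valid)
# or connected from the 192.168.0.0/16 LAN. The LIKE prefix match covers
# exactly that /16; %% is Dovecot's escape for a literal % in the query.
password_query = SELECT password FROM users WHERE userid = '%u' AND ('%k' = 'valid' OR '%r' LIKE '192.168.%%')
```

Two points worth checking after deploying this. First, the same query also refuses a plaintext login on port 143 from outside the LAN (empty %k, non-LAN %r), so an exposed 143 no longer bypasses the certificate requirement, although the firewall should still block it. Second, verify the behaviour from a remote host with openssl s_client: a session started with `openssl s_client -connect host:993 -CAfile ca.crt` and no `-cert`/`-key` must get a NO on LOGIN, while the same session with `-cert client.crt -key client.key` must get OK.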
Timo Sirainen wrote:
Hmm. Maybe the setting could have a new "with-ssl" option or something..
That would be awesome. If I'm not mistaken, it's a pretty common situation to use certs on SSL but not require them on non-SSL. Kind of makes sense to me at least.
Any chance to add something like this to the 1.1 series?
-- Florin Andrei
On Thu, 2009-08-27 at 14:30 -0700, Florin Andrei wrote:
Timo Sirainen wrote:
Hmm. Maybe the setting could have a new "with-ssl" option or something..
That would be awesome. If I'm not mistaken, it's a pretty common situation to use certs on SSL but not require them on non-SSL. Kind of makes sense to me at least.
Actually I don't really think this is useful. Even in your use case you don't really want to require it with SSL connections, you want to require it for connections outside from your intranet. A better way would be to just do something like:
ssl_require_client_cert = yes
remote_ip 192.168.0.0/16 {
  ssl_require_client_cert = no
}
That's almost possible in v2.0.
Timo Sirainen wrote:
On Thu, 2009-08-27 at 14:30 -0700, Florin Andrei wrote:
Timo Sirainen wrote:
Hmm. Maybe the setting could have a new "with-ssl" option or something..
That would be awesome. If I'm not mistaken, it's a pretty common situation to use certs on SSL but not require them on non-SSL. Kind of makes sense to me at least.
Actually I don't really think this is useful. Even in your use case you don't really want to require it with SSL connections, you want to require it for connections outside from your intranet. A better way would be to just do something like:
ssl_require_client_cert = yes
remote_ip 192.168.0.0/16 {
  ssl_require_client_cert = no
}
That's almost possible in v2.0.
"Almost"? :-)
I would go through the trouble of packaging up Dovecot 2.0 for Ubuntu and upgrading it on my server, if it truly worked.
-- Florin Andrei
On Tue, 2009-09-22 at 10:02 -0700, Florin Andrei wrote:
ssl_require_client_cert = yes
remote_ip 192.168.0.0/16 {
  ssl_require_client_cert = no
}
That's almost possible in v2.0.
"Almost"? :-)
Well, the problem is that this setting is checked by both auth process and login process. Login process can handle it, auth process can't. Hmm. A few possibilities:
Remove the check from auth process. It's probably not that useful. Then again it adds an extra layer of security. Hmm.
Implement per-IP settings for auth process. Some day.. :)
You can probably already kludge around it:
ssl_require_client_cert = no
protocol imap {
  ssl_require_client_cert = yes
  remote_ip 192.168.0.0/16 {
    ssl_require_client_cert = no
  }
}
Timo Sirainen wrote:
On Thu, 2009-08-20 at 18:30 -0700, Florin Andrei wrote:
# 1.1.11: /etc/dovecot/dovecot.conf .. Is there a way to require a cert from the iPhone TLS connections on port 993, but do not require it from clients connecting to port 143?
Not that easily.. A few possibilities:
a) Run two different Dovecots with two different config files.
I'll try and figure out this one. Hopefully there's an easy way to do it, and hopefully the two instances won't create conflicts.
Ubuntu 9.04 (which is the current latest) comes with v1.1.11 and I want to keep the admin effort at a minimum (I manage the system in my spare time - which is pretty scarce), so compiling / installing other versions is not desirable.
-- Florin Andrei
participants (2): Florin Andrei, Timo Sirainen