[Dovecot] Different SSL requirements for connections on different ports?
Hi All,
I'm running dovecot 2.0.19.
I currently have remote users accessing mail using IMAP over SSL, with their client certificates being both required and verified. I do this using "ssl = required" and "ssl_verify_client_cert = yes".
I would now like to add a webmail front-end (squirrelmail) running on the same server. In order to achieve this I would like to have squirrelmail connecting locally using IMAP, but without the certificate requirement. I'm happy to use the standard IMAP port for this, since that port is firewalled so that only localhost has access.
Do I need to run two separate dovecot instances in order to achieve this, or can I somehow configure different SSL requirements for the two ports? Is there a way to have the ssl directives I mention above active only for a certain port (or for certain hosts, i.e. non-local?)
I've been looking around in the documentation, but I haven't yet worked out how to do this other than by having two separate dovecot instances running, with the different auth configurations. Is that the best approach, or can I get it working with only one instance?
Thanks for any help!
-- Bill Gallafent.
On Tue, 2012-05-29 at 15:09 +0100, William Gallafent wrote:
Hi All,
I'm running dovecot 2.0.19.
I currently have remote users accessing mail using IMAP over SSL, with their client certificates being both required and verified. I do this using "ssl = required" and "ssl_verify_client_cert = yes".
And I guess you also have auth_ssl_require_client_cert=yes.
I would now like to add a webmail front-end (squirrelmail) running on the same server. In order to achieve this I would like to have squirrelmail connecting locally using IMAP, but without the certificate requirement. I'm happy to use the standard IMAP port for this, since that port is firewalled so that only localhost has access.
Do I need to run two separate dovecot instances in order to achieve this, or can I somehow configure different SSL requirements for the two ports? Is there a way to have the ssl directives I mention above active only for a certain port (or for certain hosts, i.e. non-local?)
You could work around ssl=required by setting the webmail's IP to login_trusted_networks, but it won't get around requiring a valid SSL cert. For that you'd need to put it inside a remote <IP> {} block, but unfortunately you can't currently change auth settings for specific IPs. So for now you'd need to run two Dovecot instances.
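A constructed sketch of the two-instance layout Timo describes (added here as an illustration, not configuration from the thread or from the Dovecot project): the public instance keeps the client-certificate requirement on 993, while a second instance with its own base_dir listens only on 127.0.0.1:143 for the webmail. The address, certificate paths and file names are placeholders; mail_location, passdb and userdb would be identical in both files and are omitted.

```conf
# /etc/dovecot/dovecot.conf  -- public instance (constructed example)
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0                       # plain IMAP disabled on this instance
  }
  inet_listener imaps {
    address = 203.0.113.10         # placeholder public address
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.org.pem      # placeholder paths
ssl_key = </etc/ssl/private/mail.example.org.key
ssl_ca = </etc/ssl/certs/client-ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

# /etc/dovecot/dovecot-local.conf -- loopback-only instance for squirrelmail
# started separately with:  dovecot -c /etc/dovecot/dovecot-local.conf
base_dir = /var/run/dovecot-local/  # separate sockets and pid file so the two don't collide
protocols = imap
service imap-login {
  inet_listener imap {
    address = 127.0.0.1            # never bound to an external interface
    port = 143
  }
  inet_listener imaps {
    port = 0                       # no TLS listener on this instance
  }
}
ssl = no
# No client-certificate settings here: exposure is limited by the 127.0.0.1 bind
# and the host firewall the original poster already has on port 143.
```

Both instances open the same mailboxes, which is why the later replies about a shared (possibly NFS) mail store apply to this layout.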
On 29/05/2012 16:55, Timo Sirainen wrote:
On Tue, 2012-05-29 at 15:09 +0100, William Gallafent wrote:
I would now like to add a webmail front-end (squirrelmail) running on the same server. In order to achieve this I would like to have squirrelmail connecting locally using IMAP, but without the certificate requirement.
Do I need to run two separate dovecot instances in order to achieve this, or can I somehow configure different SSL requirements for the two ports?
for now you'd need to run two Dovecot instances.
[Keen to do the same thing.] I guess those two Dovecot instances could run either on (a) the same machine, or (b) different machines - though using a network-visible mail storage location.
Does this dual-Dovecot solution become problematic if the mail storage location is NFS? I'm aware of the cautions regarding NFS access from two different machines (case (b), here). If these two Dovecot instances were on the same machine (case (a)) but which nevertheless used an NFS mail storage location, would we then also hit the NFS dual-access problem from this single machine running the two instances?
Ron
On 29.5.2012, at 20.17, Ron Leach wrote:
On 29/05/2012 16:55, Timo Sirainen wrote:
On Tue, 2012-05-29 at 15:09 +0100, William Gallafent wrote:
I would now like to add a webmail front-end (squirrelmail) running on the same server. In order to achieve this I would like to have squirrelmail connecting locally using IMAP, but without the certificate requirement.
Do I need to run two separate dovecot instances in order to achieve this, or can I somehow configure different SSL requirements for the two ports?
for now you'd need to run two Dovecot instances.
[Keen to do the same thing.] I guess those two Dovecot instances could run either on (a) the same machine, or (b) different machines - though using a network-visible mail storage location.
Yes.
Does this dual-Dovecot solution become problematic if the mail storage location is NFS? I'm aware of the cautions regarding NFS access from two different machines (case (b), here).
Yes, NFS will cause trouble in that kind of a setup.
If these two Dovecot instances were on the same machine (case (a)) but which nevertheless used an NFS mail storage location, would we then also hit the NFS dual-access problem from this single machine running the two instances?
If there is a single NFS mountpoint used by both Dovecots, there won't be a problem since there is only one kernel accessing and caching it. (I'm not entirely sure if there's a problem with more than one mountpoint, might be.) Dovecot itself doesn't internally have a problem with multiple Dovecot instances accessing the same files, regardless of where they are stored.