[Dovecot] Authentication using only TLS client certificates
Hi!
I'd like to configure dovecot to use only TLS client certificates for authentication. After the user presented a client certificate and that certificate was verified, no password-based authentication should be necessary anymore.
Is this currently possible? Or would this require support for the SASL EXTERNAL mechanism?
Regards, Martin
On Fri, 2007-08-24 at 23:57 +0200, Martin Lambers wrote:
> Hi!
> I'd like to configure dovecot to use only TLS client certificates for authentication. After the user presented a client certificate and that certificate was verified, no password-based authentication should be necessary anymore.
> Is this currently possible? Or would this require support for the SASL EXTERNAL mechanism?
Pretty much all clients still want to send username and password. You could have Dovecot get the username from the certificate (ssl_username_from_cert=yes) and allow it to authenticate with any password. Easiest way to do that would be to use a SQL passdb:
password_query = select null as password, 'Y' as nopassword
With a SQLite backend it wouldn't need even a server.
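A configuration sketch of the setup described in the reply above, added here as an example and not part of the original thread. It uses the Dovecot 1.x setting names current when the thread was written (later releases rename some of them); all file paths are assumptions. Because the passdb accepts any password, the client certificate must be required, not just verified when offered, or any connecting client could log in as any user.

```conf
# --- dovecot.conf (Dovecot 1.x syntax; paths are assumed placeholders) ---

ssl_cert_file = /etc/dovecot/ssl/server.crt
ssl_key_file  = /etc/dovecot/ssl/server.key

# CA that issued the client certificates; Dovecot validates presented
# client certificates against it.
ssl_ca_file = /etc/dovecot/ssl/client-ca.pem
ssl_verify_client_cert = yes

# Never let a login happen outside the TLS session that carries the
# certificate.
disable_plaintext_auth = yes

auth default {
  # Clients still send a username and password, so PLAIN stays enabled.
  mechanisms = plain

  # Fail authentication unless a valid client certificate was presented.
  # Without this, the nopassword passdb below accepts anyone.
  ssl_require_client_cert = yes

  # Take the login name from the certificate and ignore the username
  # the client typed.
  ssl_username_from_cert = yes

  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
}

# --- /etc/dovecot/dovecot-sql.conf ---

driver = sqlite
# An empty SQLite database file is enough: the query reads no table.
connect = /etc/dovecot/authdb.sqlite

# Query from the reply above: every lookup succeeds with no password check.
password_query = SELECT NULL AS password, 'Y' AS nopassword
```

This passdb must not be reachable by any service or listener that does not enforce the client-certificate requirement, since it performs no credential check of its own.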
Participants (2): Martin Lambers, Timo Sirainen