Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth
Hi there,
As of Dovecot 2.2.9, it's possible to enable passwordless authentication using client certificates [1]:
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_username_from_cert = yes
(Password checking can be bypassed by returning the extra fields ‘password= nopassword’ in the passdb when the variable ‘%k’ expands to "valid".)
However, this requires the server admin to set up a PKI. Having a variable %{x509} expanding to the X.509 client cert in Dovecot-auth would remove such hassle and instead provide a way to manage authorized clients in the fashion of OpenSSH's ‘authorized_keys’.
Postfix has a similar configuration option: relay_clientcerts [2]. There, the keys for the lookup table can be either client cert fingerprints or public key fingerprints (the digest algorithm can be configured with smtpd_tls_fingerprint_digest). I can't see why %{x509} should digest the certificate and not merely PEM-encode it, but having another %{pubkey} variable expanding to the (PEM-encoded) cert's SubjectPublicKeyInfo block would surely be useful :-)
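As an added illustration (not code from the original post or from Dovecot/Postfix), the two lookup keys compared above, the certificate fingerprint and the SubjectPublicKeyInfo fingerprint, can already be derived from a PEM client cert with the openssl CLI and checked against an authorized_keys-style table; the table format ("<sha256 hex> <username>" per line) and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: derive the certificate
# fingerprint and the SubjectPublicKeyInfo (public key) fingerprint of a
# PEM client certificate, then authorize the client against a table.
# Assumed table format (constructed): "<sha256 hex> <username>" per line.

# SHA-256 over the DER-encoded certificate, i.e. the cert fingerprint
# that a relay_clientcerts-style table can use as its key.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo block (the public key
# fingerprint); it survives a certificate renewal that keeps the same key.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Look a fingerprint up in the table: print the mapped user and return 0,
# or return 1 when the client is not authorized.
lookup_client() {
    awk -v fp="$1" '$1 == fp { print $2; found = 1 } END { exit !found }' "$2"
}

# Usage (assumed script name): ./check_client.sh client.pem authorized_clients
main() {
    cert=$1; table=$2
    cf=$(cert_fingerprint "$cert")
    pf=$(spki_fingerprint "$cert")
    echo "cert fingerprint: $cf"
    echo "spki fingerprint: $pf"
    # Prefer the key fingerprint, fall back to the cert fingerprint.
    if user=$(lookup_client "$pf" "$table") || user=$(lookup_client "$cf" "$table"); then
        echo "authorized as $user"
    else
        echo "not authorized" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```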
I wonder if there are other folks interested in having the client cert available in the passdb.
Thanks, cheers,
Guilhem.
[1] http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verific...
[2] http://www.postfix.org/postconf.5.html#relay_clientcerts