Require certificate for external clients
Hi list,
I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting.
However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based).
As far as I know dovecot is not able to operate on multiple ports, as stated in the FAQ 1. The redirect approach, which is also mentioned there, is of no help to me, because in my case I would need a different setup on both ports. Other suggestions 2 won't work in my case either.
I probably could get away with using "imaps" for external clients, while using "imap" (without SSL) for internal ones. Having said this, I don't quite like the idea, especially since the traffic might pass through some potentially insecure networks and I don't want to bother with VPN/SSH tunnels for that purpose. A native SSL/TLS solution would be very much appreciated.
Is there a (recommended) way to do this?
Thanks in advance.
Best regards, Karol Babioch
Quoting Karol Babioch <karol@babioch.de>:
Hi list,
I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting.
However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based).
How about a second front-end? One dovecot-proxy for external users that requires certs, the other is the 'real' machine accessible directly only for internal users.
Rick
On Fri, 27 Feb 2015, Karol Babioch wrote:
I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting.
However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based).
There are local and remote IP blocks in Dovecot; however, I cannot find the Wiki page they are documented on. But see: http://wiki2.dovecot.org/SSL/DovecotConfiguration "local" means to match the local IP of the connection, "remote" matches the remote end, i.e. the client IP address.
You could try to use ssl_require_client_cert as default and add a remote { } block, in which you disable that feature.
Steffen Kaiser
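A concrete sketch of the configuration Steffen describes, added here as an example and not taken from the thread or from the Dovecot documentation. The internal subnet 192.168.1.0/24, the certificate and key paths, and the CA file name are assumptions; the setting names are the Dovecot 2.x ones. The point it adds beyond the reply above is that ssl_require_client_cert alone only makes Dovecot ask for a certificate: ssl_ca is what it is verified against, and ssl = required is what stops the internal subnet from falling back to plaintext.

```conf
# Added example (not from the mailing-list thread).
# Assumed: internal subnet 192.168.1.0/24, Dovecot 2.x syntax, paths below.

# No plaintext IMAP/POP3 at all; STARTTLS or the imaps/pop3s ports only.
ssl = required

# Server certificate and private key (paths assumed).
ssl_cert = </etc/dovecot/certs/imap.example.org.pem
ssl_key  = </etc/dovecot/private/imap.example.org.key

# CA that issued the client certificates. Without this Dovecot requests a
# client certificate but has nothing to validate it against.
ssl_ca = </etc/dovecot/client-ca.pem

# Default for every connection, i.e. anything not matched below:
# the client must present a certificate signed by ssl_ca.
ssl_require_client_cert = yes

# Optional: take the login username from the certificate instead of
# trusting whatever the client types (field defaults to commonName).
#auth_ssl_username_from_cert = yes
#ssl_cert_username_field = commonName

# Override for the trusted subnet (assumed 192.168.1.0/24): TLS is still
# mandatory because of "ssl = required", but password authentication is
# accepted without a client certificate.
remote 192.168.1.0/24 {
  ssl_require_client_cert = no
}
```

Two checks worth running after changing this: `doveconf -n` to confirm the remote block is accepted on your Dovecot version, and a connection from outside the subnet with `openssl s_client -connect imap.example.org:993` (without -cert/-key) which should now be refused at login. The remote match uses the source address Dovecot itself sees, so if a proxy or NAT sits in front of the server every client will appear to come from that box and the override will apply to all of them; with a Dovecot proxy in front, the backend only learns the real client IP if the proxy is listed in login_trusted_networks.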