Enforce LMTP auth with client certs
Hello,
I'm trying to get TLS client cert authentication to work on the LMTP socket via TCP port 24 with Dovecot 2.4. I was already able to get TLS working on the LMTP socket, but if I connect to it via 'openssl s_client' from another machine, and type in a few LMTP commands, Dovecot accepts all mail without requesting a client cert from me. The server running Dovecot is behind a firewall, so LMTP connections should only be possible from the SMTP server in the same local network, not from the whole internet. However I want to guard against possible firewall misconfigs by enforcing client certs between the incoming SMTP server and Dovecot for mail delivery.
Is there a way to do this in Dovecot?
My /etc/dovecot/conf.d/20-lmtp.conf effectively looks like this:
  lmtp_save_to_detail_mailbox = yes
  lmtp_add_received_header = yes

  protocol lmtp {
    mail_plugins {
      sieve = yes
    }
    ssl = required
    ssl_server_ca_file = /etc/lmtp-ca/ca.crt
    ssl_server_cert_file = /etc/lmtp-ca/local.crt
    ssl_server_key_file = /etc/lmtp-ca/private/local.key
    ssl_server_request_client_cert = yes
    # TODO: this should enforce client certs, but it does not work...
    auth_ssl_require_client_cert = yes
    ssl_server_require_crl = no
    log_debug = category=ssl OR category=auth
  }
… and /etc/dovecot/conf.d/10-master.conf has:
  service lmtp {
    #unix_listener lmtp {
    #  mode = 0666
    #}
    inet_listener lmtp {
      # Accept connections from anywhere, but 20-lmtp.conf configures LMTP to require client certs
      listen = * ::
      port = 24
      inet_listener_ssl = yes
      # TODO: this should enforce client certs, but it does not work...
      auth_ssl_require_client_cert = yes
    }
  }
I also tried enabling ssl_server_request_client_cert = yes and auth_ssl_require_client_cert = yes globally, but this did not make a difference.
I already tried looking at the Dovecot source code, but didn't find anything yet. I'm happy for any pointers in the right direction. Thanks,
- Roland
rhi--- via dovecot wrote on 2025-09-29 01:21:
# TODO: this should enforce client certs, but it does not work... auth_ssl_require_client_cert = yes
Why should Dovecot need an auth server? If Dovecot has this, it's not Dovecot that uses it as a client, e.g. outside clients can use it.
As I read it, you want the MTA to do the LMTP auth client?
https://brokkr.net/2019/10/31/lets-do-dovecot-slowly-and-properly-part-3-lmt...
Should be basically it; pay attention to the address.
Hi,
Benny Pedersen:
Why should Dovecot need an auth server? If Dovecot has this, it's not Dovecot that uses it as a client, e.g. outside clients can use it.
I'm not sure I understand what you're trying to say…
As I read it, you want the MTA to do the LMTP auth client?
The MTA (Postfix) should authenticate itself with a TLS client certificate when it connects to Dovecot via LMTP. Dovecot (the LMTP server part) should verify the client cert against a CA certificate before allowing a client to deliver mail via LMTP.
According to <https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_ssl_require_client_cert>:
If yes, authentication fails when a valid SSL client certificate is not provided.
… but in my case it doesn't fail, although it should.
https://brokkr.net/2019/10/31/lets-do-dovecot-slowly-and-properly-part-3-lmt... Should be basically it; pay attention to the address.
Nothing in there says anything about SSL, TLS, or client certificates, so I don't know what point you're trying to make here.
- Roland
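Added example (not from the thread, and not Dovecot's or Postfix's code): a small probe that tests the property Roland describes, namely whether an implicit-TLS LMTP listener on port 24 will accept a recipient when no client certificate is offered. It connects twice, once anonymously and once with the client cert/key, walks the dialogue up to RCPT TO and stops there (never DATA, so nothing is delivered), and compares the two outcomes. Host names, the recipient address, the cert/key paths and the recorded server transcripts are all placeholders made up for the example; the transcripts are constructed and are not real Dovecot output.

```python
"""Probe whether an implicit-TLS LMTP listener enforces TLS client certificates.

Added example, not part of the mailing-list thread or of Dovecot.  Host names,
recipient address and cert/key paths are placeholders.  The probe stops after
RCPT TO and never sends DATA, so no message is delivered.
"""
import io
import socket
import ssl
import sys

LMTP_PORT = 24  # port from the thread; assumed to be implicit TLS (inet_listener_ssl = yes)


def read_reply(rfile):
    """Read one LMTP reply, including '250-' continuation lines -> (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # final line is "NNN text" or bare "NNN"
            break
    return int(line[:3]), lines


def send_cmd(rfile, wfile, cmd):
    """Send one command line and return its reply (code, lines)."""
    wfile.write((cmd + "\r\n").encode("utf-8"))
    wfile.flush()
    return read_reply(rfile)


def lmtp_rcpt_check(rfile, wfile, helo, sender, rcpt):
    """Greeting / LHLO / MAIL FROM / RCPT TO, then RSET and QUIT.

    Returns the RCPT TO reply code (250 means the server would take delivery).
    Works on any file-like pair, so it can also be driven by a recorded transcript.
    """
    code, lines = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {lines}")
    code, lines = send_cmd(rfile, wfile, f"LHLO {helo}")
    if code != 250:
        raise RuntimeError(f"LHLO rejected: {lines}")
    code, lines = send_cmd(rfile, wfile, f"MAIL FROM:<{sender}>")
    if code != 250:
        raise RuntimeError(f"MAIL FROM rejected: {lines}")
    rcpt_code, _ = send_cmd(rfile, wfile, f"RCPT TO:<{rcpt}>")
    send_cmd(rfile, wfile, "RSET")  # abandon the transaction: nothing is delivered
    send_cmd(rfile, wfile, "QUIT")
    return rcpt_code


def probe(host, port=LMTP_PORT, ca_file=None, client_cert=None, client_key=None,
          rcpt="probe@example.test", timeout=10):
    """Connect with implicit TLS, optionally presenting a client certificate.

    Returns ("accepted", 250), ("rejected", <code>) or ("tls-failed", <reason>).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            rfile, wfile = tls.makefile("rb"), tls.makefile("wb")
            code = lmtp_rcpt_check(rfile, wfile, "probe.example.test",
                                   "probe@example.test", rcpt)
    except OSError as exc:  # ssl.SSLError and ConnectionError are both OSError
        # A server that requires a client cert aborts here when none is offered;
        # with TLS 1.3 the failure may surface on the first read, not in wrap_socket.
        return ("tls-failed", str(exc))
    return ("accepted", code) if code == 250 else ("rejected", code)


def verdict(without_cert, with_cert):
    """Combine the anonymous and the certified probe into one conclusion."""
    if without_cert[0] == "accepted":
        return "NOT ENFORCED: delivery accepted with no client certificate"
    if with_cert[0] != "accepted":
        return "BROKEN: the certified client cannot deliver either (check CA/cert/key)"
    return "ENFORCED: rejected without a certificate, accepted with it"


def replay(transcript, rcpt="user@example.test"):
    """Drive lmtp_rcpt_check from a recorded server transcript (offline testing).

    Returns (rcpt_code, bytes the client sent).
    """
    rfile, wfile = io.BytesIO(transcript), io.BytesIO()
    code = lmtp_rcpt_check(rfile, wfile, "probe.example.test", "probe@example.test", rcpt)
    return code, wfile.getvalue()


# Constructed transcripts (made up for this example, not real Dovecot output):
# greeting, multi-line LHLO reply, MAIL, RCPT, RSET, QUIT.
SAMPLE_ACCEPT = (b"220 mail.example.test LMTP ready\r\n"
                 b"250-mail.example.test\r\n250-8BITMIME\r\n250 PIPELINING\r\n"
                 b"250 2.1.0 OK\r\n250 2.1.5 OK\r\n250 2.0.0 OK\r\n221 2.0.0 Bye\r\n")
SAMPLE_REJECT = SAMPLE_ACCEPT.replace(b"250 2.1.5 OK", b"550 5.1.1 No such user")


if __name__ == "__main__":
    # usage: probe_lmtp.py HOST CA.crt client.crt client.key
    host, ca, crt, key = sys.argv[1:5]
    anon = probe(host, ca_file=ca)
    auth = probe(host, ca_file=ca, client_cert=crt, client_key=key)
    print("without cert:", anon)
    print("with cert:   ", auth)
    print(verdict(anon, auth))
```

Run it from the SMTP host and from a machine that should be blocked by the firewall: the setup in the thread is only correct when the anonymous run ends in "tls-failed" or a rejection and the certified run is "accepted". The CA file must be the one that signed the LMTP server's certificate, and that certificate must carry the probed host name as a SAN, otherwise the certified run fails at the TLS layer for an unrelated reason and the verdict reads "BROKEN".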
participants (2): Benny Pedersen, rhi@pengutronix.de