auth-client via SSL?
Hello,
does dovecot support tls-on-connect for AF INET based auth-client sockets?
Rationale behind my question:
Exim can use the Dovecot auth-client socket to delegate the SMTP-AUTH authentication to Dovecot.
Currently Exim supports the AF UNIX only for this socket. Jeremy makes progress in extending this to use AF INET sockets too.
While it works with clear text communication already, during testing I was to setup the auch-client socket as an TLS server (tls-on-connect). It doesn't seem to work as I'd expect. The socket still offers clear-text only.
Here my configuration snippets regarding this socket
ssl = yes ssl_cert = </etc/dovecot/private/server.pem ssl_key = </etc/dovecot/private/server.pem
service auth {
…
unix_listener auth-client {
group = _exim
mode = 0660
}
inet_listener auth-client {
name = exim
port = 4711
ssl = yes
}
}
SSL connections to :993 work as expected.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Hi, I'm resending this message, still hoping for an answer.
Hello,
does dovecot support tls-on-connect for AF INET based auth-client sockets?
Rationale behind my question:
Exim can use the Dovecot auth-client socket to delegate the SMTP-AUTH authentication to Dovecot.
Currently Exim supports the AF UNIX only for this socket. Jeremy makes progress in extending this to use AF INET sockets too.
While it works with clear text communication already, during testing I was to setup the auch-client socket as an TLS server (tls-on-connect). It doesn't seem to work as I'd expect. The socket still offers clear-text only.
Here my configuration snippets regarding this socket
ssl = yes ssl_cert = </etc/dovecot/private/server.pem ssl_key = </etc/dovecot/private/server.pem
service auth {
…
unix_listener auth-client {
group = _exim
mode = 0660
}
inet_listener auth-client {
name = exim
port = 4711
ssl = yes
}
}
SSL connections to :993 work as expected.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
On 4.2.2020 13.46, Heiko Schlittermann wrote:
Hi, I'm resending this message, still hoping for an answer.
Hello,
does dovecot support tls-on-connect for AF INET based auth-client sockets?
Rationale behind my question:
Exim can use the Dovecot auth-client socket to delegate the SMTP-AUTH authentication to Dovecot.
Currently Exim supports the AF UNIX only for this socket. Jeremy makes progress in extending this to use AF INET sockets too.
While it works with clear text communication already, during testing I was to setup the auch-client socket as an TLS server (tls-on-connect). It doesn't seem to work as I'd expect. The socket still offers clear-text only.
Here my configuration snippets regarding this socket
ssl = yes ssl_cert = </etc/dovecot/private/server.pem ssl_key = </etc/dovecot/private/server.pem
service auth { … unix_listener auth-client { group = _exim mode = 0660 } inet_listener auth-client { name = exim port = 4711 ssl = yes } }
SSL connections to :993 work as expected.
Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann
Hi!
This is not (yet) implemented. You can probably workaround with haproxy / stunnel for now.
Aki
Hi Aki,
thank you for answering.
Aki Tuomi <aki.tuomi@open-xchange.com> (Mi 05 Feb 2020 07:59:55 CET):
does dovecot support tls-on-connect for AF INET based auth-client sockets? inet_listener auth-client { name = exim port = 4711 ssl = yes } }
Interestingly enough, dovecot didn't complain about an unknown option or about ssl not being supported here.
This is not (yet) implemented. You can probably workaround with haproxy / stunnel for now.
So I did, yes. I used to use socat.
-- Heiko
participants (2)
-
Aki Tuomi
-
Heiko Schlittermann