Frank Crawford <frank <at> crawford.emu.id.au> writes:

I'm trying to configure my dovecot installation to require client certificates for external/Internet connections, while still allowing my local network to not need certificates.

Exactly the same problem here on exactly the same platform (F-14), although I used a slightly different config directives (local <remoteIP>).

First, the docs for dovecot 2 don't mention auth_ssl_require_client_cert at all. However, it seems to be important.

Second, if I set the above three for external IP, one can still log in (after being prompted for the client cert) by cancelling on the client side. It just goes straight through, no cert required.

On the other hand, if I put those three in the global section but then turn them off in local <localIP>, then local clients get asked for cert no matter what. Any client that doesn't have a valid client cert will fail.

So, this part of dovecot 2 is buggy. I tried downgrading back to 2.0.1. Same result.

With dovecot 1 in F-13 I could at least run two daemons side by side easily. Not possible any more, it seems (pid location hardcoded).

-- Bojan

Oh well, since I didn't get a response to this query, I might try a related one.

What is the definition for the "remote" command, where should it be used and what commands can be used within it?

Is it documented anywhere?

This is for dovecot 2.0.8, with a configuration as listed below.

Thanks Frank

On Sun, 2010-12-19 at 13:12 +1100, Frank Crawford wrote:

Folks, I'm trying to configure my dovecot installation to require client certificates for external/Internet connections, while still allowing my local network to not need certificates.

This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've tried to use the "remote" block to give different definitions for my local network vs the defaults. While most options seem to be set fine, if I set "auth_ssl_require_client_cert" to yes as the default, and reset it to no for my local network, dovecot still requests a client certificate and fails as one is not supplied.

Am I correct that it can be reset in a "remote" block, or is it treated differently to other options? In fact do I have the configuration correct, as there doesn't really seem to be anything documenting "remote" or "remote_ip" or related items for Dovecot 2.

Related to this, much of the documentation states that the variable is "ssl_require_client_cert", seems to be accepted by ignored, vs "auth_ssl_require_client_cert" which does have some effects.

Also, in the configuration dump, it duplicates the netmask.

The configuration is below, as generated with "dovecot -n".

Regards Frank

# 2.0.8: /etc/dovecot/dovecot.conf # OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4 auth_ssl_require_client_cert = yes mail_location = maildir:/var/spool/maildir/%u managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mbox_write_locks = fcntl passdb { driver = pam } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } postmaster_address = postmaster@crawford.emu.id.au ssl = required ssl_ca = </etc/pki/CA/cacert.pem ssl_cert = </etc/pki/tls/certs/dovecot.crt ssl_key = </etc/pki/tls/private/dovecot.key ssl_verify_client_cert = yes userdb { driver = passwd } protocol pop3 { pop3_uidl_format = %v.%u } remote 203.16.204.0/24/24 { auth_ssl_require_client_cert = no disable_plaintext_auth = no ssl = no ssl_verify_client_cert = no } remote fdd2:7aad:d478:1::/64/64 { auth_ssl_require_client_cert = no disable_plaintext_auth = no ssl = no ssl_verify_client_cert = no } remote 2001:44b8:62:140::/64/64 { auth_ssl_require_client_cert = no disable_plaintext_auth = no ssl = no ssl_verify_client_cert = no }