Hi there,

I am trying to make a paranoid IMAPS/Submission server. I'm running Ubuntu 20.04 with Dovecot 2.3.7.2 (3c910f64b).

I mostly use my mail-server from the LAN/Realm where I have GSSAPI working well for both IMAPS and Submission and most other services But... I would like to be able to configure Dovecot to require mobile ("external") devices to authenticate using client certificates (with different SSL cert superset) instead of 'plain' fallback (if there is no valid Kerberos token/infrastructure).

I have one SSL-certificate for the LAN-solution, but would like to have my self-signed PKI-stuff for the other solution where client certificates are used to authenticate.

So. First of all. Is this a possible scenario?

I'm struggling with the configuration and it seems Dovecot-configs are not accepting different authentication methods for different local listeners for different IPs etc. The only way i can think of getting this up and running is having two separate Dovecot instances (somehow) listening to different ports or even on different server hosts.

What would be neat is if it would be possible to have like:

auth_mechanisms = gssapi ssl :D

But i know that's not how things work. I hope I'm not too unspecific.

Is there any other clever ideas on how to get this use-case configured with the current version of Dovecot?

I am thinking i _might_ be able to do something with stunnel to terminate the PKI authentication and still require normal plain user authentication with login/pass to get the extra security. But it does not feel clean enough.

All good ideas are welcome!

Stay safe!

Kind regards, Joakim Ekblad