[Dovecot] Different settings for SSL/non-SSL protocols
Good time of the day!
Is it possible to set up dovecot with different requirements for SSL and non-SSL protocols? What I would like to do:
pop3/imap without SSL = plain-text authentication allowed. pop3/imap with SSL = plain-text authentication allowed, with a valid SSL client certificate required.
I need to allow access from any IP address for the first group of users, who have valid SSL certificates, and allow access only from local IP addresses for the second group of users, who don't have SSL certificates at all.
I tried to set up dovecot for this task. SSL and non-SSL pop3/imap work together fine, but without requiring valid SSL certificates. If I set auth_ssl_require_client_cert = yes, non-SSL pop3/imap refuses authentication without a valid SSL certificate. I tried using separate protocol pop3 {} and protocol pop3s {} sections (and imap/imaps), but this doesn't seem to work. Is there any way to solve this?
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
Greetings!

On 03.12.2013 17:29, Алексей Прокопчук wrote:
> Good time of the day!
> Is it possible to set up dovecot with different requirements for SSL and non-SSL protocols? What I would like to do:
> pop3/imap without SSL = plain-text authentication allowed. pop3/imap with SSL = plain-text authentication allowed, with a valid SSL client certificate required.

I examined dovecot's behavior with 'auth_ssl_require_client_cert=yes' in detail. Dovecot misinterprets the configuration with these parameters:
ssl = yes
auth_ssl_require_client_cert = yes
If ssl is not 'required', i.e. encryption is not mandatory, then an unencrypted connection is permissible. The 'ssl = required' case is handled separately, when the connection begins. But dovecot answers a client on an unencrypted connection with "Client didn't send a valid SSL certificate". This is wrong, because an unencrypted connection can't carry any certificates at all.
I use dovecot-2.1.16. In auth-request-handler.c I found:
    if (request->set->ssl_require_client_cert && !request->valid_client_cert) {
            /* we fail without valid certificate */
            auth_request_handler_auth_fail(handler, request,
                    "Client didn't present valid SSL certificate");
            return TRUE;
    }
Here it is necessary to check whether the connection is encrypted, and if it is not, the condition should not be triggered. As I said above, the 'ssl = required' case is handled earlier, and in that case we never reach this place in the code.
Dovecot's sources are quite complex, and for now I can't find a way to determine at this place whether the connection is encrypted or not. Can you give me a hint how I can determine it?
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
Greetings!

On 04.12.2013 13:49, Алексей Прокопчук wrote:
> I examined dovecot's behavior with 'auth_ssl_require_client_cert=yes' in detail. Dovecot misinterprets the configuration with these parameters:
> ssl = yes
> auth_ssl_require_client_cert = yes
> If ssl is not 'required', i.e. encryption is not mandatory, then an unencrypted connection is permissible. The 'ssl = required' case is handled separately, when the connection begins. But dovecot answers a client on an unencrypted connection with "Client didn't send a valid SSL certificate". This is wrong, because an unencrypted connection can't carry any certificates at all.
> I use dovecot-2.1.16. In auth-request-handler.c I found:
>     if (request->set->ssl_require_client_cert && !request->valid_client_cert) {
>             /* we fail without valid certificate */
>             auth_request_handler_auth_fail(handler, request,
>                     "Client didn't present valid SSL certificate");
>             return TRUE;
>     }
> Here it is necessary to check whether the connection is encrypted, and if it is not, the condition should not be triggered. As I said above, the 'ssl = required' case is handled earlier, and in that case we never reach this place in the code.

Finally, I found everything that is needed. I patched auth-request-handler.c and now:
Case 1: ssl = yes, auth_ssl_require_client_cert = yes
 - pop3 or imap with SSL enabled, valid certificate present, password correct: success.
 - pop3 or imap with SSL enabled, no valid certificate present: error.
 - pop3 or imap without SSL, password correct: success.
Case 2: ssl = required, auth_ssl_require_client_cert = yes
 - pop3 or imap with SSL enabled, valid certificate present, password correct: success.
 - pop3 or imap with SSL enabled, no valid certificate present: error.
 - pop3 or imap without SSL: error (SSL connection required).
Patch for dovecot-2.1.16 is attached to this message.
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
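The decision the thread is about, written out as a small C model so the two outcome tables above can be checked against the quoted condition and against a corrected one. This is an added illustration, not the poster's patch and not Dovecot's code: the types and function names (ssl_mode_t, auth_settings, auth_conn, auth_decide_original, auth_decide_patched, self_check) are invented here, and the "ssl = required is rejected when the connection begins" step is modelled as a separate early check, as the poster describes, rather than taken from Dovecot's login process.

```c
#include <stdbool.h>

/* Names below (ssl_mode_t, auth_settings, auth_conn, auth_decide_*) are
   invented for this example; they are not Dovecot's identifiers. */

typedef enum { SSL_NO, SSL_YES, SSL_REQUIRED } ssl_mode_t;

typedef struct {
    ssl_mode_t ssl;            /* the "ssl" setting */
    bool require_client_cert;  /* auth_ssl_require_client_cert */
} auth_settings;

typedef struct {
    bool encrypted;          /* the session runs inside TLS */
    bool valid_client_cert;  /* a client certificate was presented and verified */
    bool password_ok;        /* credentials checked out */
} auth_conn;

typedef enum {
    AUTH_OK,
    AUTH_FAIL_SSL_REQUIRED,    /* plaintext refused up front because ssl = required */
    AUTH_FAIL_NO_CLIENT_CERT,  /* "Client didn't present valid SSL certificate" */
    AUTH_FAIL_PASSWORD
} auth_result;

/* ssl = required is enforced when the connection begins, before any
   authentication is attempted, so plaintext sessions never reach the
   certificate check. Plaintext is still allowed under ssl = yes. */
static bool login_allows_plaintext(const auth_settings *set, const auth_conn *c)
{
    return c->encrypted || set->ssl != SSL_REQUIRED;
}

/* The 2.1.16 condition as quoted in the thread: the certificate is
   demanded without asking whether the connection could carry one. */
auth_result auth_decide_original(const auth_settings *set, const auth_conn *c)
{
    if (!login_allows_plaintext(set, c))
        return AUTH_FAIL_SSL_REQUIRED;
    if (set->require_client_cert && !c->valid_client_cert)
        return AUTH_FAIL_NO_CLIENT_CERT;
    return c->password_ok ? AUTH_OK : AUTH_FAIL_PASSWORD;
}

/* The corrected condition: only an encrypted session can present a
   client certificate, so the requirement is enforced only there. */
auth_result auth_decide_patched(const auth_settings *set, const auth_conn *c)
{
    if (!login_allows_plaintext(set, c))
        return AUTH_FAIL_SSL_REQUIRED;
    if (c->encrypted && set->require_client_cert && !c->valid_client_cert)
        return AUTH_FAIL_NO_CLIENT_CERT;
    return c->password_ok ? AUTH_OK : AUTH_FAIL_PASSWORD;
}

/* Replays the outcomes reported for case 1 and case 2 and returns 0 if
   the patched logic reproduces all of them and the original logic shows
   the reported misbehaviour for a plaintext login under ssl = yes. */
int self_check(void)
{
    const auth_settings case1 = { SSL_YES, true };
    const auth_settings case2 = { SSL_REQUIRED, true };
    const auth_conn tls_cert   = { true,  true,  true };
    const auth_conn tls_nocert = { true,  false, true };
    const auth_conn plain      = { false, false, true };

    bool ok = auth_decide_patched(&case1, &tls_cert)   == AUTH_OK
           && auth_decide_patched(&case1, &tls_nocert) == AUTH_FAIL_NO_CLIENT_CERT
           && auth_decide_patched(&case1, &plain)      == AUTH_OK
           && auth_decide_patched(&case2, &tls_cert)   == AUTH_OK
           && auth_decide_patched(&case2, &tls_nocert) == AUTH_FAIL_NO_CLIENT_CERT
           && auth_decide_patched(&case2, &plain)      == AUTH_FAIL_SSL_REQUIRED
           && auth_decide_original(&case1, &plain)     == AUTH_FAIL_NO_CLIENT_CERT;
    return ok ? 0 : 1;
}

int main(void)
{
    return self_check();
}
```

The difference between the two functions is the single `c->encrypted &&` guard; everything else is the same. One caveat worth keeping in mind with the corrected behaviour under ssl = yes: a plaintext login then needs only a password, for any account, including the ones that hold certificates. The certificate requirement protects only the TLS listeners, so the restriction of plaintext access to local addresses that the first message asks for has to come from where the plaintext listeners are reachable, not from this check.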