[Dovecot] SSL Client Certificate Support

Bert Koelewijn bert at rosanneke.com
Wed Oct 1 15:03:53 EEST 2003


Andreas Jaekel wrote:
> Aloha!
> 
> 
> At 12:37 01/10/2003 +0200, Bert Koelewijn wrote:
> 
>> Dear Timo,
>>
>> most modern enterprises make use of a Public Key Infrastructure. It 
>> would be nice to have dovecot check a client certificate instead of a 
>> password. This makes life much easier and more secure.
>> Mail clients like Mozilla and MS Outlook do support this. What do you 
>> think of the following feature request:
>>
>> - Client authenticates with a certificate via SSL. (Like stunnel can)
>> - Dovecot looks the username up in a table with (public key, username)
>> - The mail client gives a name and password, but dovecot ignores them
>> - Dovecot gives the client access by the username found in the table
>>
>> This way existing mail clients can use this system and you can save 
>> your username with an empty password.
> 
> 
> 
> Wouldn't it be much better to take the list of valid usernames from X.509
> extension fields instead of a lookup table?  That way the usernames are
> also verified and trusted information.
> 
> dovecot-auth would then allow the client to log in with any of the
> certified usernames using any arbitrary password, or to additional
> usernames using the correct password.
> 
> Of course, one could also use attribute certificates... :)
> 
> Anyway, one thing to remember might be that a certificate usually
> identifies a person, not an account, so if a lookup table is used it
> should allow the person to have more than one account, and dovecot should
> allow that person into any one of them.  Which one the person wants would
> be indicated by the username given to LOGIN.
> 
> Regards,
>   Andy
> 
>

Yep, you're totally right. In our company everybody has 1 mailbox, then 
one could use X.509 extensions.

Thanks!

Bert
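The authorization logic discussed in this thread, written out as an added example (not code from Dovecot or from either poster). It assumes the TLS layer has already validated the client certificate chain against the enterprise CA and hands the auth step only the result: a fingerprint of the client's public key and the usernames certified in the certificate (e.g. rfc822Name subjectAltName entries). Both schemes from the thread are implemented: the (public key, username) lookup table, which lets one person own several accounts and pick one with the LOGIN username, and Andy's X.509-extension variant; any username not vouched for by the certificate still needs the correct password. The `TlsClientIdentity` class, the table contents, the fingerprint and the passwords are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class TlsClientIdentity:
    """What the TLS layer reports about the client certificate (constructed type)."""
    chain_verified: bool                    # did TLS validate the chain against our CA?
    pubkey_fingerprint: str                 # hex SHA-256 of the SubjectPublicKeyInfo
    certified_usernames: frozenset = field(default_factory=frozenset)  # from X.509 SAN


# Scheme 1: lookup table keyed by public key. One person, several accounts.
# The fingerprint is a constructed placeholder, not a real key.
PUBKEY_TABLE = {
    "ab12" * 16: frozenset({"bert", "postmaster"}),
}

# Password database for accounts the certificate does not vouch for.
# Constructed: a single fixed salt is used here only to keep the example short.
SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


PASSWORD_DB = {
    "shared-inbox": hash_password("correct horse"),
}


def password_ok(username: str, password: str) -> bool:
    """Constant-time password check; unknown users still pay the hashing cost."""
    stored = PASSWORD_DB.get(username)
    candidate = hash_password(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def certified_accounts(identity: TlsClientIdentity, table=PUBKEY_TABLE) -> frozenset:
    """Accounts the client certificate vouches for, under either scheme.

    Nothing is trusted unless the TLS layer actually verified the chain:
    a self-signed certificate carrying someone else's name must count for nothing.
    """
    if not identity.chain_verified:
        return frozenset()
    accounts = set(identity.certified_usernames)                       # X.509 extension scheme
    accounts |= table.get(identity.pubkey_fingerprint, frozenset())    # lookup-table scheme
    return frozenset(accounts)


def authenticate(identity: TlsClientIdentity, login_user: str, login_password: str,
                 table=PUBKEY_TABLE):
    """Return the account to open for this LOGIN, or None to refuse.

    The LOGIN username selects which of the person's accounts to open; the
    password is ignored for certified accounts and required for all others.
    """
    if login_user in certified_accounts(identity, table):
        return login_user
    if password_ok(login_user, login_password):
        return login_user
    return None


if __name__ == "__main__":
    bert = TlsClientIdentity(True, "ab12" * 16)
    print(authenticate(bert, "bert", ""))                 # bert (cert vouches, empty password)
    print(authenticate(bert, "postmaster", ""))           # postmaster (second account, same person)
    print(authenticate(bert, "shared-inbox", "wrong"))    # None (not certified, bad password)
    print(authenticate(bert, "shared-inbox", "correct horse"))  # shared-inbox
    unverified = TlsClientIdentity(False, "ab12" * 16)
    print(authenticate(unverified, "bert", ""))           # None (chain not verified)
```

The `chain_verified` guard is the part that matters in practice: the lookup table and the SAN names are only as trustworthy as the CA validation that precedes them.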
