[Dovecot] SSL Client Certificate Support

Andreas Jaekel jaekel at webgods.de
Wed Oct 1 15:32:48 EEST 2003 

At 14:23 01/10/2003 +0200, Bert Koelewijn wrote:
>Bert Koelewijn wrote:
>
>>Andreas Jaekel wrote:
>>
>>>Aloha!
>>>
>>>
>>>At 12:37 01/10/2003 +0200, Bert Koelewijn wrote:
>>>
>>>>Dear Timo,
>>>>
>>>>most modern enterprises make use of a Public Key Infrastructure. It 
>>>>would be nice to have dovecot check a client certificate instead of a 
>>>>password. This makes life much easier and more secure.
>>>>Mail clients like Mozilla and MS Outlook do support this. What do you 
>>>>think of the following feature request:
>>>>
>>>>- Client authenticates with a certificate via SSL. (Like stunnel can)
>>>>- Dovecot looks the username up in a table with (public key, username)
>>>>- The mailclient gives a name and password, but dovecot ignores them
>>>>- Dovecot gives the client access by the username found in the table
>>>>
>>>>This way existing mail clients can use this system and you can save 
>>>>your username with an empty password.
>>>
>>>
>>>
>>>
>>>Wouldn't it be much better to take the list of valid usernames from X.509
>>>extension fields instead of a lookup table?  That way the usernames are also
>>>verified and trusted information.
>>>
>>>dovecot-auth would then allow the client to log in with any of the certified
>>>usernames using any arbitrary password, or to additional usernames using
>>>the correct password.
>>>
>>>Of course, one could also use attribute certificates... :)
>>>
>>>Anyway, one thing to remember might be that a ceritifcate usually identifies
>>>a person, not an account, so if a lookup table is used it should allow
>>>the person to have more than one account, and dovecot should allow that
>>>person into any one of them.  Which one the person wants would be indicated
>>>by the username given to LOGIN.
>>>
>>>Regards,
>>>   Andy
>>>
>>Yep, you're totally right. In our company everybody has 1 mailbox, then 
>>one could use X.509 extensions.
>>Thanks!
>>Bert
>>
>If you don't use a lookup table, you HAVE to implement CRL's! You can make 
>a script to download a new CRL and set it in your cron tabs.
>
>Regards,
>
>Bert
>
Wouldn't it be CA- and config specific how to implement revocation lists?
Maybe dovecot wants to do real time checks via LDAP and use an internal cache
with weekly updates. A cron job would be easiest, thought, and the fastest
way to get there.

I imagine the cert code from Apache could be used to verify certs and
extract X.509 extensions.


Regards,
   Andy

More information about the dovecot mailing list