[Dovecot] Dovecot and SSL certificates

M.-A. Lemburg mal at egenix.com
Mon Jul 31 13:11:31 EEST 2006


Hello,

we're running RC2 and seeing a problem with the way SSL certs
are handled by Dovecot.

We've set ssl_verify_client_cert=yes and ssl_require_valid_client_cert=no.

Using this setup we get (rather interesting) log entries like these:

Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Login: user=...

When setting ssl_require_valid_client_cert=yes, logins always
fail with:

Jul 31 11:57:54 dev dovecot: auth(default): PLAIN(?,...): Client didn't present
valid SSL certificate

Are we doing something wrong, or is dovecot mixing up something
while checking the certificates?

Note that the certificates are all valid and have not expired.
The <user cert> is signed by the <CA cert> and we set
ssl_ca_file to the CA certificate PEM file.

Ideally, we'd like to only accept login requests from users who
have a valid certificate signed by our CA. Even better would be
an approach such as the one taken by Postfix where you have
to provide a list of valid MD5 hash sums for the users you'd
like to accept.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com



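The log pattern quoted in the mail (the same certificate first reported "Invalid" and then "Valid" before the "Login:" line) is what an operator would want to audit. As an added example, not part of the original post or of Dovecot itself, here is a small log check that walks imap-login lines in order, records the last verdict seen for each certificate before a login, and flags logins where any certificate's final verdict was not "Valid" or no certificate was checked at all. The sample lines are constructed from the post; treating consecutive lines as one session is an assumption, since the quoted lines carry no PID to group on.

```python
import re

# Constructed sample mirroring the sequence quoted in the mail (no real certs).
SAMPLE_LOG = """\
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Invalid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <CA cert>
Jul 31 11:21:23 dev dovecot: imap-login: Valid certificate: <user cert>
Jul 31 11:21:23 dev dovecot: imap-login: Login: user=alice
Jul 31 11:25:02 dev dovecot: imap-login: Invalid certificate: <user cert>
Jul 31 11:25:02 dev dovecot: imap-login: Login: user=bob
"""

# Matches either a certificate verdict line or a Login line from imap-login.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dovecot: imap-login: "
    r"(?:(?P<verdict>Valid|Invalid) certificate: (?P<subject>.+)"
    r"|Login: user=(?P<user>\S+))$"
)


def audit_logins(log_text):
    """Walk the log in order; each 'Login:' line closes the verification
    lines that preceded it (assumption: lines of one session are adjacent).
    Returns a list of (user, {subject: final_verdict}, ok) where ok is True
    only if at least one certificate was checked and every certificate's
    last verdict before the login was 'Valid'."""
    results = []
    verdicts = {}  # subject -> last verdict seen before the login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("verdict"):
            # A later verdict for the same subject overrides an earlier one.
            verdicts[m.group("subject")] = m.group("verdict")
        else:
            ok = bool(verdicts) and all(v == "Valid" for v in verdicts.values())
            results.append((m.group("user"), dict(verdicts), ok))
            verdicts = {}
    return results


if __name__ == "__main__":
    for user, final, ok in audit_logins(SAMPLE_LOG):
        print(("ok     " if ok else "SUSPECT"), user, final)
```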