[Dovecot] 1.0rc26: ssl_verify_client=yes ?

Timo Sirainen tss at iki.fi
Thu Mar 8 15:43:54 EET 2007


On Thu, 2007-03-08 at 13:51 +0100, Leroy van Logchem wrote:
> Q1)
> I can't get ssl_verify_client_cert=yes working.
> The ssl key and cert are signed using our CA.
> Also the ssl_ca_file has a CRL appended (no revokes yet).
> 
> Expected behavior:
> Stop the SSL (the client doesn't have a cert installed)
> 
> Current behavior:
> Mail clients accept SSL and login succeeds.
> (both Evolution and Thunderbird).
> 
> My bad? Please advise.

You'll also need to set ssl_require_client_cert=yes in the auth section. I
added that now to ssl_verify_client_cert's comments.

> Q2)
> The next step, if dovecot blocks the client because
> of the verify_client_cert, how to create certs for OE,
> Evolution and Thunderbird?

I don't think most clients support SSL client certificates at all,
although I know some people are using them with some clients. Maybe
someone could add a list of the clients supporting them into wiki.
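
An added example, not part of the original message and not Dovecot code: a small check for the gap described in Q1, where client certificates are requested but not required, so a login without one still succeeds. It assumes the Dovecot 1.0 dovecot.conf layout (ssl_verify_client_cert at top level, ssl_require_client_cert inside an "auth <name> { }" block); check_client_cert_enforced and sample_conf are hypothetical names, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not Dovecot code. Exit status of check_client_cert_enforced:
#   0 = client certificate requested and required
#   1 = requested but not required (the situation in Q1)
#   2 = not requested at all
check_client_cert_enforced() {   # hypothetical helper; reads a file or stdin
    awk '
    {
        sub(/#.*/, "")           # ignore comments
        line = $0
        if (depth == 0 && line ~ /^[ \t]*auth[ \t]+[A-Za-z0-9_]+[ \t]*[{]/)
            in_auth = 1
        if (depth == 0 && line ~ /^[ \t]*ssl_verify_client_cert[ \t]*=[ \t]*yes[ \t]*$/)
            verify = 1
        # Only a setting directly inside the auth block counts, not one in a
        # nested passdb/userdb block or at top level.
        if (in_auth && depth == 1 && line ~ /^[ \t]*ssl_require_client_cert[ \t]*=[ \t]*yes[ \t]*$/)
            require = 1
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (depth == 0) in_auth = 0
    }
    END { if (!verify) exit 2; if (!require) exit 1; exit 0 }
    ' "$@"
}

# Constructed sample config; $1 is the value given to ssl_require_client_cert.
sample_conf() {
    cat <<EOF
# placeholder path: CA certificate with the CRL appended
ssl_ca_file = /etc/ssl/example-ca-and-crl.pem
ssl_verify_client_cert = yes
protocols = imaps
auth default {
  mechanisms = plain
  passdb pam {
  }
  ssl_require_client_cert = $1
}
EOF
}

for v in no yes; do
    rc=0
    sample_conf "$v" | check_client_cert_enforced || rc=$?
    echo "ssl_require_client_cert=$v -> status $rc"
done
```

To check a real file, pass its path as the argument, for example the dovecot.conf in use on the server.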

