[Dovecot] Problem with requiring client certificates for external connections

Frank Crawford frank at crawford.emu.id.au
Sun Dec 19 04:12:31 EET 2010


Folks,
	I'm trying to configure my dovecot installation to require client
certificates for external/Internet connections, while still allowing my
local network to not need certificates.

	This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
tried to use the "remote" block to give different definitions for my
local network vs the defaults.  While most options seem to be set fine,
if I set "auth_ssl_require_client_cert" to yes as the default, and reset
it to no for my local network, dovecot still requests a client
certificate and fails as one is not supplied.

	Am I correct that it can be reset in a "remote" block, or is it treated
differently to other options?  In fact do I have the configuration
correct, as there doesn't really seem to be anything documenting
"remote" or "remote_ip" or related items for Dovecot 2.

	Related to this, much of the documentation states that the variable is
"ssl_require_client_cert", which seems to be accepted but ignored, vs
"auth_ssl_require_client_cert", which does have some effects.

	Also, in the configuration dump, it duplicates the netmask.

	The configuration is below, as generated with "dovecot -n".

Regards
Frank

# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
auth_ssl_require_client_cert = yes
mail_location = maildir:/var/spool/maildir/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at crawford.emu.id.au
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %v.%u
}
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote 2001:44b8:62:140::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
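To make the intended policy in the dump above concrete, here is an added Python example (not Dovecot code and not part of the original post) that parses a "dovecot -n" style dump containing "remote" blocks and resolves which settings should apply to a given client address. It assumes the precedence the poster is after (global values, overridden by the most specific matching "remote" block) and uses constructed sample networks; whether Dovecot 2.0.8 actually honors auth_ssl_require_client_cert inside a "remote" block is the open question of this post, so this models the expected policy for checking, it is not Dovecot's own resolution logic.

```python
import ipaddress
import re

# Constructed sample in the style of a "dovecot -n" dump (documentation
# prefixes, not the poster's networks): a fail-closed global policy that
# requires client certificates, plus trusted-network overrides.
SAMPLE_CONFIG = """\
auth_ssl_require_client_cert = yes
ssl = required
ssl_verify_client_cert = yes
disable_plaintext_auth = yes
passdb {
  driver = pam
}
remote 203.0.113.0/24 {
  auth_ssl_require_client_cert = no
  ssl_verify_client_cert = no
  disable_plaintext_auth = no
  ssl = no
}
remote 2001:db8:1::/64 {
  auth_ssl_require_client_cert = no
  ssl_verify_client_cert = no
}
"""


def parse_config(text):
    """Return (global_settings, [(network, settings), ...]).

    Only flat 'key = value' lines and 'remote <cidr> { ... }' blocks are
    modelled; other sections (passdb, plugin, protocol, ...) are skipped.
    """
    globals_ = {}
    remotes = []
    current = None   # settings dict of the remote block we are inside
    skip_depth = 0   # > 0 while inside a block type we do not model
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if skip_depth:
            if line.endswith("{"):
                skip_depth += 1
            elif line == "}":
                skip_depth -= 1
            continue
        m = re.match(r"remote\s+(\S+)\s*\{$", line)
        if m:
            # Tolerate the doubled mask seen in the dump ("/24/24"): keep the first.
            parts = m.group(1).split("/")
            cidr = "/".join(parts[:2])
            current = {}
            remotes.append((ipaddress.ip_network(cidr, strict=False), current))
            continue
        if line.endswith("{"):
            skip_depth = 1
            continue
        if line == "}":
            current = None
            continue
        key, _, value = line.partition("=")
        target = current if current is not None else globals_
        target[key.strip()] = value.strip()
    return globals_, remotes


def effective_settings(client_ip, globals_, remotes):
    """Settings expected for one client: globals, then matching remote
    blocks applied on top, longest prefix last so it wins (assumed precedence)."""
    addr = ipaddress.ip_address(client_ip)
    result = dict(globals_)
    matches = [(net, s) for net, s in remotes
               if addr.version == net.version and addr in net]
    for _net, settings in sorted(matches, key=lambda ns: ns[0].prefixlen):
        result.update(settings)
    return result


def requires_client_cert(client_ip, config_text=SAMPLE_CONFIG):
    """True if the expected policy demands a client certificate from this
    address; an unset value is treated as 'no'."""
    globals_, remotes = parse_config(config_text)
    eff = effective_settings(client_ip, globals_, remotes)
    return eff.get("auth_ssl_require_client_cert", "no") == "yes"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8:1::5", "2001:db8:2::5"):
        print(ip, "client cert required:", requires_client_cert(ip))
```

The useful check is the fail-closed direction: any address outside the listed networks must resolve to the global "yes", and a typo in a "remote" prefix widens the certificate-free zone silently, so compare the parsed networks against what you meant to whitelist.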


