[Dovecot] auth, partially resolved

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Jan 8 10:55:38 EET 2010



On Thu, 7 Jan 2010, Spyros Tsiolis wrote:

>> signed certificate:
>> /C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP
>> server/CN=webmail.domain.gr/emailAddress=postmaster at webmail.domain.gr
>>
>> You access the cert of webmail.domain.gr via a host named
>> localhost.
>> If Horde runs on the same host, just disable SSL :-)
>
> . . .because SSL is for remote hosts (clients) on the network anyway
> right ?

Well, there might be scenarios, when a local user other than root may 
sniff the connection on localhost, but I think you have no such one. So to 
encrypt a connection from localhost to localhost is a waste of resources. 
In case of Dovecot you'll need one extra file descriptor (and depending 
on your settings one extra process as well), plus the CPU time to actually 
do the encryption.

> Yeah. The certificate is there. Under "/etc/ssl/certs".
> I was thinking that maybe because the system (and the certificate
> issuer, horde and dovecot are on the same box. You ask me somewhere
> about that) is all-in-one, I need to import the certificate somewhere ?

See above for the reason.

> The dovecot wiki says that importing the certificate is only applicable
> to the client-side (evolution, thunderbird and so on).

The webmail-frontend _is_ your client in the view of Dovecot. But since
the cert is in /etc/ssl/certs, it should work, but if you validate the
cert, the webmail may bark, because you access the SSL-cert with the CN
"webmail.domain.gr" by another name "localhost". This is a sign of a
man-in-the-middle attack, actually.

BTW: Do your SSL IMAP/POP clients also use the name "webmail.domain.gr"? 
Otherwise they will get a warning as well, maybe each time they connect.

Regards,

-- 
Steffen Kaiser
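The name-mismatch warning described above (a certificate issued for "webmail.domain.gr" reached via "localhost") comes down to the hostname check every validating client performs. The following is an added example, not code from the thread or from Dovecot or Horde: a stand-alone hostname matcher in the style of RFC 6125, run against a constructed certificate dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns. The subject is taken from the DN quoted in the thread; the `subjectAltName` entry is an assumption, since the thread only shows the CN.

```python
# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns. Subject DN copied from the thread; the SAN entry is an assumption.
WEBMAIL_CERT = {
    "subject": (
        (("countryName", "GR"),),
        (("stateOrProvinceName", "Kerkyra"),),
        (("localityName", "Kerkyra"),),
        (("organizationName", "Tourist Enterprizes"),),
        (("organizationalUnitName", "IMAP server"),),
        (("commonName", "webmail.domain.gr"),),
        (("emailAddress", "postmaster@webmail.domain.gr"),),
    ),
    "subjectAltName": (("DNS", "webmail.domain.gr"),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a single '*' allowed only
    as the entire left-most label, and it never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    # Reject partial wildcards like 'web*.domain.gr' and too-broad ones like '*.gr'.
    if first != "*" or "*" in rest or "." not in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def cert_matches_hostname(cert: dict, hostname: str) -> tuple:
    """Return (matched, reason). dNSName SAN entries take precedence; the
    subject CN is consulted only when the cert carries no dNSName, which is
    how browsers and mail clients of that era behaved."""
    candidates = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    source = "subjectAltName"
    if not candidates:
        candidates = [v for rdn in cert.get("subject", ())
                      for k, v in rdn if k == "commonName"]
        source = "commonName"
    for name in candidates:
        if dns_name_matches(name, hostname):
            return True, f"{source} {name!r} matches {hostname!r}"
    return False, f"{hostname!r} matches none of {source} {candidates}"


if __name__ == "__main__":
    for host in ("webmail.domain.gr", "localhost"):
        print(host, "->", cert_matches_hostname(WEBMAIL_CERT, host))
```

Connecting to "localhost" therefore fails the check regardless of where the certificate file lives; the fix is to address the IMAP server by the name in the certificate (or, on the same box, to skip SSL as suggested above).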
