[Dovecot] Different settings for SSL/non-SSL protocols

Алексей Прокопчук alexpro at homelan.lg.ua
Wed Dec 4 13:49:46 EET 2013


Greetings
On 03.12.2013 17:29, Алексей Прокопчук wrote:
> Good time of the day!
>
> Is it possible to set up dovecot with different requirements for SSL and
> non-SSL protocols?
> What I would like to do:
>
> pop3/imap non-SSL = allowed plain text authentication.
> pop3/imap with SSL = allowed plain text authentication with required
> valid SSL certificates.
I examined in detail dovecot's behavior with
'auth_ssl_require_client_cert=yes'.
Dovecot misinterprets the configuration in the case with the parameters:
ssl = yes
auth_ssl_require_client_cert = yes

If ssl is not equal to 'required', i.e. SSL is not strictly required, then
an unencrypted connection is permissible.
And the case 'ssl = required' is processed separately when the connection begins.
But dovecot answers a client on an unencrypted connection with "Client didn't
sent a valid SSL certificate".
This is wrong because with an unencrypted connection there can't be any
certificates at all.

I use dovecot-2.1.16.
In auth-request-handler.c I found:

if (request->set->ssl_require_client_cert &&
    !request->valid_client_cert) {
        /* we fail without valid certificate */
        auth_request_handler_auth_fail(handler, request,
                "Client didn't present valid SSL certificate");
        return TRUE;
}

Here it is necessary to check whether the connection is encrypted, and if the
connection is not encrypted, the condition should not be triggered.
And as I said above, the case with 'ssl = required' is processed earlier, and in
that case we don't get to this place in the code.

Dovecot's sources are quite complex, and for now I can't find a way to
determine at this place whether the connection is encrypted or not. Can you
give me a hint how I can determine it?

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
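The check quoted in the post, modelled beside the version the post argues for, as an added example (this is not dovecot's own code; the names `ssl_mode`, `conn_secured` and both functions are assumptions made for illustration):

```c
/* Added illustration, not dovecot source. Models the decision made by the
 * quoted auth-request-handler.c check and the behaviour the post asks for.
 * `ssl_mode`, `conn_secured` and the function names are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum ssl_mode { SSL_NO, SSL_YES, SSL_REQUIRED };

/* Behaviour described in the post: with auth_ssl_require_client_cert=yes,
 * any login without a valid client certificate fails, even when the
 * connection is plaintext and so could never have carried one. */
static bool current_rejects(bool require_cert, bool valid_client_cert)
{
    return require_cert && !valid_client_cert;
}

/* Behaviour the post argues for: a client certificate only exists on a TLS
 * connection, so the certificate check applies only once the connection is
 * encrypted. A plaintext connection under ssl=required is refused at
 * connection start, before authentication, as the post notes. */
static bool proposed_rejects(enum ssl_mode mode, bool conn_secured,
                             bool require_cert, bool valid_client_cert)
{
    if (mode == SSL_REQUIRED && !conn_secured)
        return true;   /* refused when the connection begins, not by this check */
    if (!conn_secured)
        return false;  /* no TLS, so there is no certificate to evaluate */
    return require_cert && !valid_client_cert;
}

int main(void)
{
    /* ssl=yes, auth_ssl_require_client_cert=yes, plaintext client */
    printf("plaintext client, current:  %s\n",
           current_rejects(true, false) ? "reject" : "allow");
    printf("plaintext client, proposed: %s\n",
           proposed_rejects(SSL_YES, false, true, false) ? "reject" : "allow");
    /* TLS client that presented no valid certificate: still rejected */
    printf("tls client, no cert, proposed: %s\n",
           proposed_rejects(SSL_YES, true, true, false) ? "reject" : "allow");
    return 0;
}
```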
