[Dovecot] IMAPS: Disable SSL connection without client certificate

Ireneusz Szcześniak irek.szczesniak at gmail.com
Sat Jun 29 23:39:42 EEST 2013


With my config, Dovecot disallows logging in when the SSL connection 
was established by a client without a certificate.  In this case the 
client gets to talk to Dovecot.  The client could exploit potential 
Dovecot vulnerabilities.

Instead, I want the SSL connection to be dropped by OpenSSL when the 
client doesn't authenticate with a certificate, and so the client 
doesn't get to talk with Dovecot.  This is safer, because the client 
is dropped by the well-tested OpenSSL.

On 29.06.2013 22:03, Reindl Harald wrote:

> Am 29.06.2013 21:54, schrieb Ireneusz Szcześniak:
>> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem.  I have got the
>> SSL working with the config presented in my first post.  The problem is that I'm surprised that Dovecot lets
>> clients establish an SSL connection even when the client doesn't present a certificate.  I don't want clients
>> without a valid certificate to even establish an SSL connection.
>
> what the hell - you can reject them after they do not present a cert,
> but how do you imagine technically smelling this fact before they connect?
>
>> On 28.06.2013 23:34, Reindl Harald wrote:
>>
>>> Am 28.06.2013 23:31, schrieb Ireneusz Szcześniak:
>>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great.  Dovecot serves IMAPS only,
>>>> and I'm using Thunderbird to access my mail.
>>>>
>>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection.  I
>>>> configured my Thunderbird for an SSL/TLS connection with a normal password.  It works fine.
>>>>
>>>> However, with my config anybody can connect to my server without presenting a certificate
>>>
>>> google "dovecot ssl client certificate" leads to
>>> http://wiki.dovecot.org/SSL/DovecotConfiguration
>>>
>>> well, this is for dovecot 1.x, but have you tried it?
>>>
>>> Client certificate verification/authentication
>>> If you want to require clients to present a valid SSL certificate, you'll need these settings
>


-- 
Ireneusz (Irek) Szczesniak
http://www.irkos.org
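The distinction the poster draws, as an added example that is not part of the original post and not Dovecot's or OpenSSL's code: a TLS server can either request a client certificate and let the handshake complete without one (OpenSSL's SSL_VERIFY_PEER alone; Dovecot's ssl_verify_client_cert / auth_ssl_require_client_cert settings then reject at the authentication stage, after the client is already talking to the login process), or refuse to complete the handshake at all when no certificate is presented (OpenSSL's SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT). The example below uses Go's crypto/tls instead of OpenSSL, a throwaway CA and certificates generated in memory, an in-memory pipe instead of a socket, and a constructed "* OK" greeting standing in for the IMAP banner; the hostname imap.example.test and the user name alice are made up.

```go
// Added example (not Dovecot's or OpenSSL's code): the two client-certificate
// policies at the TLS layer, shown with Go's crypto/tls over an in-memory pipe.
//   tls.VerifyClientCertIfGiven    -> handshake completes with no client cert;
//                                     the application must notice and reject.
//   tls.RequireAndVerifyClientCert -> the handshake itself fails; the peer never
//                                     reaches the application (OpenSSL:
//                                     SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64

// newCert issues a throwaway certificate (self-signed when isCA is true).
func newCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Result of one attempted connection, judged from the server side.
type Result struct {
	Accepted  bool  // server handshake completed: the client reached the application layer
	PeerCerts int   // client certificates the server saw
	Err       error // server-side handshake error, if any
}

// connect runs one TLS handshake over net.Pipe with the given server policy;
// presentCert controls whether the client offers its certificate.
func connect(policy tls.ClientAuthType, presentCert bool) Result {
	ca, caKey := newCert("Test CA", nil, true, nil, nil)
	srv, srvKey := newCert("imap.example.test", []string{"imap.example.test"}, false, ca, caKey)
	cli, cliKey := newCert("alice", nil, false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:             policy,
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // keep the exchange to handshake plus one greeting
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "imap.example.test"}
	if presentCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}

	srvRaw, cliRaw := net.Pipe()
	done := make(chan Result, 1)
	go func() {
		defer srvRaw.Close()
		tc := tls.Server(srvRaw, srvCfg)
		if err := tc.Handshake(); err != nil {
			done <- Result{Err: err} // peer dropped by the TLS library, never reaches us
			return
		}
		// Only here is the application layer reached; with VerifyClientCertIfGiven
		// this is where a Dovecot-style check for a missing certificate would live.
		n := len(tc.ConnectionState().PeerCertificates)
		_, _ = tc.Write([]byte("* OK IMAP server ready\r\n")) // constructed greeting
		done <- Result{Accepted: true, PeerCerts: n}
	}()

	tc := tls.Client(cliRaw, cliCfg)
	if err := tc.Handshake(); err == nil {
		// In TLS 1.3 the client finishes first; read once so the server's greeting
		// or its alert is consumed and the unbuffered pipe cannot deadlock.
		buf := make([]byte, 64)
		_, _ = tc.Read(buf)
	}
	cliRaw.Close()
	return <-done
}

func main() {
	policies := map[string]tls.ClientAuthType{
		"VerifyClientCertIfGiven": tls.VerifyClientCertIfGiven, "RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
	}
	for name, p := range policies {
		for _, present := range []bool{false, true} {
			r := connect(p, present)
			fmt.Printf("%-27s client cert=%-5v accepted=%-5v peer certs=%d err=%v\n", name, present, r.Accepted, r.PeerCerts, r.Err)
		}
	}
}
```

With VerifyClientCertIfGiven and no client certificate the server-side handshake succeeds and the application sees zero peer certificates, which is the situation the poster describes; with RequireAndVerifyClientCert the same client is refused inside the TLS library and the application code is never entered.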

