[Dovecot] IMAPS: Disable SSL connection without client certificate

Ireneusz Szcześniak irek.szczesniak at gmail.com
Sat Jun 29 23:39:42 EEST 2013

With my config, Dovecot disallows logging in when the SSL connection 
was established by a client without a certificate.  In this case the 
client gets to talk to Dovecot.  The client could exploit potential 
Dovecot vulnerabilities.

Instead, I want the SSL connection to be dropped by OpenSSL when the 
client doesn't authenticate with a certificate, and so the client 
doesn't get to talk with Dovecot.  This is safer, because the client 
is dropped by the well-tested OpenSSL.

On 29.06.2013 22:03, Reindl Harald wrote:

> Am 29.06.2013 21:54, schrieb Ireneusz Szcześniak:
>> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem.  I have got the
>> SSL working with the config presented in my first post.  The problem is that I'm surprised that Dovecot lets
>> clients establish an SSL connection even when the client doesn't present a certificate.  I don't want clients
>> without a valid certificate even establish an SSL connection.
> what the hell - you can reject them after not present a cert
> but how do you imagine technically to smell this fact before connect?
>> On 28.06.2013 23:34, Reindl Harald wrote:
>>> Am 28.06.2013 23:31, schrieb Ireneusz Szcześniak:
>>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great.  Dovecot serves IMAPS only,
>>>> and I'm using Thunderbird to access my mail.
>>>> I configured Dovecot to allow clients that present a valid certificate when establishing SSL connection.  I
>>>> configure my Thunderbird for SSL/TLS connection with normal password.  It works fine.
>>>> However, with my config anybody can connect to my server without presenting a certificate
>>> google "dovecot ssl client certificate" leads to
>>> http://wiki.dovecot.org/SSL/DovecotConfiguration
>>> well, this is for dovecot 1.x, but have you tried it?
>>> Client certificate verification/authentication
>>> If you want to require clients to present a valid SSL certificate, you'll need these settings

Ireneusz (Irek) Szczesniak

More information about the dovecot mailing list