[Dovecot] IMAPS: Disable SSL connection without client certificate

Reindl Harald h.reindl at thelounge.net
Sat Jun 29 23:46:00 EEST 2013


why are you refusing to understand that this is technical *nonsense*

how do you imagine that "and so the client doesn't get to talk with Dovecot"
by respecting the dovecot configuration? damn it, inform yourself about network basics
and do not demand impossible things like "the daemon listens on a port but
the client must not talk to the daemon, by magic, without first
authenticating against magic"

Am 29.06.2013 22:39, schrieb Ireneusz Szcześniak:
> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a
> certificate.  In this case the client gets to talk to Dovecot.  The client could exploit potential Dovecot
> vulnerabilities.
> 
> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a
> certificate, and so the client doesn't get to talk with Dovecot.  This is safer, because the client is dropped by
> the well-tested OpenSSL.
> 
> On 29.06.2013 22:03, Reindl Harald wrote:
> 
>> Am 29.06.2013 21:54, schrieb Ireneusz Szcześniak:
>>> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem.  I have got the
>>> SSL working with the config presented in my first post.  The problem is that I'm surprised that Dovecot lets
>>> clients establish an SSL connection even when the client doesn't present a certificate.  I don't want clients
>>> without a valid certificate to even establish an SSL connection.
>>
>> what the hell - you can reject them after they don't present a cert
>> but how do you imagine technically smelling this fact before they connect?
>>
>>> On 28.06.2013 23:34, Reindl Harald wrote:
>>>
>>>> Am 28.06.2013 23:31, schrieb Ireneusz Szcześniak:
>>>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great.  Dovecot serves IMAPS only,
>>>>> and I'm using Thunderbird to access my mail.
>>>>>
>>>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection.  I
>>>>> configured my Thunderbird for an SSL/TLS connection with a normal password.  It works fine.
>>>>>
>>>>> However, with my config anybody can connect to my server without presenting a certificate
>>>>
>>>> google "dovecot ssl client certificate" leads to
>>>> http://wiki.dovecot.org/SSL/DovecotConfiguration
>>>>
>>>> well, this is for dovecot 1.x, but have you tried it?
>>>>
>>>> Client certificate verification/authentication
>>>> If you want to require clients to present a valid SSL certificate, you'll need these settings
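The disagreement in this thread is about which layer says "no". Reindl is right that the daemon cannot avoid accepting the TCP connection and parsing the ClientHello; Ireneusz is right that, once the server's TLS context *requires* a peer certificate, OpenSSL aborts the handshake itself and the application protocol never starts. The script below is an added example, not code from this thread or from Dovecot: a small Python TLS server whose only application behaviour is to send a constructed IMAP-style greeting, tested once by a client with no certificate and once by a client holding a trusted one. It assumes Python 3.8+ and an `openssl` CLI (1.1.1 or newer) on PATH for generating throwaway self-signed certificates; `GREETING`, the host names `localhost`/`client` and the `rejected_in_handshake`/`served` labels are all constructed for the demo.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed stand-in for the IMAP banner a real Dovecot would send after the
# TLS handshake; the point of the demo is whether a client ever receives it.
GREETING = b"* OK demo IMAP server ready\r\n"


def make_self_signed(workdir, name):
    """Create a throwaway self-signed cert/key pair with the openssl CLI.

    Assumes `openssl` (1.1.1 or newer, for -addext) is on PATH. Each side of
    the demo trusts the other's self-signed certificate directly, which keeps
    the example to two certificates instead of a CA plus two leaf certs.
    """
    key = os.path.join(workdir, f"{name}.key")
    crt = os.path.join(workdir, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}"],
        check=True, capture_output=True)
    return crt, key


def server_context(server_crt, server_key, trusted_client_crt):
    """Server-side TLS context that refuses the handshake without a client cert.

    CERT_REQUIRED is the knob that matters: with CERT_OPTIONAL the handshake
    would complete for a cert-less client and only the application could say no.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=trusted_client_crt)
    return ctx


def serve(ctx, listener, log, count):
    """Accept `count` TCP connections; log whether each one reached the app layer."""
    for _ in range(count):
        conn, _ = listener.accept()          # the TCP accept itself cannot be avoided
        try:
            tls = ctx.wrap_socket(conn, server_side=True)   # runs the handshake
        except ssl.SSLError:
            log.append("rejected_in_handshake")  # OpenSSL sent the alert; app code ran nothing
            continue
        with tls:
            tls.sendall(GREETING)            # only a client with a trusted cert gets here
        log.append("served")


def connect(ctx, port):
    """Return the greeting bytes, or None if the TLS layer refused the session."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                # Under TLS 1.3 the rejection shows up on the first read rather
                # than in wrap_socket, so read before declaring success.
                return tls.recv(1024) or None
    except OSError:   # ssl.SSLError and ConnectionResetError both subclass OSError
        return None


def run_demo():
    """Connect once without and once with a client certificate; report both."""
    with tempfile.TemporaryDirectory() as workdir:
        srv_crt, srv_key = make_self_signed(workdir, "localhost")
        cli_crt, cli_key = make_self_signed(workdir, "client")

        listener = socket.create_server(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        log = []
        worker = threading.Thread(
            target=serve,
            args=(server_context(srv_crt, srv_key, cli_crt), listener, log, 2),
            daemon=True)
        worker.start()

        anonymous = ssl.create_default_context(cafile=srv_crt)  # verifies server, presents nothing
        authenticated = ssl.create_default_context(cafile=srv_crt)
        authenticated.load_cert_chain(cli_crt, cli_key)

        result = {
            "without_cert": connect(anonymous, port),
            "with_cert": connect(authenticated, port),
        }
        worker.join(timeout=10)
        listener.close()
        result["server_log"] = list(log)
        return result


if __name__ == "__main__":
    print(run_demo())
```

Run it and the server log reads `rejected_in_handshake` for the first client and `served` for the second: the cert-less client never sees the greeting, and the code after `wrap_socket` (the stand-in for the IMAP parser) never executes for it. That is the property Ireneusz is after, and it comes from `verify_mode = ssl.CERT_REQUIRED` rather than from anything the application does; the "request a cert but still let the login code decide" behaviour he observed corresponds to `ssl.CERT_OPTIONAL`. Whether a given Dovecot version exposes the strict form is a question for the wiki page linked above, not something this example settles.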
