[Dovecot] IMAPS: Disable SSL connection without client certificate
Charles Marcus
CMarcus at Media-Brokers.com
Sat Jun 29 16:54:02 EEST 2013
Please do not top-post in an inline thread...
On 2013-06-29 2:38 AM, Ireneusz Szcześniak <irek.szczesniak at gmail.com> wrote:
> On 28.06.2013 23:34, Reindl Harald wrote:
>>
>> Am 28.06.2013 23:31, schrieb Ireneusz Szcześniak:
>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month.
>>> It works great. Dovecot serves IMAPS only,
>>> and I'm using Thunderbird to access my mail.
>>>
>>> I configured Dovecot to allow clients that present a valid
>>> certificate when establishing SSL connection. I
>>> configure my Thunderbird for SSL/TLS connection with normal
>>> password. It works fine.
>>>
>>> However, with my config anybody can connect to my server without
>>> presenting a certificate
>>
>> google "dovecot ssl client certificate" leads to
>> http://wiki.dovecot.org/SSL/DovecotConfiguration
>>
>> well, this is for dovecot 1.x, but have you tried it?
>>
>> Client certificate verification/authentication
>> If you want to require clients to present a valid SSL certificate,
>> you'll need these settings:
>>
>> ssl_ca_file = /etc/ssl/ca.pem
>> ssl_verify_client_cert = yes
>> auth default {
>> ssl_require_client_cert = yes
>> ..
>> }
> Thanks for your email. Yes, I looked at that website before.
> I'm using these options with Dovecot 2.1.8, among others:
>
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca = </etc/ssl/certs/cacertcrl.pem

I'm not sure why Reindl pointed you to the 1.x docs when you are using
2.x...

The setting has apparently changed in 2.x (note the addition of 'auth_'
to the 'require' setting):

From the wiki2 page:

"Client certificate verification/authentication

If you want to require clients to present a valid SSL certificate,
you'll need these settings:

ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes"

Linked: http://wiki2.dovecot.org/SSL/DovecotConfiguration

--
Best regards,
Charles
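
An added example, not part of the original message and not Dovecot's own tooling: a small Python check over configuration text (for instance the output of `doveconf -n`) that reports when the three 2.x settings quoted above are missing or when the 1.x names from the older wiki text are still in use. The function names and the sample inputs are constructed for illustration.

```python
import re

# Dovecot 2.x settings the quoted wiki2 text lists for requiring client certificates.
REQUIRED_YES = ("ssl_verify_client_cert", "auth_ssl_require_client_cert")
# 1.x names from the older wiki text, mapped to the 2.x names used in this thread.
LEGACY = {"ssl_ca_file": "ssl_ca", "ssl_require_client_cert": "auth_ssl_require_client_cert"}
KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse(text):
    """Return (top-level settings dict, set of every key seen at any depth)."""
    top_level, all_keys, depth = {}, set(), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (quoted '#' not handled)
        match = KEY_VALUE.match(line)
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif match:
            all_keys.add(match.group(1))
            if depth == 0:
                top_level[match.group(1)] = match.group(2).strip()
    return top_level, all_keys

def audit(text):
    """Return a list of findings; an empty list means the settings are in place."""
    top_level, all_keys = parse(text)
    findings = [f"{name} is not set to yes" for name in REQUIRED_YES
                if top_level.get(name, "").lower() != "yes"]
    if not top_level.get("ssl_ca"):
        findings.append("ssl_ca is not set")
    findings += [f"{old} is a 1.x name; use {new}"
                 for old, new in LEGACY.items() if old in all_keys]
    return findings

# Constructed sample inputs, not taken from a real server.
V1_STYLE = """ssl_ca_file = /etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth default {
  ssl_require_client_cert = yes
}
"""
V2_STYLE = """ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes
"""
if __name__ == "__main__":
    print(audit(V1_STYLE), audit(V2_STYLE))
```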