Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth

Guilhem Moulin guilhem at fripost.org
Mon Jun 23 21:03:02 UTC 2014

Hi there,

As of Dovecot 2.2.9, it's possible to enable passwordless authentication 
using client certificates [1]:

    ssl_ca = </etc/ssl/ca.pem
    ssl_verify_client_cert = yes
    auth_ssl_username_from_cert = yes

(Password checking can be bypassed by returning the extra fields
‘password= nopassword’ in the passdb when the variable ‘%k’ expands to

However this requires the server admin to set up a PKI.  Having 
a variable %{x509} expanding to the X.509 client cert in Dovecot-auth 
would remove such hassle and instead provide a way to manage authorized 
clients in the fashion of OpenSSH's ‘authorized_keys’.

Postfix has a similar configuration option: relay_clientcerts [2].
There, the keys for the lookup table can be either client cert
fingerprints or public key fingerprints (the digest algorithm can be
configured with smtpd_tls_fingerprint_digest).  I can't see why %{x509}
should digest the certificate and not merely PEM-encode it, but having
another %{pubkey} variable expanding to the (PEM-encoded) cert's
SubjectPublicKeyInfo block would surely be useful :-)

I wonder if there are other folks interested in having the client cert
available in the passdb.


[1] http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2BAC8-authentication
[2] http://www.postfix.org/postconf.5.html#relay_clientcerts
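To make the Postfix-style comparison concrete: the script below is an added example, not part of the post above and not Dovecot's or Postfix's own code. It builds two structure-only X.509 certificates that share one SubjectPublicKeyInfo (a client cert and its renewal, with placeholder key and signature bytes rather than a real RSA key), computes a certificate fingerprint over the whole DER cert and a public key fingerprint over the DER SubjectPublicKeyInfo (the block the proposed %{pubkey} variable would carry; whether this matches Postfix's byte-level definition is an assumption, the post does not say), and looks both up in an authorized_keys-like table. The table keyed on the key fingerprint keeps matching after renewal; the one keyed on the cert fingerprint does not, and a cert presenting the same CN with a different key matches neither. The digest name follows hashlib, in the spirit of smtpd_tls_fingerprint_digest.

```python
"""Cert fingerprint vs. public key fingerprint lookup (added example).

Constructed data: the certificates are unsigned, structure-only DER built
with a minimal encoder so the example runs offline; they are not real keys.
"""
import hashlib

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06
PRINTABLE, UTCTIME, CTX0 = 0x13, 0x17, 0xA0


def der(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(content):
    """Split a constructed value into (tag, raw_tlv, inner_value) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, first = content[pos], content[pos + 1]
        if first < 0x80:
            length, start = first, pos + 2
        else:
            n = first & 0x7F
            length = int.from_bytes(content[pos + 2:pos + 2 + n], "big")
            start = pos + 2 + n
        end = start + length
        out.append((tag, content[pos:end], content[start:end]))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate.

    tbsCertificate (RFC 5280 4.1) is: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    (_, _, cert_body), = der_children(cert_der)
    _, _, tbs = der_children(cert_body)[0]
    fields = der_children(tbs)
    if fields[0][0] == CTX0:            # explicit version present (v2/v3)
        fields = fields[1:]
    tag, raw, _ = fields[5]
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return raw


def fingerprint(data, digest="sha256"):
    """Colon-separated upper-case hex, the form 'openssl x509 -fingerprint' prints."""
    h = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_fingerprint(cert_der, digest="sha256"):
    return fingerprint(cert_der, digest)


def pubkey_fingerprint(cert_der, digest="sha256"):
    return fingerprint(spki_from_cert(cert_der), digest)


def lookup_client(cert_der, table, digest="sha256"):
    """relay_clientcerts-style lookup: a table key may be either fingerprint."""
    for fp in (cert_fingerprint(cert_der, digest), pubkey_fingerprint(cert_der, digest)):
        if fp in table:
            return table[fp]
    return None


# --- constructed certificates (placeholders, not real keys) -----------------
RSA_ENC = der(SEQUENCE, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))
SHA256_RSA = der(SEQUENCE, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))


def _name(cn):
    """A Name holding a single commonName RDN."""
    return der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, b"\x55\x04\x03") + der(PRINTABLE, cn.encode()))))


def make_spki(modulus):
    """RSA SubjectPublicKeyInfo; 'modulus' is a placeholder byte string."""
    rsa_pub = der(SEQUENCE, der(INTEGER, modulus) + der(INTEGER, b"\x01\x00\x01"))
    return der(SEQUENCE, RSA_ENC + der(BIT_STRING, b"\x00" + rsa_pub))


def make_cert(serial, cn, spki):
    """Unsigned, structure-only v3 certificate: enough for fingerprinting."""
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, serial) + SHA256_RSA
              + _name("Example CA") + der(SEQUENCE, der(UTCTIME, b"140623000000Z") + der(UTCTIME, b"150623000000Z"))
              + _name(cn) + spki)
    fake_sig = der(BIT_STRING, b"\x00" + bytes(32))   # placeholder, not a real signature
    return der(SEQUENCE, tbs + SHA256_RSA + fake_sig)


ALICE_SPKI = make_spki(b"\x00\xc3" + bytes(range(1, 33)))
ALICE_2014 = make_cert(b"\x01", "alice", ALICE_SPKI)             # original client cert
ALICE_2015 = make_cert(b"\x02", "alice", ALICE_SPKI)             # renewal, same key
SAME_NAME_OTHER_KEY = make_cert(b"\x03", "alice", make_spki(b"\x00\xd4" + bytes(range(33, 65))))

# authorized_keys-style table keyed on the public key fingerprint.
AUTHORIZED_BY_KEY = {pubkey_fingerprint(ALICE_2014): "alice"}

if __name__ == "__main__":
    for c in (ALICE_2014, ALICE_2015, SAME_NAME_OTHER_KEY):
        print(cert_fingerprint(c), pubkey_fingerprint(c), lookup_client(c, AUTHORIZED_BY_KEY))
```

Keying the table on the public key fingerprint is what makes the scheme behave like OpenSSH's authorized_keys: a reissued certificate for the same key keeps working without touching the table, while a cert-fingerprint table has to be updated on every renewal.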
