Require certificate for external clients

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Mar 2 07:50:33 UTC 2015



On Fri, 27 Feb 2015, Karol Babioch wrote:

> I'm currently looking into ways of making use of client certificates. I
> want to force external clients (i.e. anything outside the local subnet)
> to use client certificates. It is my understanding that this in itself
> can be achieved with the "ssl_require_client_cert" setting.
>
> However, I also want local clients (i.e. anything from a specific
> subnet) to be able to authenticate by the usual means (i.e. password-based).

There are local and remote IP blocks in Dovecot; however, I cannot find
the Wiki page they are documented on. But see:
http://wiki2.dovecot.org/SSL/DovecotConfiguration
local means to match the local IP of the connection; remote matches the
remote end, aka the client IP address.

You could try to use ssl_require_client_cert as default and add a remote { 
} block, in which you disable that feature.

-- 
Steffen Kaiser

