Disable Client Certificate Authentication for Unencrypted Connections?

Timo Sirainen tss at iki.fi
Tue Feb 2 12:19:37 UTC 2016


On 02 Feb 2016, at 13:09, Haravikk <dovecot at haravikk.me> wrote:
> 
> So I still haven’t found a way to require client certificates only for port 993/IMAPS while leaving unencrypted IMAP open for local, trusted, services.
> 
> Is there really no way to do this? I just found out how to do the same thing for postfix (turns out it’s fairly easy, just a matter of adding the settings in the right parts of master.cf instead of main.cf), allowing me to restrict client certificate verification to port 587 (I don’t accept port 465) without interfering with incoming mail server connections on port 25.

If you really want to do it, you could do it something like this (not tested - probably needs some additions/changes):

# no 993 port for this imap-login
service imap-login {
  inet_listener imaps {
    port = 0
  }
}

# create a duplicate 993 service
service imap-login-ssl {
  executable = imap-login login-ssl
  chroot = login
  user = $default_login_user
  # add other settings similarly as to service imap-login
  inet_listener imaps {
    port = 993
  }
}

# create a separate auth master process for port 993
service auth-ssl {
  executable = auth -o auth_ssl_require_client_cert=yes
  # add other settings similarly as to service auth
  unix_listener login/login-ssl {
    mode = 0666
  }
}



More information about the dovecot mailing list