Disable Client Certificate Authentication for Unencrypted Connections?

Haravikk dovecot at haravikk.me
Mon Jan 25 12:02:51 UTC 2016


I’m using dovecot to provide encrypted IMAP e-mail support for remote clients and it’s working great. However, I also need to set up a webmail front-end (Roundcube), which I’m hoping to have use unencrypted IMAP on port 143 (as only port 993 is available externally).

The problem I’m running into is that I want to require client certificate authentication on port 993, but dovecot is apparently requiring a certificate on all connections, which is preventing Roundcube from connecting.

Since dovecot is also providing authentication to postfix I’ve already created an exemption from the client certificate requirement for SMTP connections by doing the following:

protocol !smtp {
	ssl_ca = </path/to/ca.pem
	ssl_verify_client_cert = yes
	auth_ssl_require_client_cert = yes
}

However, I’m not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I’ve already added the local network to the trusted networks list, so that Roundcube can use plaintext authentication. Can I limit client certificate support in a similar way?

Thanks,
Haravikk

