Disable Client Certificate Authentication for Unencrypted Connections?

Axel Luttgens axel.luttgens at skynet.be
Wed Jan 27 21:55:01 UTC 2016


> On 25 Jan 2016, at 13:02, Haravikk wrote:
> 
> […]
> 
> Since dovecot is also providing authentication to postfix I’ve already created an exemption from the client certificate requirement for SMTP connections by doing the following:
> 
> protocol !smtp {
> 	ssl_ca = </path/to/ca.pem
> 	ssl_verify_client_cert = yes
> 	auth_ssl_require_client_cert = yes
> }
> 
> However, I’m not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I’ve already added the local network to the trusted networks list, so that Roundcube can use plaintext authentication; can I limit client certificate support in a similar way?

Hello Haravikk,

Perhaps you could try to devise an exception based on one (or more) "remote" section(s), as in:

	remote ip.of.webmail.server {
		ssl_verify_client_cert = no
		[other settings, if needed]
	}

But I guess you would need to combine this with inner protocol blocks, and probably replace the "protocol !smtp" block with less general settings.

HTH,
Axel


