<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi All,</p>
<p> I hope this is the correct place to post this. If not,
apologies.<br>
</p>
<p> I am in the process of updating my company's email servers and
am trying to put Dovecot into an Alpine Linux container, hosted on
Proxmox.</p>
<p>In my setup, local mail deliveries via LMTP can come from the MSA
(for intra-company mail) and an MTA (for inbound mail).</p>
<p>The LMTP data is sent over IPv4 and is protected by TLS. Client
certificates are used to authenticate sources.<br>
</p>
<p>I wanted to prevent Dovecot from accepting LMTP from any other
source and the method I came up with to do this was to use
filtering on the "remote" address.</p>
<p>I would create a "Fake" CA that had never signed a certificate
and use that to evaluate the certificate presented by incoming
connections from addresses other than the two legitimate sources.</p>
<p>This would cause all connections from "bad" addresses to be
rejected. This seemed simple enough on paper but Dovecot just
isn't playing along. <br>
</p>
<p><br>
</p>
<p>It seems that no matter what I do, I cannot get "remote"
filtering to switch the "ssl_ca" parameter. I have put together a
test bed to demonstrate.</p>
<p>I then use openssl s_client to attempt to connect to the test bed
container.</p>
<p>I've attached the instructions to build the test bed from
scratch. </p>
<p>In all cases s_client reports "Acceptable client certificate CA
names"<br>
"CN = Fake CA"</p>
<p>I.e. it wants a certificate from the CA that has never signed a
certificate and never will.</p>
<p><br>
</p>
<h3>Why not do the obvious thing?</h3>
<p>I use LDAP to authenticate individual users and the user name
will be reported over LMTP. <br>
</p>
<p>So to use the normal authentication mechanisms to authenticate
the connection source, I would need to do two LDAP lookups, one
for the connecting machine and one for the mail recipient.</p>
<p>It is not clear if this is possible from the documentation.</p>
<h1><b>Questions:</b></h1>
<p>Is config file filtering broken or am I doing it wrong?</p>
<p>Is it possible to provide a different "ssl_ca" based on the
remote IP address?<br>
</p>
<p>Is there an easier way to restrict LMTP connections to specific
remote IP addresses?</p>
<p><br>
</p>
<p>p.s.</p>
<p>Filtering just doesn't work like it's supposed to. Someone should
look at that (especially multi-level).</p>
<p>See this:
<a class="moz-txt-link-freetext" href="https://dovecot.org/pipermail/dovecot/2016-June/104770.html">https://dovecot.org/pipermail/dovecot/2016-June/104770.html</a></p>
<p> Any help would be greatly appreciated. I am at my wits' end
with this.</p>
<p><br>
</p>
</body>
</html>