[Dovecot] Question about Client Certificates

William Gallafent william at gallaf.net
Tue Oct 19 01:17:40 EEST 2010


Hi,

I have a simple dovecot installation, version 1.2.12 on Ubuntu 10.10.
I also have a straightforward newbie question! I've hunted in the wiki
and on the wider web, but not yet found a solution.

Current status: I have successfully configured imap with tls, accessed
on port 993, and for security require a valid client certificate to be
presented, using ssl_require_client_cert and ssl_verify_client_cert.
This is all working fine!

Now I want to add a SquirrelMail service to the same server. This will
connect using IMAP over port 143, without TLS. My question is: how do
I achieve this?

At the moment, I simply get the following in the logs:

Aborted login (cert required, client didn't start TLS): method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, secured

If I comment out the "ssl_require_client_cert = yes" in the auth
default section, SquirrelMail then works fine … but I can also connect
remotely without presenting a valid certificate, which is no good!

At the moment I have a single auth section in dovecot.conf, the "auth
default { ... }" section. I wondered if I need a second section, which
does not have the ssl requirement inside it. Is that right? If so, how
do I link one auth section to the imaps service, and the other to the
imap service (listening only on localhost)?

In other words, I want "ssl_require_client_cert = yes" for remote
connections (on port 993), but "ssl_require_client_cert = no" for
local connections using non-tls imap on port 143. Is this possible?

Hope that late-night explanation makes sense, and hope somebody can
point me in the right direction, thanks in advance!

-- 
Bill Gallafent.
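A practical check for the situation described in the question, added here as an example and not part of the original post or of Dovecot itself: while ssl_require_client_cert is disabled to let SquirrelMail in, the thing to watch for is any login (or login attempt) from a non-loopback client that never negotiated TLS, because that is exactly the unauthenticated-by-certificate path the poster wants closed. The script below parses imap-login lines in the shape the post quotes ("method=..., rip=..., lip=..., secured"/"TLS") and reports such events. The sample log lines are constructed for the example; only the first one is taken from the post.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample log. The first line is the one quoted in the post; the
# rest are made up to exercise the check (TLS remote login, local plaintext
# login, remote plaintext login, remote aborted attempt).
SAMPLE_LOG = """\
imap-login: Aborted login (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
imap-login: Login: user=<bill>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
imap-login: Login: user=<bill>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
imap-login: Login: user=<bill>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2
imap-login: Aborted login (cert required, client didn't start TLS): method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
"""

# "Login: ..." or "Aborted login (reason): ..." followed by comma-separated
# key=value fields plus bare flags such as "TLS" or "secured".
LOG_RE = re.compile(
    r"imap-login: (?P<event>Login|Aborted login(?: \((?P<reason>[^)]*)\))?): "
    r"(?P<fields>.*)$"
)


def parse_login_line(line: str) -> Optional[dict]:
    """Turn one imap-login log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = {}
    flags = set()
    for field in (f.strip() for f in m.group("fields").split(",")):
        if "=" in field:
            key, value = field.split("=", 1)
            kv[key] = value
        elif field:
            flags.add(field)
    return {
        "status": "login" if m.group("event") == "Login" else "aborted",
        "reason": m.group("reason"),
        "user": kv.get("user", "").strip("<>"),
        "method": kv.get("method"),
        "rip": kv.get("rip"),
        "lip": kv.get("lip"),
        "tls": "TLS" in flags,
        "secured": "secured" in flags,
    }


def is_remote(ip: str) -> bool:
    """Anything that is not a loopback address counts as a remote client."""
    return not ipaddress.ip_address(ip).is_loopback


def find_plaintext_remote(lines):
    """Return events from non-loopback clients that never negotiated TLS.

    A 'login' entry here means a remote client got in over the plaintext
    listener, i.e. without ever presenting a client certificate. An
    'aborted' entry is an attempt that Dovecot refused. 'secured' without
    TLS is still flagged, since it means the connection was trusted for a
    reason other than a certificate.
    """
    hits = []
    for line in lines:
        ev = parse_login_line(line)
        if ev and ev["rip"] and is_remote(ev["rip"]) and not ev["tls"]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_plaintext_remote(SAMPLE_LOG.splitlines()):
        print(f"{ev['status']:8} rip={ev['rip']} user={ev['user'] or '-'} "
              f"reason={ev['reason'] or '-'}")
```

Run it against the actual mail log (for example `dovecot.log` or the syslog facility Dovecot writes to) after relaxing the certificate requirement; any "login" line in the output means the port 143 listener is reachable from outside and the setup is not yet doing what the poster intends.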

