[Dovecot] mixed client ssl certs and non cert
Timo Sirainen
tss at iki.fi
Thu Oct 23 20:39:29 EEST 2008
On Thu, 2008-10-23 at 09:54 -0700, Harondel J. Sibble wrote:
> How do I setup mixed authentication so that I can have say a couple of
> machines on my lan only use ssl without client certs, but have all the other
> machines connecting from remotely required to have ssl certs to connect to
> imap?
So:
a) If client sent a valid SSL client cert, let it log in.
b) If client didn't send a valid SSL client cert, but it's from a
specific network, let it log in.
Right? It's not possible with v1.1, but I just added code to v1.2 tree
that would make it possible:
http://hg.dovecot.org/dovecot-1.2/rev/d49aa6720fb2
This would allow you to check the client cert status using %k variable.
Then if you used SQL passdb you could construct a query based on it,
e.g. with MySQL:
password_query = select user, password, \
if('%k' = 'valid', NULL, '192.168.0.0/24') as allow_nets \
from users where ...
So allow_nets would be set only if a valid client cert hadn't been sent.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20081023/9256120b/attachment.bin
More information about the dovecot
mailing list