[Dovecot] Problem with requiring client certificates for external connections

Frank Crawford frank at crawford.emu.id.au
Wed Dec 29 05:56:12 EET 2010


Oh well, since I didn't get a response to this query, I might try a
related one.

What is the definition for the "remote" command, where should it be used
and what commands can be used within it?

Is it documented anywhere?

This is for dovecot 2.0.8, with a configuration as listed below.

Thanks
Frank

On Sun, 2010-12-19 at 13:12 +1100, Frank Crawford wrote:
> Folks,
> 	I'm trying to configure my dovecot installation to require client
> certificates for external/Internet connections, while still allowing my
> local network to not need certificates.
> 
> 	This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
> tried to use the "remote" block to give different definitions for my
> local network vs the defaults.  While most options seem to be set fine,
> if I set "auth_ssl_require_client_cert" to yes as the default, and reset
> it to no for my local network, dovecot still requests a client
> certificate and fails as one is not supplied.
> 
> 	Am I correct that it can be reset in a "remote" block, or is it treated
> differently to other options?  In fact do I have the configuration
> correct, as there doesn't really seem to be anything documenting
> "remote" or "remote_ip" or related items for Dovecot 2.
> 
> 	Related to this, much of the documentation states that the variable is
> "ssl_require_client_cert", which seems to be accepted but ignored, vs
> "auth_ssl_require_client_cert" which does have some effects.
> 
> 	Also, in the configuration dump, it duplicates the netmask.
> 
> 	The configuration is below, as generated with "dovecot -n".
> 
> Regards
> Frank
> 
> # 2.0.8: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
> auth_ssl_require_client_cert = yes
> mail_location = maildir:/var/spool/maildir/%u
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> postmaster_address = postmaster at crawford.emu.id.au
> ssl = required
> ssl_ca = </etc/pki/CA/cacert.pem
> ssl_cert = </etc/pki/tls/certs/dovecot.crt
> ssl_key = </etc/pki/tls/private/dovecot.key
> ssl_verify_client_cert = yes
> userdb {
>   driver = passwd
> }
> protocol pop3 {
>   pop3_uidl_format = %v.%u
> }
> remote 203.16.204.0/24/24 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
> remote fdd2:7aad:d478:1::/64/64 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
> remote 2001:44b8:62:140::/64/64 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
> 
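An added example, not part of the post or of Dovecot itself: a small checker for `dovecot -n` output that flags the two things reported above, a netmask duplicated in a `remote` header (which is no longer a parseable network) and an `auth_*` override placed inside a `remote` block (which the post observes has no effect). It assumes a dump with the shape shown above; the sample input is constructed.

```python
import ipaddress

# Constructed sample modelled on the dovecot -n dump in the post.
SAMPLE = """\
auth_ssl_require_client_cert = yes
ssl = required
ssl_verify_client_cert = yes
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  ssl = no
}
remote 192.0.2.0/24 {
  ssl = no
}
"""

def parse(text):
    """Split a dovecot -n dump into {block_header: {key: value}}; None is the global scope."""
    blocks = {None: {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):            # start of a remote/local/protocol/... block
            current = line[:-1].strip()
            blocks[current] = {}
        elif line == "}":
            current = None
        elif "=" in line:                 # continuation lines without '=' are skipped
            key, _, value = line.partition("=")
            blocks[current][key.strip()] = value.strip()
    return blocks

def check(text):
    """Return a list of findings for remote blocks in the dump."""
    findings = []
    for header, settings in parse(text).items():
        if header is None or not header.startswith("remote "):
            continue
        net = header.split(None, 1)[1]
        # A duplicated mask such as 203.16.204.0/24/24 is not a valid network.
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"{header}: malformed network {net!r}")
        # The post reports that an auth_* override in a remote block did not take effect.
        for key in settings:
            if key.startswith("auth_"):
                findings.append(f"{header}: {key} override may be ignored")
    return findings
```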