[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail -> auth_ssl_require_client_cert problem

Christian Felsing hostmaster at taunusstein.net
Wed Mar 27 10:49:52 EET 2013


I would like to set up a Dovecot based mail system which uses X.509
Client Certificates for authentication. A webmail system based on Horde5
should use Dovecot as backend.

For now Dovecot works with client certificates issued by my CA and Horde
authenticates also with same client certs. Due to protocol it is
impossible to use client certs presented by user to Horde for
authentication at Dovecot, so Horde should be allowed to authenticate
itself without or an arbitrary password to Dovecot. Horde and Dovecot
are running in same protected LAN.

Unfortunately Dovecot does not support different authentication methods
on different IP addresses or ports. This does not work:

remote {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes


Result is "doveconf: Fatal: Error in configuration file
/opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
settings not supported inside local/remote blocks:

Replacing "auth_ssl_require_client_cert = no" by "ssl_verify_client_cert =
no" does not yield in an error, but it does nothing, Dovecot still
insists for a client certificate.

I afraid that I am trapped by this problem:

Is there any way to turn off client certs for specific local or remote
IP addresses?

best regards

More information about the dovecot mailing list