[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail -> auth_ssl_require_client_cert problem

Timo Sirainen tss at iki.fi
Sun Mar 31 11:29:49 EEST 2013

On 27.3.2013, at 10.49, Christian Felsing <hostmaster at taunusstein.net> wrote:

> I would like to set up a Dovecot based mail system which uses X.509
> Client Certificates for authentication. A webmail system based on Horde5
> should use Dovecot as backend.
> Unfortunately Dovecot does not support different authentication methods
> on different IP addresses or ports. This does not work:
> remote {
>  auth_ssl_require_client_cert = no
>  auth_ssl_username_from_cert = yes
>  disable_plaintext_auth = no
>  ssl = yes
> }
> Result is "doveconf: Fatal: Error in configuration file
> /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
> settings not supported inside local/remote blocks:
> auth_ssl_require_client_cert"

Right. Would be nice to support at some point, but not that easy to implement.

> Is there any way to turn off client certs for specific local or remote
> IP addresses?

In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
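Added example, not part of the original message or of Dovecot's own code: the suggestion above, written as a SQL passdb `password_query` and run against an in-memory SQLite table to show which logins get a row back. Assumptions: `%k` expands to the string `valid` for a verified client certificate and to an empty string otherwise, `192.0.2.10` is the webmail host, the `users` table is constructed, `expand()` is a stand-in for Dovecot's variable expansion, and `auth_ssl_require_client_cert` is left at `no` globally so the decision reaches the passdb.

```python
import re
import sqlite3

# password_query text in the style of a Dovecot SQL passdb. %u = username,
# %r = remote IP, %k = assumed "valid" when the client cert verified, else "".
# Assumption: 192.0.2.10 is the webmail host; the users table is made up.
PASSWORD_QUERY = (
    "SELECT userid AS user, password FROM users "
    "WHERE userid = '%u' AND ('%k' = 'valid' OR '%r' = '192.0.2.10')"
)

def expand(query, user, rip, cert_valid):
    """Stand-in for Dovecot's variable expansion (single pass, quotes doubled)."""
    values = {"%u": user, "%r": rip, "%k": "valid" if cert_valid else ""}
    return re.sub(r"%[urk]", lambda m: values[m.group(0)].replace("'", "''"), query)

def make_db():
    """Constructed in-memory user table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return db

def lookup(db, user, rip, cert_valid):
    """True when the passdb query returns a row, i.e. the login may proceed."""
    sql = expand(PASSWORD_QUERY, user, rip, cert_valid)
    return db.execute(sql).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    cases = [  # constructed login attempts: (user, remote IP, cert verified)
        ("alice", "192.0.2.10", False),   # webmail host, no certificate
        ("alice", "203.0.113.7", False),  # other client, no certificate
        ("alice", "203.0.113.7", True),   # other client, valid certificate
        ("bob", "192.0.2.10", True),      # unknown user
    ]
    for user, rip, cert in cases:
        outcome = "row" if lookup(db, user, rip, cert) else "no row"
        print(f"{user:6} {rip:12} cert={cert!s:5} -> {outcome}")
```

A returned row only lets the lookup proceed; the password check for the webmail path still happens afterwards.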
