[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail -> auth_ssl_require_client_cert problem

Christian Felsing hostmaster at taunusstein.net
Sun Mar 31 15:47:35 EEST 2013


Hi Timo,

thank you for that hint.

SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users
WHERE userid = '%u'
does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:

password_query = SELECT MD5('%w') AS password, userid AS user FROM users
WHERE (userid = '%u') and (('%k' = 'valid')  or ('%r' = '192.168.116.30'));

so Dovecot accepts any password provided by user. This solution works
now for users which are directly using imap or pop3 _and_ for users
which are using Horde webmail frontend backed by Dovecot. This is now a
configuration which does not need any passwords stored on server which
provides IMHO more security.

best regards
Christian


On 31.03.2013 10:29, Timo Sirainen wrote:
>> Is there any way to turn off client certs for specific local or remote
>> IP addresses?
> 
> In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
> 
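
Added example, not part of the original post or of Dovecot's code: the posted password_query evaluated against a constructed SQLite users table, showing which combinations of certificate state (%k) and remote IP (%r) end in an accepted login. The MD5 helper, the sample user "alice", the 203.0.113.7 address and the hex-MD5 comparison are assumptions; bound parameters stand in for Dovecot's variable substitution.

```python
import hashlib
import sqlite3

# Constructed stand-in for the users table; only userid matters to the query.
db = sqlite3.connect(":memory:")
db.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY)")
db.execute("INSERT INTO users VALUES ('alice')")

WEBMAIL_IP = "192.168.116.30"  # address taken from the post's query

# Same logic as the posted password_query; bound parameters stand in for
# Dovecot's %w (password), %u (user), %k (cert state), %r (remote IP).
QUERY = """
SELECT MD5(:w) AS password, userid AS user FROM users
WHERE (userid = :u) AND ((:k = 'valid') OR (:r = :webmail))
"""

def passdb_accepts(user, password, cert_state, remote_ip):
    """Return True if the lookup yields a row whose hash matches the password."""
    row = db.execute(QUERY, {"w": password, "u": user, "k": cert_state,
                             "r": remote_ip, "webmail": WEBMAIL_IP}).fetchone()
    if row is None:
        return False  # no row: unknown user, or neither condition held
    # Assumption: the returned value is compared as a hex MD5 of the supplied
    # password, so the comparison always succeeds once a row exists.
    return row[0] == hashlib.md5(password.encode()).hexdigest()

def decision_table():
    """Evaluate four constructed login attempts against the query."""
    cases = [
        ("alice", "anything", "valid", "203.0.113.7"),  # cert, outside IP
        ("alice", "anything", "", WEBMAIL_IP),          # no cert, webmail host
        ("alice", "anything", "", "203.0.113.7"),       # no cert, outside IP
        ("bob", "anything", "valid", "203.0.113.7"),    # user not in table
    ]
    return [(case, passdb_accepts(*case)) for case in cases]

if __name__ == "__main__":
    for case, accepted in decision_table():
        print(case, "->", "accept" if accepted else "reject")
```

The result depends only on the certificate state and the source address, never on the password value, so every connection from 192.168.116.30 is accepted as whichever existing user it names.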


