Haravikk
2016-Jan-29 13:00 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
> On 27 Jan 2016, at 21:55, Axel Luttgens <axel.luttgens at skynet.be> wrote: > > Hello Haravikk, > > Perhaps could you try to devise an exception based on one (or more) "remote" section(s), as in: > > remote ip.of.webmail.server { > ssl_verify_client_cert = no > [other settings, if needed] > } > > But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings. > > HTH, > AxelThanks for the suggestion! Unfortunately the problem seems to be auth_ssl_require_client_cert; it can only be added to protocol blocks not to local or remote ones. Turning off ssl_verify_client_cert doesn?t seem to prevent dovecot from requiring a certificate if auth_ssl_require_client_cert is enabled (it may even force ssl_verify_client_cert to on implicitly, I?m not sure). It?s annoying because at present it seems like my only option would be to limit client certificates to POP3 and use that in my mail clients, allowing me to disable client certificates for IMAP to keep it free for Roundcube to use exclusively, but that?s not really an option.
Haravikk
2016-Feb-02 11:09 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
So I still haven?t found a way to require client certificates only for port 993/IMAPS while leaving unencrypted IMAP open for local, trusted, services. Is there really no way to do this? I just found out how to do the same thing for postfix (turns out it?s fairly easy, just a matter of adding the settings in the right parts of master.cf instead of main.cf), allowing me to restrict client certificate verification to port 587 (I don?t accept port 465) without interfering with incoming mail server connections on port 25.> On 29 Jan 2016, at 13:00, Haravikk <dovecot at haravikk.me> wrote: > >> >> On 27 Jan 2016, at 21:55, Axel Luttgens <axel.luttgens at skynet.be> wrote: >> >> Hello Haravikk, >> >> Perhaps could you try to devise an exception based on one (or more) "remote" section(s), as in: >> >> remote ip.of.webmail.server { >> ssl_verify_client_cert = no >> [other settings, if needed] >> } >> >> But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings. >> >> HTH, >> Axel > > Thanks for the suggestion! > > Unfortunately the problem seems to be auth_ssl_require_client_cert; it can only be added to protocol blocks not to local or remote ones. Turning off ssl_verify_client_cert doesn?t seem to prevent dovecot from requiring a certificate if auth_ssl_require_client_cert is enabled (it may even force ssl_verify_client_cert to on implicitly, I?m not sure). > > It?s annoying because at present it seems like my only option would be to limit client certificates to POP3 and use that in my mail clients, allowing me to disable client certificates for IMAP to keep it free for Roundcube to use exclusively, but that?s not really an option.
Timo Sirainen
2016-Feb-02 12:19 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
On 02 Feb 2016, at 13:09, Haravikk <dovecot at haravikk.me> wrote:> > So I still haven?t found a way to require client certificates only for port 993/IMAPS while leaving unencrypted IMAP open for local, trusted, services. > > Is there really no way to do this? I just found out how to do the same thing for postfix (turns out it?s fairly easy, just a matter of adding the settings in the right parts of master.cf instead of main.cf), allowing me to restrict client certificate verification to port 587 (I don?t accept port 465) without interfering with incoming mail server connections on port 25.If you really want to do it, you could do it something like this (not tested - probably needs some additions/changes): # no 993 port for this imap-login service imap-login { inet_listener imaps { port = 0 } } # create a duplicate 993 service service imap-login-ssl { executable = imap-login login-ssl chroot = login user = $default_login_user # add other settings similarly as to service imap-login inet_listener imaps { port = 993 } } # create a separate auth master process for port 993 service auth-ssl { executable = auth -o auth_ssl_require_client_cert=yes # add other settings similarly as to service auth unix_listener login/login-ssl { mode = 0666 } }
Possibly Parallel Threads
- Disable Client Certificate Authentication for Unencrypted Connections?
- Disable Client Certificate Authentication for Unencrypted Connections?
- New log entries with 2.0.19?
- dovecot index errors since 2.1.12
- Dovecot 2.0.9: Thunderbird 3.1.9: Very slow while open sent folder with many (4k>) mails