Konstantin Khomoutov
2016-Sep-02 11:49 UTC
Force SSL/TLS and client certificate checking only for connections from Internet
(Please CC me if possible.)

I have Dovecot 2.2.13 (shipped with Debian 8 "Jessie") serving IMAP for a small organization. It's connected both to the Internet and to that organization's LAN. I'd like Dovecot to have rather tight security requirements for connections made from the Internet and reasonably lax requirements for the LAN clients.

Due to Dovecot authenticating users against an LDAP database which is also used for logging into the users' machines, we have to use somewhat weak passwords (randomly generated but short) for most users. Because of this I want to:

* Mandate the usage of TLS for the connections made from the Internet;
* Require the clients to present their SSL certificates, and
* Verify the validity of these certificates.

The certificates are issued by our own CA, so it's not a problem to verify them.

The first iteration was to set

  ssl = required

and

  disable_plaintext_auth = yes

which I then overrode with a "remote" section for LAN connections:

  remote 192.168.0.0/16 {
    disable_plaintext_auth = no
    ssl = yes
  }

The next iteration was to actually enable verification of the client certificates. I have set the "ssl_ca" variable appropriately, then

  ssl_require_crl = yes
  ssl_verify_client_cert = yes

and

  auth_ssl_require_client_cert = yes

Then I went on and attempted to override the latter two settings for the LAN clients by appending them to my special "remote" section so that it read:

  remote 192.168.0.0/16 {
    disable_plaintext_auth = no
    ssl = yes
    ssl_verify_client_cert = no
    auth_ssl_require_client_cert = no
  }

But after restart Dovecot complained that I cannot use the "auth_ssl_require_client_cert" setting in a "remote" section. I have removed it in the hope that still having ssl_verify_client_cert = no there would inhibit SSL certificate checks for the LAN clients, but apparently it did not.
So, to recap:

* I need to have tight TLS settings for the clients connecting from the Internet:
  - TLS is required;
  - The client must present a valid certificate (issued by a CA we control).
* LAN clients should use relaxed security settings: TLS is okay but that's all.

How do I go about setting this?

(On a side note, I can supposedly get away with installing stunnel and making it proxy IMAP and IMAPS connections to Dovecot -- at least from the documentation, it appears stunnel supports IMAP+STARTTLS -- but I would rather have all this handled solely by Dovecot.)
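As an added example that is not part of the original post (and not Dovecot's or the poster's code), here is a small Python probe for checking, from outside Dovecot, whether the split described above is actually in effect: it connects to the IMAP port from a chosen local source address, records what the server allows before STARTTLS (Dovecot advertises LOGINDISABLED on the clear connection when plaintext auth is disabled), upgrades to TLS with or without a client certificate, and reports whether a login is then accepted. The host name, source addresses, file paths, credentials and the two sample greetings are assumptions or constructed samples, not captured from the poster's server.

```python
# Added example: probe an IMAP server's STARTTLS / client-certificate policy
# from a chosen source address. Not from the original post; the addresses,
# paths and sample greetings below are assumptions / constructed samples.
import imaplib
import socket
import ssl

# Constructed sample greetings in the shape Dovecot sends before STARTTLS.
# With disable_plaintext_auth = yes the clear connection advertises
# LOGINDISABLED and no AUTH= mechanism; a lax server advertises AUTH=PLAIN.
SAMPLE_GREETING_LAX = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS AUTH=PLAIN] Dovecot ready."
)
SAMPLE_GREETING_TIGHT = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS LOGINDISABLED] Dovecot ready."
)


def parse_capabilities(greeting: str) -> set:
    """Extract the CAPABILITY list embedded in an IMAP greeting or response."""
    start = greeting.find("[CAPABILITY ")
    if start < 0:
        return set()
    end = greeting.find("]", start)
    if end < 0:
        return set()
    return set(greeting[start + len("[CAPABILITY "):end].split())


def plaintext_policy(greeting: str) -> dict:
    """Classify what the server permits on the still-unencrypted connection."""
    caps = parse_capabilities(greeting)
    return {
        "starttls_offered": "STARTTLS" in caps,
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
        "plaintext_sasl_mechs": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }


class SourceBoundIMAP4(imaplib.IMAP4):
    """imaplib.IMAP4 that binds the client socket to a chosen local address, so
    the same probe can be run as a "LAN" or an "Internet" client (assuming the
    probing host has an address in each network)."""

    def __init__(self, host, port=143, source_ip=None):
        self._source_ip = source_ip
        super().__init__(host, port)

    def _create_socket(self, timeout=None):
        src = (self._source_ip, 0) if self._source_ip else None
        return socket.create_connection((self.host, self.port), timeout,
                                        source_address=src)


def probe(host, port=143, source_ip=None, ca_file=None, client_cert=None,
          credentials=None):
    """Connect, STARTTLS with an optional client certificate, then try to log in.

    client_cert: optional (cert_path, key_path); credentials: optional
    (user, password). Returns a dict of what the server permitted at each step;
    a policy refusal is reported in the dict rather than raised.
    """
    result = {}
    conn = SourceBoundIMAP4(host, port, source_ip)
    result["clear"] = plaintext_policy(conn.welcome.decode("ascii", "replace"))

    # Verify the server against our own CA; offer a client cert only if given one.
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        conn.starttls(ctx)
        result["tls_established"] = True
    except (ssl.SSLError, imaplib.IMAP4.error) as exc:
        # e.g. handshake refused because the server insists on a client cert
        result["tls_established"] = False
        result["tls_error"] = str(exc)
        try:
            conn.shutdown()
        except OSError:
            pass
        return result

    if credentials:
        try:
            conn.login(*credentials)  # auth_ssl_require_client_cert bites here
            result["login_accepted"] = True
        except imaplib.IMAP4.error as exc:
            result["login_accepted"] = False
            result["login_error"] = str(exc)
    conn.logout()
    return result


if __name__ == "__main__":
    # Hypothetical server, source addresses, CA path and account.
    for label, src in (("lan", "192.168.1.50"), ("internet", "203.0.113.7")):
        print(label, probe("imap.example.org", source_ip=src,
                           ca_file="/etc/ssl/certs/our-ca.pem",
                           credentials=("alice", "secret")))
```

Run it once with no client_cert and once with the CA-issued cert from each vantage point: the "internet" run without a certificate should end in login_accepted = False (or no TLS session at all), the "lan" run should succeed either way, and the "clear" entry shows whether plaintext login is still being advertised where it should not be.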