Jean-Noël Chardron
2004-Dec-06 16:41 UTC
[Dovecot] imaps, certificate and authentification
Hello,

first, sorry for my poor English.

I'm doing the migration from UW-imap to Dovecot. I have two questions about authentication in the imaps (port 993) process.

In dovecot.conf I can enable (or disable) the different ports (pop, pops, imap, imaps) and maybe restrict access to the server by IP address.

Can I configure Dovecot in imaps so that it permits access if the certificate is known by the server?

Actually, this is the process to authenticate in UW-imap on imaps: the client connects to the server through an SSL tunnel (stunnel), and only if stunnel knows the certificate can the client connect.

And further, is it possible, when the client (with a certificate) connects to the server with imaps, to authenticate the user without prompting for the password, so that the authentication is through the certificate?

These are similar to functionality in the Apache server, with access restriction by location and authentication with a certificate.

Thanks
--
Jean-Noel
On 6.12.2004, at 18:41, Jean-Noël Chardron wrote:

> In dovecot.conf I can enable (or disable) the different ports (pop,
> pops, imap, imaps) and maybe restrict access to the server by
> IP address.
> Can I configure Dovecot in imaps so that it permits access if the
> certificate is known by the server?
> Actually, this is the process to authenticate in UW-imap on imaps:
> the client connects to the server through an SSL tunnel (stunnel), and
> only if stunnel knows the certificate can the client connect.

It's possible, but only in 1.0-tests:

    ssl_verify_client_cert = yes
    ssl_require_client_cert = yes

Are you already using it? I don't think most clients support it at all.

> And further, is it possible, when the client (with a certificate) connects
> to the server with imaps, to authenticate the user without prompting
> for the password, so that the authentication is through the certificate?

Not yet, but I somehow doubt many clients would work with it.
Jean-Noël Chardron
2004-Dec-07 11:03 UTC
[Dovecot] imaps, certificate and authentification
Timo Sirainen wrote:

> On 6.12.2004, at 18:41, Jean-Noël Chardron wrote:
>
>> In dovecot.conf I can enable (or disable) the different ports (pop,
>> pops, imap, imaps) and maybe restrict access to the server by
>> IP address.
>> Can I configure Dovecot in imaps so that it permits access if the
>> certificate is known by the server?
>> Actually, this is the process to authenticate in UW-imap on imaps:
>> the client connects to the server through an SSL tunnel (stunnel), and
>> only if stunnel knows the certificate can the client connect.
>
> It's possible, but only in 1.0-tests:
>
>     ssl_verify_client_cert = yes
>     ssl_require_client_cert = yes
>
> Are you already using it?

The version of Dovecot on my system is 0.99-11 (on Fedora Core 3). We shall go into production tonight. For imaps... I will be waiting for the next release...

> I don't think most clients support it at all.

Mozilla and Netscape do it, and maybe Evolution (I have to test Evolution).