Martin Lambers
2007-Aug-24 21:57 UTC
[Dovecot] Authentication using only TLS client certificates
Hi!

I'd like to configure dovecot to use only TLS client certificates for authentication. After the user presented a client certificate and that certificate was verified, no password-based authentication should be necessary anymore.

Is this currently possible? Or would this require support for the SASL EXTERNAL mechanism?

Regards,
Martin
Timo Sirainen
2007-Aug-25 22:41 UTC
[Dovecot] Authentication using only TLS client certificates
On Fri, 2007-08-24 at 23:57 +0200, Martin Lambers wrote:
> Hi!
>
> I'd like to configure dovecot to use only TLS client certificates for
> authentication. After the user presented a client certificate and that
> certificate was verified, no password-based authentication should be
> necessary anymore.
>
> Is this currently possible? Or would this require support for the SASL
> EXTERNAL mechanism?

Pretty much all clients still want to send username and password. You could have Dovecot get the username from the certificate (ssl_username_from_cert=yes) and allow it to authenticate with any password. Easiest way to do that would be to use a SQL passdb:

    password_query = select null as password, 'Y' as nopassword

With a SQLite backend it wouldn't need even a server.
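
Added example, not part of the original thread and not taken from the Dovecot project: the setup described in the reply above, written out as configuration with Dovecot 1.x setting names (in Dovecot 2.x the two auth settings are spelled auth_ssl_require_client_cert and auth_ssl_username_from_cert). All file paths, the passwd userdb, and the ssl_verify_client_cert and ssl_require_client_cert lines are assumptions beyond what the message states. The last of these is what makes the password-less passdb acceptable, because it makes authentication fail unless a verified client certificate was presented.

```conf
# ---- dovecot.conf (Dovecot 1.x names; all paths are assumed) ----

# Server's own certificate and key.
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

# CA that issues the client certificates; Dovecot requests a client
# certificate during the TLS handshake and verifies it against this CA.
ssl_ca_file = /etc/ssl/certs/client-ca.pem
ssl_verify_client_cert = yes

auth default {
  # Clients still send a username and password, so PLAIN stays enabled.
  mechanisms = plain

  # Fail authentication unless a valid client certificate was presented.
  # Without this line the nopassword passdb below would accept any
  # password for any username, certificate or not.
  ssl_require_client_cert = yes

  # Take the login name from the verified certificate instead of from
  # what the client typed.
  ssl_username_from_cert = yes

  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }

  # Assumption: mail users are system accounts.
  userdb passwd {
  }
}

# ---- /etc/dovecot/dovecot-sql.conf ----

# SQLite needs no server process. The query reads no table, so the
# database file only has to exist.
driver = sqlite
connect = /etc/dovecot/authdb.sqlite

# Query from the reply above: no stored password, and nopassword tells
# Dovecot to skip the password comparison.
password_query = SELECT NULL AS password, 'Y' AS nopassword
```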