dovecot - Oct 2008 - mixed client ssl certs and non cert

How do I setup mixed authentication so that I can have say a couple of 
machines on my lan only use ssl without client certs, but have all the other 
machines connecting from remotely required to have ssl certs to connect to 
imap?

This is with Dovecot 1.1.4 on CentOS 5.2
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)

On Thu, 2008-10-23 at 09:54 -0700, Harondel J. Sibble
wrote:
> How do I setup mixed authentication so that I can have say a couple of 
> machines on my lan only use ssl without client certs, but have all the
other
> machines connecting from remotely required to have ssl certs to connect to 
> imap?
So:

a) If client sent a valid SSL client cert, let it log in.

b) If client didn't send a valid SSL client cert, but it's from a
specific network, let it log in.

Right? It's not possible with v1.1, but I just added code to v1.2 tree
that would make it possible:
http://hg.dovecot.org/dovecot-1.2/rev/d49aa6720fb2

This would allow you to check the client cert status using %k variable.
Then if you used SQL passdb you could construct a query based on it,
e.g. with MySQL:

password_query = select user, password, \
  if('%k' = 'valid', NULL, '192.168.0.0/24') as
allow_nets \
  from users where ...

So allow_nets would be set only if a valid client cert hadn't been sent.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20081023/9256120b/attachment-0002.bin>