dovecot - Aug 2009 - require SSL certs only for encrypted connections?

# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.28-14-server x86_64 Ubuntu 9.04

Here's the situation:
I have several local clients (Thunderbird) which do not use TLS at all. 
It's plaintext completely, on port 143, because the connection is local 
and there are no unauthorized users on this network (it's a home 
network). I want to keep it that way to keep things simple.

Tools / Account Settings / Server Settings:
Use Secure Connection: Never
Use Secure Authentication: unchecked

Until now, this has worked very well. No problems so far.

But now I am also setting up IMAPS for remote iPhone clients, with 
client/server certificates. This is how I generated the certs:

http://impetus.us/~rjmooney/projects/misc/clientcertauth.html

On the iPhone I uploaded the client.crt file (couldn't import client.p12 
for some reason). For Dovecot I am using ca.crt, server.crt and server.key.

ssl_listen: *:993
ssl_disable: no
ssl_ca_file: /blah/ca.crt
ssl_cert_file: /blah/server.crt
ssl_key_file: /blah/server.key
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_cert_username_field: commonName
ssl_verify_client_cert: yes
disable_plaintext_auth: no
auth default:
   mechanisms: plain login
   ssl_require_client_cert: no
   ssl_username_from_cert: no

I analyzed the connection on 993 with Wireshark and apparently all is 
good: it's encrypted, I see the certificate exchanges taking place.

But I am worried about authenticating the connections from the iPhone 
and I would like to configure "ssl_require_client_cert: yes" so that a
valid certificate is always required. But if I do that then Thunderbird 
fails to login because it's required a certificate.

This is puzzling. I thought that setting would only influence SSL 
connections. But apparently it also affects plaintext logins from 
Thunderbird.

Is there a way to require a cert from the iPhone TLS connections on port 
993, but do not require it from clients connecting to port 143?

-- 
Florin Andrei

http://florin.myip.org/

On Thu, 2009-08-20 at 18:30 -0700, Florin Andrei wrote:
> # 1.1.11: /etc/dovecot/dovecot.conf
..
> Is there a way to require a cert from the iPhone TLS connections on port 
> 993, but do not require it from clients connecting to port 143?
Not that easily.. A few possibilities:

a) Run two different Dovecots with two different config files.

b) Upgrade to v1.2 and use SQL passdb and check %c and %k variables.
http://wiki.dovecot.org/Variables

Hmm. Maybe the setting could have a new "with-ssl" option or
something..

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090824/fa9acb59/attachment-0002.bin>

Timo Sirainen wrote:
> 
> Hmm. Maybe the setting could have a new "with-ssl" option or
something..
That would be awesome. If I'm not mistaken, it's a pretty common 
situation to use certs on SSL but not require them on non-SSL. Kind of 
makes sense to me at least.

Any chance to add something like this to the 1.1 series?

-- 
Florin Andrei

http://florin.myip.org/

Timo Sirainen wrote:
> On Thu, 2009-08-20 at 18:30 -0700, Florin Andrei wrote:
>> # 1.1.11: /etc/dovecot/dovecot.conf
> ..
>> Is there a way to require a cert from the iPhone TLS connections on
port
>> 993, but do not require it from clients connecting to port 143?
> 
> Not that easily.. A few possibilities:
> 
> a) Run two different Dovecots with two different config files.
I'll try and figure out this one. Hopefully there's an easy way to do 
it, and hopefully the two instances won't create conflicts.

Ubuntu 9.04 (which is the current latest) comes with v1.1.11 and I want 
to keep the admin effort at a minimum (I manage the system in my spare 
time - which is pretty scarce), so compiling / installing other versions 
is not desirable.

-- 
Florin Andrei

http://florin.myip.org/