Uffe Jakobsen
2011-Jan-19 10:46 UTC
[Dovecot] courier-imap to dovecot-imap migration: missing TLS_TRUSTCERTS feature
Hi,

I'm attempting a one-to-one migration from courier-imap to dovecot-imap.

Current state:

The IMAP server has a self-signed certificate. Every client/user has a self-signed client certificate that is used for SSL/TLS client authentication. All certificates are self-signed "standalone" certificates - no CA hierarchy/structure is made.

With courier-imap we could just put every client certificate into a trusted cert file (or hashed directory for a larger number of clients) and courier-imap would check that through TLS_TRUSTCERTS.

I would like to keep the current approach and avoid the whole mini CA setup - that way I can also avoid reissuing new certs to all existing users.

Question: can a similar setup be achieved with dovecot-imap?

I've already made numerous attempts with no luck. As far as I can see dovecot-imap does not seem to implement the concept of checking trusted (self-signed standalone client) certs - even though it is based on OpenSSL like courier-imap is - but I may be wrong here.

I'm using dovecot-2.0.7 (from ports) on FreeBSD.

Thanks in advance.

Kind regards
Uffe Jakobsen
Timo Sirainen
2011-Feb-10 00:13 UTC
[Dovecot] courier-imap to dovecot-imap migration: missing TLS_TRUSTCERTS feature
On Wed, 2011-01-19 at 11:46 +0100, Uffe Jakobsen wrote:
> All certificates are self-signed "standalone" certificates - no CA
> hierarchy/structure is made.
>
> With courier-imap we could just put every client certificate into a
> trusted cert file (or hashed directory for a larger number of clients)
> and courier-imap would check that through TLS_TRUSTCERTS.
>
> I would like to keep the current approach and avoid the whole mini CA
> setup - that way I can also avoid reissuing new certs to all existing users.
>
> Question: can a similar setup be achieved with dovecot-imap?

Doesn't this work?

ssl_ca = </etc/dovecot/all-client-certs.pem
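As an added example (not from this thread or from the Dovecot project), the script below builds the single PEM bundle that the `ssl_ca = <file` answer relies on and checks client certs against it the way OpenSSL does: every self-signed cert in the trust file is its own trust anchor, so no CA hierarchy is needed. It assumes the openssl CLI is installed; the user names and the /etc/dovecot path are placeholders, and the Dovecot setting names it prints are 2.x names that should be confirmed with doveconf.

```shell
# Added example, not the thread's or Dovecot's own code. Needs the openssl CLI.

gen_self_signed() {  # $1 = user name, $2 = output dir; standalone cert + key, no CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

build_bundle() {  # concatenates the given client certs; skips any that a CA issued
  for c in "$@"; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
      echo "skipping $c: not self-signed (issuer: ${iss#issuer=})" >&2
      continue
    fi
    openssl x509 -in "$c"   # re-emits only the certificate block, never key material
  done
}

cert_is_trusted() {  # $1 = bundle, $2 = client cert; the same chain check Dovecot's OpenSSL runs
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

print_dovecot_conf() {  # $1 = bundle path; Dovecot 2.x setting names (assumed, confirm with doveconf -a)
  cat <<EOF
ssl = required
ssl_ca = <$1
ssl_verify_client_cert = yes
# standalone certs have no CRL; the default ssl_require_crl = yes would reject every client
ssl_require_crl = no
EOF
}

# Demo with constructed users; in production the .crt files come from the users.
tmp=$(mktemp -d)
gen_self_signed alice "$tmp"
gen_self_signed bob "$tmp"
build_bundle "$tmp/alice.crt" > "$tmp/all-client-certs.pem"   # bob is not enrolled
for u in alice bob; do
  if cert_is_trusted "$tmp/all-client-certs.pem" "$tmp/$u.crt"; then
    echo "$u: accepted"
  else
    echo "$u: rejected"
  fi
done
print_dovecot_conf /etc/dovecot/all-client-certs.pem
```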