William Gallafent
2012-May-29 14:09 UTC
[Dovecot] Different SSL requirements for connections on different ports?
Hi All,

I'm running dovecot 2.0.19.

I currently have remote users accessing mail using IMAP over SSL, with their client certificates being both required and verified. I do this using "ssl = required" and "ssl_verify_client_cert = yes".

I would now like to add a webmail front-end (squirrelmail) running on the same server. In order to achieve this I would like to have squirrelmail connecting locally using IMAP, but without the certificate requirement. I'm happy to use the standard IMAP port for this, since that port is firewalled so that only localhost has access.

Do I need to run two separate dovecot instances in order to achieve this, or can I somehow configure different SSL requirements for the two ports? Is there a way to have the ssl directives I mention above active only for a certain port (or for certain hosts, i.e. non-local?)

I've been looking around in the documentation, but I haven't yet worked out how to do this other than by having two separate dovecot instances running, with the different auth configurations. Is that the best approach, or can I get it working with only one instance?

Thanks for any help!

-- 
Bill Gallafent.
Timo Sirainen
2012-May-29 15:55 UTC
[Dovecot] Different SSL requirements for connections on different ports?
On Tue, 2012-05-29 at 15:09 +0100, William Gallafent wrote:
> Hi All,
>
> I'm running dovecot 2.0.19.
>
> I currently have remote users access mail using IMAP over SSL, with
> their client certificates being both required and verified. I do this
> using "ssl = required" and "ssl_verify_client_cert = yes".

And I guess you also have auth_ssl_require_client_cert=yes.

> I would now like to add a webmail front-end (squirrelmail) running on
> the same server. In order to achieve this I would like to have
> squirrelmail connecting locally using IMAP, but without the
> certificate requirement. I'm happy to use the standard IMAP port for
> this, since that port is firewalled so that only localhost has access.
>
> Do I need to run two separate dovecot instances in order to achieve
> this, or can I somehow configure different SSL requirements for the
> two ports? Is there a way to have the ssl directives I mention above
> active only for a certain port (or for certain hosts, i.e. non-local?)

You could work around ssl=required by setting the webmail's IP to login_trusted_networks, but it won't get around requiring a valid SSL cert. For that you'd need to put it inside remote <IP> {} block, but unfortunately you can't currently change auth settings for specific IPs. So for now you'd need to run two Dovecot instances.
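The two-instance setup Timo recommends, written out as an added example (this is not configuration from the original thread, from Timo, or from the Dovecot project). It uses Dovecot 2.0 setting names; the certificate/key paths, the `conf.d/` include layout, the instance name `webmail` and the `base_dir` are assumptions, and the shared `conf.d/*.conf` files are assumed to carry only the common auth, userdb and mail_location settings so that each instance file can set its own listeners and SSL policy after the include (a later setting overrides an earlier one). The remote-facing instance keeps `ssl = required` plus both the TLS-layer check (`ssl_verify_client_cert`) and the auth-layer check (`auth_ssl_require_client_cert`), and drops its plaintext listener altogether, so the client-cert requirement cannot be sidestepped by connecting to port 143 on the public address. The second instance binds only to 127.0.0.1:143 for squirrelmail, so it stays unreachable from outside even if the firewall rule is ever lost.

```conf
# ---------------------------------------------------------------
# Instance 1: /etc/dovecot/dovecot.conf  (existing, remote-facing)
# Added example config; paths below are assumptions.
# ---------------------------------------------------------------
!include conf.d/*.conf          # shared auth / userdb / mail_location only

protocols = imap

service imap-login {
  inet_listener imap {
    port = 0                    # disable plaintext IMAP on this instance
  }
  inet_listener imaps {
    port = 993
  }
}

ssl = required
ssl_cert = </etc/ssl/certs/imap.example.org.pem      # assumed path
ssl_key  = </etc/ssl/private/imap.example.org.key    # assumed path
ssl_ca   = </etc/ssl/certs/client-ca.pem             # CA that issued client certs

# TLS layer: request the client certificate and verify it against ssl_ca
ssl_verify_client_cert = yes
# Auth layer: refuse to authenticate if no valid client cert was presented
auth_ssl_require_client_cert = yes

# ---------------------------------------------------------------
# Instance 2: /etc/dovecot/dovecot-webmail.conf  (loopback only)
# Same shared settings, different listeners and SSL policy.
# ---------------------------------------------------------------
!include conf.d/*.conf

instance_name = webmail                    # assumed name
base_dir = /var/run/dovecot-webmail/       # must differ from instance 1

protocols = imap

service imap-login {
  inet_listener imap {
    address = 127.0.0.1       # never bound on a public interface
    port = 143
  }
  inet_listener imaps {
    port = 0                  # no IMAPS listener here; 993 belongs to instance 1
  }
}

ssl = no
ssl_verify_client_cert = no
auth_ssl_require_client_cert = no

# Start / check (run as root):
#   doveconf -n -c /etc/dovecot/dovecot-webmail.conf   # review the effective config
#   dovecot -c /etc/dovecot/dovecot-webmail.conf       # second instance
#   dovecot                                            # main instance
```

Point squirrelmail at 127.0.0.1 port 143 without TLS. Before relying on it, confirm with `doveconf -n -c` on each file that the two instances really do report different `ssl`, `ssl_verify_client_cert` and `auth_ssl_require_client_cert` values, and with `ss -ltnp` (or `netstat -ltnp`) that port 143 is bound to 127.0.0.1 only and 993 to the public address. Note that Timo's `login_trusted_networks` suggestion only relaxes `ssl = required` for the listed addresses; it does not remove the client-certificate requirement, which is why the separate instance is needed.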