Ireneusz Szcześniak
2013-Jun-28 21:31 UTC
[Dovecot] IMAPS: Disable SSL connection without client certificate
I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.

I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configure my Thunderbird for SSL/TLS connection with normal password. It works fine.

However, with my config anybody can connect to my server without presenting a certificate:

> openssl s_client -connect server:993
> (...)
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Luckily, after connecting without a certificate, logging in fails:

> a001 login iszczesniak password
> a001 NO [ALERT] Client didn't present valid SSL certificate

*QUESTION: Is there a way in Dovecot to disable establishing an SSL connection without a client certificate?*

My complete config is:

# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
auth_ssl_require_client_cert = yes
mail_location = maildir:~/archive/mail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = bsdauth
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_cert = </etc/ssl/cert.pem
ssl_key = </etc/ssl/private/key.pem
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

--
Ireneusz (Irek) Szczesniak
http://www.irkos.org
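As an added example (my own, not code from the thread or from Dovecot), a small Python audit of a `dovecot -n` dump that tells apart the two settings involved: whether the server asks for a client certificate during the handshake (`ssl_verify_client_cert`) and whether one is required at login (`auth_ssl_require_client_cert`), which is exactly the gap observed above. The sample dump is constructed from the poster's config; the parser and the finding texts are this example's own assumptions, not Dovecot's.

```python
# Added example, not from the thread; SAMPLE is constructed from the poster's dovecot -n dump (abbreviated).
SAMPLE = r"""# 2.1.8: /etc/dovecot/dovecot.conf
auth_ssl_require_client_cert = yes
namespace inbox {
  inbox = yes
  mailbox Sent {
    special_use = \Sent
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_verify_client_cert = yes
"""

def parse_dovecot(text):
    """Flatten `dovecot -n` output into {key: value}; nested blocks prefix keys as a/b/key."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.endswith('{'):                       # block open, e.g. "namespace inbox {"
            stack.append(line[:-1].strip().replace(' ', '/'))
        elif line == '}':
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition('='))
            if value.startswith('<'):                # "<path" means the value is read from that file
                value = value[1:]
            settings['/'.join(stack + [key])] = value
    return settings

def client_cert_findings(settings):
    """Describe how the config treats client certificates, matching what the thread observed."""
    verify = settings.get('ssl_verify_client_cert') == 'yes'
    require = settings.get('auth_ssl_require_client_cert') == 'yes'
    findings = []
    if not settings.get('ssl_ca'):
        findings.append('ssl_ca unset: presented client certificates cannot be verified')
    if not verify:
        findings.append('ssl_verify_client_cert != yes: server never requests a client certificate')
    if not require:
        findings.append('auth_ssl_require_client_cert != yes: login succeeds without a client certificate')
    if verify and require:
        findings.append('client certificate enforced at login only: the TLS handshake still completes without one')
    return findings
```

Run `client_cert_findings(parse_dovecot(SAMPLE))` on the poster's settings and the only finding is the login-only enforcement, i.e. the behaviour seen with `openssl s_client` above.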
Reindl Harald
2013-Jun-28 21:34 UTC
[Dovecot] IMAPS: Disable SSL connection without client certificate
On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only,
> and I'm using Thunderbird to access my mail.
>
> I configured Dovecot to allow clients that present a valid certificate when establishing SSL connection. I
> configure my Thunderbird for SSL/TLS connection with normal password. It works fine.
>
> However, with my config anybody can connect to my server without presenting a certificate

Google "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration

Well, this is for dovecot 1.x, but have you tried it?

Client certificate verification/authentication

If you want to require clients to present a valid SSL certificate, you'll need these settings:

ssl_ca_file = /etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth default {
  ssl_require_client_cert = yes
  ..
}