dovecot - Dec 2013 - Different settings for SSL/non-SSL protocols

Good time of the day!

It is possible to setup dovecot with different requirements for SSL and
non-SSL protocols?
What would I like to do:

pop3/imap non-SSL = allowed plain text authentication.
pop3/imap with SSL = allowed plain text authentication with required
valid SSL certificates.

I need to allow access from any IP address for first group of users,
which have valid SSL certificates. And allow access from only local IP
addresses for second group of users which doesn't have SSL certificates
at all.

I tried to setup dovecot for such task. SSL and non-SSL pop3/imap works
together fine, but without require valid SSL certificates. If I set
auth_ssl_require_client_cert = yes, non-SSL pop3/imap refuses
authentication without valid SSL certificate. I tried to use different
sections for protocol pop3 {} and protocol pop3s {} (and imap/imaps) but
this seems doesn't work. Is there any way to solve this?

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)

Greetings
03.12.2013 17:29, ??????? ????????? ?????:
> Good time of the day!
>
> It is possible to setup dovecot with different requirements for SSL and
> non-SSL protocols?
> What would I like to do:
>
> pop3/imap non-SSL = allowed plain text authentication.
> pop3/imap with SSL = allowed plain text authentication with required
> valid SSL certificates.
I examined in detail dovecot's behavior with
'auth_ssl_require_client_cert=yes'.
Dovecot misinterprets configuration in case with parameters:
ssl = yes
auth_ssl_require_client_cert = yes

If ssl is not equal 'required', so not necessarily required, then
unencrypted connection permissible.
And case 'ssl = required' processed separately when connection begins.
But dovecot answers to client with unencrypted connection "Client
didn't
sent a valid SSL certificate".
This is wrong because with unencrypted connection can't be any
certificates at all.

I use dovecot-2.1.16.
In auth-request-handler.c I found:

if (request->set->ssl_require_client_cert &&
            !request->valid_client_cert) {
                /* we fail without valid certificate */
                auth_request_handler_auth_fail(handler, request,
                        "Client didn't present valid SSL
certificate");
                return TRUE;
        }

Here is need to check encrypted connection, and if connection not
encrypted, condition should not be triggered.
And as I said above, case with 'ssl = required' processed early and in
this case we don't get to this place in code.

Sources of dovecot is quite complex, and I can't find a way how to
determine encrypted connection or not at this place for a while. Can you
give me the hint how I can determine it?

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)