Алексей Прокопчук
2013-Dec-03 15:29 UTC
[Dovecot] Different settings for SSL/non-SSL protocols
Good time of the day! Is it possible to set up Dovecot with different requirements for SSL and non-SSL protocols? What I would like to do:

pop3/imap non-SSL = plain-text authentication allowed.
pop3/imap with SSL = plain-text authentication allowed, with valid SSL certificates required.

I need to allow access from any IP address for the first group of users, who have valid SSL certificates, and allow access only from local IP addresses for the second group of users, who don't have SSL certificates at all.

I tried to set up Dovecot for this task. SSL and non-SSL pop3/imap work together fine, but without requiring valid SSL certificates. If I set auth_ssl_require_client_cert = yes, non-SSL pop3/imap refuses authentication without a valid SSL certificate. I tried to use different sections for protocol pop3 {} and protocol pop3s {} (and imap/imaps), but this doesn't seem to work.

Is there any way to solve this?

Thanks for your attention, with best regards,
Alexey Prokopchuk (AP8686-RIPE)
Алексей Прокопчук
2013-Dec-04 11:49 UTC
[Dovecot] Different settings for SSL/non-SSL protocols
Greetings

03.12.2013 17:29, Алексей Прокопчук wrote:
> Good time of the day!
>
> Is it possible to set up Dovecot with different requirements for SSL and
> non-SSL protocols?
> What I would like to do:
>
> pop3/imap non-SSL = plain-text authentication allowed.
> pop3/imap with SSL = plain-text authentication allowed, with valid
> SSL certificates required.

I examined in detail Dovecot's behaviour with 'auth_ssl_require_client_cert=yes'. Dovecot misinterprets the configuration in the case with these parameters:

    ssl = yes
    auth_ssl_require_client_cert = yes

If ssl is not equal to 'required', so not necessarily required, then an unencrypted connection is permissible. And the case 'ssl = required' is processed separately when the connection begins. But Dovecot answers a client on an unencrypted connection with "Client didn't sent a valid SSL certificate". This is wrong, because with an unencrypted connection there can't be any certificates at all.

I use dovecot-2.1.16. In auth-request-handler.c I found:

    if (request->set->ssl_require_client_cert &&
        !request->valid_client_cert) {
            /* we fail without valid certificate */
            auth_request_handler_auth_fail(handler, request,
                    "Client didn't present valid SSL certificate");
            return TRUE;
    }

Here it needs to check whether the connection is encrypted, and if the connection is not encrypted, the condition should not be triggered. And as I said above, the case with 'ssl = required' is processed earlier, and in that case we don't get to this place in the code. The Dovecot sources are quite complex, and for the time being I can't find a way to determine at this place whether the connection is encrypted or not. Can you give me a hint on how I can determine it?

Thanks for your attention, with best regards,
Alexey Prokopchuk (AP8686-RIPE)
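The behaviour reported in both posts (a LOGIN on the plain port 143 being refused with a "didn't present valid SSL certificate" error once auth_ssl_require_client_cert = yes is set, while port 993 with a client certificate succeeds) can be confirmed from outside the server with a small probe. The script below is an added example, not code from the thread or from Dovecot: it opens the plaintext IMAP listener and the IMAPS listener (the latter with and without a client certificate), sends a LOGIN and classifies the tagged reply. It also recognises the separate disable_plaintext_auth rejection, which is not discussed in the thread. Host name, ports, user, password and certificate paths are placeholders, and matching the failure text on the word "certificate" is an assumption based on the wording quoted in the second post.

```python
"""Probe Dovecot's IMAP (plaintext) and IMAPS listeners and report how each
answers a LOGIN. Added example, not part of the thread or of Dovecot; all
host names, credentials and file paths are placeholders."""
import socket
import ssl
from typing import Optional, Tuple

TAG = b"a1"  # tag used for the LOGIN command


def imap_quote(value: str) -> str:
    """Return value as an IMAP quoted string (RFC 3501): escape backslash
    and double quote, then wrap in double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def classify_login_reply(reply: str) -> str:
    """Classify the tagged reply to LOGIN.

    Assumption (from the thread): when auth_ssl_require_client_cert is in
    effect and no valid client certificate was presented, the failure text
    mentions the certificate. The exact wording differs between Dovecot
    versions ("didn't sent" vs "didn't present"), so match loosely.
    """
    line = reply.strip()
    if not line.startswith(TAG.decode() + " "):
        return "unknown"
    status = line.split(" ", 2)[1].upper()
    if status == "OK":
        return "ok"
    lower = line.lower()
    if "certificate" in lower:
        return "cert-required"
    if "plaintext" in lower:
        # disable_plaintext_auth=yes on a non-TLS link, a different rejection
        return "plaintext-disabled"
    return "auth-failed"


def read_tagged_reply(reader) -> str:
    """Read lines until the one carrying our tag; untagged (*) lines are skipped."""
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if line.startswith(TAG + b" "):
            return line.decode("utf-8", "replace")


def imap_login_probe(host: str, port: int, user: str, password: str,
                     use_tls: bool = False,
                     client_cert: Optional[Tuple[str, str]] = None,
                     cafile: Optional[str] = None,
                     timeout: float = 10.0) -> str:
    """Connect, optionally wrap the socket in TLS (presenting
    client_cert=(certfile, keyfile) if given), send LOGIN and return the
    classified tagged reply. Note: with use_tls=False the password crosses
    the wire in clear, which is exactly the non-SSL case the thread is about."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)
        if client_cert is not None:
            ctx.load_cert_chain(certfile=client_cert[0], keyfile=client_cert[1])
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        reader = sock.makefile("rb")
        reader.readline()  # greeting, e.g. "* OK [CAPABILITY ...] Dovecot ready."
        cmd = "%s LOGIN %s %s\r\n" % (TAG.decode(), imap_quote(user), imap_quote(password))
        sock.sendall(cmd.encode("utf-8"))
        reply = read_tagged_reply(reader)
        try:
            sock.sendall(b"a2 LOGOUT\r\n")  # best effort, we do not wait for the answer
        except OSError:
            pass
    return classify_login_reply(reply)


if __name__ == "__main__":
    HOST = "mail.example.com"          # placeholder
    USER, PASSWORD = "alice", "secret" # placeholder credentials
    CERT = ("client.pem", "client.key")  # placeholder client certificate + key
    # With ssl=yes and auth_ssl_require_client_cert=yes, the thread reports the
    # first probe comes back "cert-required" even though no certificate can be
    # presented on a plaintext connection.
    print("imap/143, no TLS:        ", imap_login_probe(HOST, 143, USER, PASSWORD))
    print("imaps/993, no cert:      ", imap_login_probe(HOST, 993, USER, PASSWORD, use_tls=True))
    print("imaps/993, with cert:    ", imap_login_probe(HOST, 993, USER, PASSWORD,
                                                        use_tls=True, client_cert=CERT))
```

Run it from a host in the "local" range and from an outside address: the expected matrix for the configuration the poster wants is ok / cert-required / ok from inside and connection-refused / cert-required / ok from outside. Any "cert-required" on the port 143 probe is the misbehaviour described in the second post.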