Hi list,

I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting.

However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based).

As far as I know dovecot is not able to operate on multiple ports, as stated in the FAQ [1]. The redirect approach, which is also mentioned there, is of no help to me, because in my case I would need a different setup on both ports. Other suggestions [2] won't work in my case either.

I probably could get away with using "imaps" for external clients, while using "imap" (without SSL) for internal ones. Having said this, I don't quite like the idea, especially since the traffic might pass through some potentially insecure networks and I don't want to bother with VPN/SSH tunnels for that purpose. A native SSL/TLS solution would be very much appreciated.

Is there a (recommended) way to do this?

Thanks in advance.

Best regards,
Karol Babioch

[1]: http://wiki.dovecot.org/QuestionsAndAnswers#Is_it_possible_to_have_Dovecot_imap.2BAC8-pop_daemons_listening_on_multiple_ports.3F
[2]: http://www.dovecot.org/list/dovecot/2010-November/054804.html
Quoting Karol Babioch <karol at babioch.de>:

> Hi list,
>
> I'm currently looking into ways of making use of client certificates. I
> want to force external clients (i.e. anything outside the local subnet)
> to use client certificates. It is my understanding that this in itself
> can be achieved with the "ssl_require_client_cert" setting.
>
> However, I also want local clients (i.e. anything from a specific
> subnet) to be able to authenticate by the usual means (i.e.
> password-based).

How about a second front-end? One dovecot-proxy for external users that requires certs, the other is the 'real' machine accessible directly only for internal users.

Rick
On Fri, 27 Feb 2015, Karol Babioch wrote:

> I'm currently looking into ways of making use of client certificates. I
> want to force external clients (i.e. anything outside the local subnet)
> to use client certificates. It is my understanding that this in itself
> can be achieved with the "ssl_require_client_cert" setting.
>
> However, I also want local clients (i.e. anything from a specific
> subnet) to be able to authenticate by the usual means (i.e. password-based).

There are local and remote IP blocks in Dovecot, however, I cannot find the Wiki page it is documented on. But see: http://wiki2.dovecot.org/SSL/DovecotConfiguration

local means to match the local IP of the connection, remote matches the remote end, aka client IP address.

You could try to use ssl_require_client_cert as default and add a remote { } block, in which you disable that feature.

-- 
Steffen Kaiser
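The approach Steffen outlines, written out as an added dovecot.conf fragment that is not from the thread or the Dovecot project. The certificate paths and the 192.168.1.0/24 internal subnet are placeholders, and the example rests on the same assumption as his "you could try": that ssl_require_client_cert is honoured inside a remote { } block.

```conf
# Added example, not from the thread. Paths and the 192.168.1.0/24
# internal subnet are placeholders; replace them with your own values.

ssl = required
ssl_cert = </etc/ssl/certs/imap.example.org.pem
ssl_key  = </etc/ssl/private/imap.example.org.key

# CA that issued the client certificates. Only certificates chaining to
# this CA are accepted, so use a CA dedicated to issuing client certs.
ssl_ca = </etc/ssl/certs/client-ca.pem
ssl_verify_client_cert = yes

# Default for every connection: the TLS handshake fails unless the client
# presents a certificate that verifies against ssl_ca.
ssl_require_client_cert = yes

# Override for the internal subnet, matched on the client address as
# Dovecot sees it: these clients fall back to password authentication.
# Assumption: ssl_require_client_cert is accepted inside remote { }.
remote 192.168.1.0/24 {
  ssl_require_client_cert = no
}
```

To see which value Dovecot resolves for a given client, `doveconf -f rip=192.168.1.20 ssl_require_client_cert` prints the setting as filtered for that remote address (assuming your version's doveconf supports the rip= filter). The match is on the source address Dovecot observes, so clients arriving through a NAT or proxy all appear to come from that device's address and will be treated alike.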