Haravikk
2016-Jan-25 12:02 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
I'm using dovecot to provide encrypted IMAP e-mail support for remote clients and it's working great. However, I also need to set up a webmail front-end (Roundcube), which I'm hoping to have use unencrypted IMAP on port 143 (as only port 993 is available externally). The problem I'm running into is that I want to require client certificate authentication on port 993, but dovecot is apparently requiring a certificate on all connections, which is preventing Roundcube from connecting.

Since dovecot is also providing authentication to postfix I've already created an exemption from the client certificate requirement for SMTP connections by doing the following:

protocol !smtp {
    ssl_ca = </path/to/ca.pem
    ssl_verify_client_cert = yes
    auth_ssl_require_client_cert = yes
}

However, I'm not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I've already added the local network to the trusted networks list so that Roundcube can use plaintext authentication; can I limit client certificate support in a similar way?

Thanks,
Haravikk
Axel Luttgens
2016-Jan-27 21:55 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
> On 25 Jan 2016, at 13:02, Haravikk wrote:
>
> [...]
>
> Since dovecot is also providing authentication to postfix I've already created an exemption from the client certificate requirement for SMTP connections by doing the following:
>
> protocol !smtp {
>     ssl_ca = </path/to/ca.pem
>     ssl_verify_client_cert = yes
>     auth_ssl_require_client_cert = yes
> }
>
> However, I'm not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I've already added the local network to the trusted networks list so that Roundcube can use plaintext authentication; can I limit client certificate support in a similar way?

Hello Haravikk,

Perhaps you could try to devise an exception based on one (or more) "remote" section(s), as in:

remote ip.of.webmail.server {
    ssl_verify_client_cert = no
    [other settings, if needed]
}

But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings.

HTH,
Axel
Haravikk
2016-Jan-29 13:00 UTC
Disable Client Certificate Authentication for Unencrypted Connections?
> On 27 Jan 2016, at 21:55, Axel Luttgens <axel.luttgens at skynet.be> wrote:
>
> Hello Haravikk,
>
> Perhaps you could try to devise an exception based on one (or more) "remote" section(s), as in:
>
> remote ip.of.webmail.server {
>     ssl_verify_client_cert = no
>     [other settings, if needed]
> }
>
> But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings.
>
> HTH,
> Axel

Thanks for the suggestion! Unfortunately the problem seems to be auth_ssl_require_client_cert; it can only be added to protocol blocks, not to local or remote ones. Turning off ssl_verify_client_cert doesn't seem to prevent dovecot from requiring a certificate if auth_ssl_require_client_cert is enabled (it may even force ssl_verify_client_cert on implicitly, I'm not sure). It's annoying because at present it seems like my only option would be to limit client certificates to POP3 and use that in my mail clients, allowing me to disable client certificates for IMAP to keep it free for Roundcube to use exclusively, but that's not really an option.
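The thread turns on two settings that bite at different layers: ssl_verify_client_cert decides whether the TLS handshake asks the client for a certificate, while auth_ssl_require_client_cert decides whether a LOGIN without a valid certificate is rejected. The script below is an added example, not from the thread or from dovecot, for checking each listener separately so you can see which of the two is actually in force on port 993 and on port 143. It parses the output of openssl s_client (which prints the acceptable CA names when the server sent a CertificateRequest, or "No client certificate CA names sent" when it did not) and the server's reply to a tagged IMAP LOGIN. The host name, ports, user name, password and the sample server output are constructed assumptions; pass --live and your own values to probe a real server.

```shell
#!/bin/sh
# Added example, not part of the thread or of dovecot. Probes an IMAP listener
# to tell apart the two client-certificate settings discussed above:
#   ssl_verify_client_cert      -> does the TLS handshake request a client cert?
#   auth_ssl_require_client_cert -> is a password-only LOGIN rejected without one?
# Host, ports, credentials and the SAMPLE_* strings below are assumptions.

# classify_handshake OUTPUT
# OUTPUT is what `openssl s_client` printed for one connection. s_client lists
# the acceptable CA names when the server sent a CertificateRequest, and prints
# "No client certificate CA names sent" when it did not.
classify_handshake() {
    if printf '%s\n' "$1" | grep -q '^Acceptable client certificate CA names'; then
        echo cert-requested
        return 0
    elif printf '%s\n' "$1" | grep -q '^No client certificate CA names sent'; then
        echo no-cert-request
        return 1
    fi
    echo unknown
    return 2
}

# classify_login TRANSCRIPT [TAG]
# TRANSCRIPT is the IMAP dialogue; reports how the LOGIN tagged TAG was answered.
classify_login() {
    tag=${2:-a}
    if printf '%s\n' "$1" | grep -q "^$tag OK"; then
        echo login-ok
        return 0
    elif printf '%s\n' "$1" | grep -q "^$tag NO"; then
        echo login-rejected
        return 1
    fi
    echo unknown
    return 2
}

# handshake_output HOST PORT MODE   (MODE: "tls" for 993, "starttls" for 143)
handshake_output() {
    if [ "$3" = starttls ]; then
        openssl s_client -connect "$1:$2" -starttls imap </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" </dev/null 2>&1
    fi
}

# login_transcript HOST PORT MODE USER PASS
# Sends one LOGIN inside the TLS session; the sleeps give the server time to answer.
login_transcript() {
    { sleep 1; printf 'a LOGIN "%s" "%s"\r\n' "$4" "$5"; sleep 2; printf 'b LOGOUT\r\n'; } |
    if [ "$3" = starttls ]; then
        openssl s_client -quiet -connect "$1:$2" -starttls imap 2>/dev/null
    else
        openssl s_client -quiet -connect "$1:$2" 2>/dev/null
    fi
}

# report HOST PORT MODE USER PASS: one summary line per listener.
report() {
    hs=$(classify_handshake "$(handshake_output "$1" "$2" "$3")")
    lg=$(classify_login "$(login_transcript "$1" "$2" "$3" "$4" "$5")")
    printf 'port %s: handshake %s, login %s\n' "$2" "$hs" "$lg"
}

# Constructed sample output, trimmed to the lines the classifiers look at.
SAMPLE_993='CONNECTED(00000003)
---
Acceptable client certificate CA names
/CN=Example Mail Client CA
Client Certificate Types: RSA sign, ECDSA sign
---'

SAMPLE_143='CONNECTED(00000003)
---
No client certificate CA names sent
---'

SAMPLE_LOGIN_REJECTED='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR AUTH=PLAIN] Dovecot ready.
a NO [AUTHENTICATIONFAILED] Authentication failed.
* BYE Logging out
b OK Logout completed.'

SAMPLE_LOGIN_OK='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR AUTH=PLAIN] Dovecot ready.
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE SORT] Logged in
* BYE Logging out
b OK Logout completed.'

# Live run only on request, e.g.: sh probe.sh --live mail.example.org roundcube 'secret'
if [ "${1:-}" = --live ]; then
    host=${2:-mail.example.org}; user=${3:-roundcube}; pass=${4:-secret}
    report "$host" 993 tls "$user" "$pass"
    report "$host" 143 starttls "$user" "$pass"
fi
```

Read the two columns together: a listener that reports "no-cert-request" but "login-rejected" is one where the handshake no longer asks for a certificate yet authentication still demands one, which is the combination the last post describes after switching ssl_verify_client_cert off while auth_ssl_require_client_cert stays on. A listener that reports "cert-requested" and "login-ok" is only asking for a certificate, not requiring one. Run the probe from the Roundcube host itself, since the trusted-network setting mentioned above also depends on the client's source address.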