Hello,
does dovecot support tls-on-connect for AF INET based auth-client
sockets?
Rationale behind my question:
Exim can use the Dovecot auth-client socket to delegate the
SMTP-AUTH authentication to Dovecot.
Currently Exim supports the AF UNIX only for this socket. Jeremy makes
progress in extending this to use AF INET sockets too.
While it works with clear text communication already, during testing I
was to setup the auch-client socket as an TLS server (tls-on-connect).
It doesn't seem to work as I'd expect. The socket still offers
clear-text only.
Here my configuration snippets regarding this socket
ssl = yes
ssl_cert = </etc/dovecot/private/server.pem
ssl_key = </etc/dovecot/private/server.pem
service auth {
?
unix_listener auth-client {
group = _exim
mode = 0660
}
inet_listener auth-client {
name = exim
port = 4711
ssl = yes
}
}
SSL connections to :993 work as expected.
Best regards from Dresden/Germany
Viele Gr??e aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200124/4c920f54/attachment.sig>
Hi, I'm resending this message, still hoping for an answer.
Hello,
does dovecot support tls-on-connect for AF INET based auth-client
sockets?
Rationale behind my question:
Exim can use the Dovecot auth-client socket to delegate the
SMTP-AUTH authentication to Dovecot.
Currently Exim supports the AF UNIX only for this socket. Jeremy makes
progress in extending this to use AF INET sockets too.
While it works with clear text communication already, during testing I
was to setup the auch-client socket as an TLS server (tls-on-connect).
It doesn't seem to work as I'd expect. The socket still offers
clear-text only.
Here my configuration snippets regarding this socket
ssl = yes
ssl_cert = </etc/dovecot/private/server.pem
ssl_key = </etc/dovecot/private/server.pem
service auth {
?
unix_listener auth-client {
group = _exim
mode = 0660
}
inet_listener auth-client {
name = exim
port = 4711
ssl = yes
}
}
SSL connections to :993 work as expected.
Best regards from Dresden/Germany
Viele Gr??e aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200204/28c8e055/attachment-0001.sig>
On 4.2.2020 13.46, Heiko Schlittermann wrote:> Hi, I'm resending this message, still hoping for an answer. > > Hello, > > does dovecot support tls-on-connect for AF INET based auth-client > sockets? > > Rationale behind my question: > > Exim can use the Dovecot auth-client socket to delegate the > SMTP-AUTH authentication to Dovecot. > > Currently Exim supports the AF UNIX only for this socket. Jeremy makes > progress in extending this to use AF INET sockets too. > > While it works with clear text communication already, during testing I > was to setup the auch-client socket as an TLS server (tls-on-connect). > It doesn't seem to work as I'd expect. The socket still offers > clear-text only. > > Here my configuration snippets regarding this socket > > ssl = yes > ssl_cert = </etc/dovecot/private/server.pem > ssl_key = </etc/dovecot/private/server.pem > > service auth { > ? > unix_listener auth-client { > group = _exim > mode = 0660 > } > inet_listener auth-client { > name = exim > port = 4711 > ssl = yes > } > } > > SSL connections to :993 work as expected. > > Best regards from Dresden/Germany > Viele Gr??e aus Dresden > Heiko SchlittermannHi! This is not (yet) implemented. You can probably workaround with haproxy / stunnel for now. Aki
Reasonably Related Threads
- Exim still accepting emails to nonexistent users
- Exim still accepting emails to nonexistent users
- Ubuntu package - Was: Re: doveadm-server protocol change?
- TLS communication director -> backend with X.509 cert checks?
- LMTP proxy does not pass RCPT TO: ... 5xx response back