Hello, does dovecot support tls-on-connect for AF INET based auth-client sockets? Rationale behind my question: Exim can use the Dovecot auth-client socket to delegate the SMTP-AUTH authentication to Dovecot. Currently Exim supports the AF UNIX only for this socket. Jeremy makes progress in extending this to use AF INET sockets too. While it works with clear text communication already, during testing I was to setup the auch-client socket as an TLS server (tls-on-connect). It doesn't seem to work as I'd expect. The socket still offers clear-text only. Here my configuration snippets regarding this socket ssl = yes ssl_cert = </etc/dovecot/private/server.pem ssl_key = </etc/dovecot/private/server.pem service auth { ? unix_listener auth-client { group = _exim mode = 0660 } inet_listener auth-client { name = exim port = 4711 ssl = yes } } SSL connections to :993 work as expected. Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: <https://dovecot.org/pipermail/dovecot/attachments/20200124/4c920f54/attachment.sig>
Hi, I'm resending this message, still hoping for an answer. Hello, does dovecot support tls-on-connect for AF INET based auth-client sockets? Rationale behind my question: Exim can use the Dovecot auth-client socket to delegate the SMTP-AUTH authentication to Dovecot. Currently Exim supports the AF UNIX only for this socket. Jeremy makes progress in extending this to use AF INET sockets too. While it works with clear text communication already, during testing I was to setup the auch-client socket as an TLS server (tls-on-connect). It doesn't seem to work as I'd expect. The socket still offers clear-text only. Here my configuration snippets regarding this socket ssl = yes ssl_cert = </etc/dovecot/private/server.pem ssl_key = </etc/dovecot/private/server.pem service auth { ? unix_listener auth-client { group = _exim mode = 0660 } inet_listener auth-client { name = exim port = 4711 ssl = yes } } SSL connections to :993 work as expected. Best regards from Dresden/Germany Viele Gr??e aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: <https://dovecot.org/pipermail/dovecot/attachments/20200204/28c8e055/attachment-0001.sig>
On 4.2.2020 13.46, Heiko Schlittermann wrote:> Hi, I'm resending this message, still hoping for an answer. > > Hello, > > does dovecot support tls-on-connect for AF INET based auth-client > sockets? > > Rationale behind my question: > > Exim can use the Dovecot auth-client socket to delegate the > SMTP-AUTH authentication to Dovecot. > > Currently Exim supports the AF UNIX only for this socket. Jeremy makes > progress in extending this to use AF INET sockets too. > > While it works with clear text communication already, during testing I > was to setup the auch-client socket as an TLS server (tls-on-connect). > It doesn't seem to work as I'd expect. The socket still offers > clear-text only. > > Here my configuration snippets regarding this socket > > ssl = yes > ssl_cert = </etc/dovecot/private/server.pem > ssl_key = </etc/dovecot/private/server.pem > > service auth { > ? > unix_listener auth-client { > group = _exim > mode = 0660 > } > inet_listener auth-client { > name = exim > port = 4711 > ssl = yes > } > } > > SSL connections to :993 work as expected. > > Best regards from Dresden/Germany > Viele Gr??e aus Dresden > Heiko SchlittermannHi! This is not (yet) implemented. You can probably workaround with haproxy / stunnel for now. Aki