Joakim Ekblad
2020-Jul-27 07:42 UTC
Multiple authentication instances (GSSAPI _or_ Client Certificate)
Hi there,

I am trying to make a paranoid IMAPS/Submission server. I'm running Ubuntu 20.04 with Dovecot 2.3.7.2 (3c910f64b).

I mostly use my mail server from the LAN/Realm, where I have GSSAPI working well for both IMAPS and Submission and most other services. But... I would like to be able to configure Dovecot to require mobile ("external") devices to authenticate using client certificates (with a different SSL cert superset) instead of the 'plain' fallback (if there is no valid Kerberos token/infrastructure). I have one SSL certificate for the LAN solution, but would like to have my self-signed PKI stuff for the other solution, where client certificates are used to authenticate.

So. First of all. Is this a possible scenario? I'm struggling with the configuration, and it seems Dovecot configs are not accepting different authentication methods for different local listeners for different IPs etc. The only way I can think of getting this up and running is having two separate Dovecot instances (somehow) listening on different ports or even on different server hosts.

What would be neat is if it would be possible to have something like:

auth_mechanisms = gssapi ssl

:D But I know that's not how things work. I hope I'm not too unspecific. Are there any other clever ideas on how to get this use case configured with the current version of Dovecot?

I am thinking I _might_ be able to do something with stunnel to terminate the PKI authentication and still require normal plain user authentication with login/pass to get the extra security. But it does not feel clean enough.

All good ideas are welcome! Stay safe!

Kind regards,
Joakim Ekblad
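The stunnel idea from the post, written out as an added example (not the poster's configuration and not from the Dovecot project): stunnel terminates TLS on the external ports, refuses any client that does not present a certificate signed by the self-signed client CA, and forwards the connection to Dovecot on loopback, where Dovecot's normal login/password authentication still applies. All paths, ports, and the loopback backend listeners are assumptions.

```ini
; /etc/stunnel/mtls-mail.conf  (added example; paths and ports are assumptions)
; Server mode: stunnel holds the "external" PKI, Dovecot keeps its LAN certificate.
foreground = no
setuid = stunnel4
setgid = stunnel4
pid = /run/stunnel4/mtls-mail.pid

; Only modern TLS on the external side.
sslVersionMin = TLSv1.2

; Server certificate/key from the self-signed PKI used for external devices.
cert = /etc/stunnel/pki/external-server.pem
key  = /etc/stunnel/pki/external-server.key

; CA that issued the client certificates; the full chain is checked and a
; client certificate is mandatory, so a connection without one is dropped
; before it ever reaches Dovecot.
CAfile      = /etc/stunnel/pki/external-client-ca.pem
verifyChain = yes
requireCert = yes

[imaps-external]
; External IMAPS port. Dovecot's own IMAPS listener on 993 would have to
; be restricted to the LAN address so the two do not collide (assumption).
accept  = 0.0.0.0:993
; Dovecot plaintext IMAP listener bound to loopback only (assumption:
; an inet_listener on 127.0.0.1:10143, never exposed on a LAN interface).
connect = 127.0.0.1:10143

[submissions-external]
; Implicit-TLS submission (465); STARTTLS on 587 cannot be terminated this way.
accept  = 0.0.0.0:465
; Dovecot submission listener on loopback (assumption: 127.0.0.1:10587).
connect = 127.0.0.1:10587
```

Dovecot then sees every such connection as coming from 127.0.0.1, so its logging and any IP-based rules apply to the loopback address rather than the real client. Revoked client certificates are only honoured if a CRL is also configured on the stunnel side.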