Displaying 20 results from an estimated 84 matches for "auth_ssl_require_client_cert".
2010 Dec 19
2
Problem with requiring client certificates for external connections
...le still allowing my
local network to not need certificates.
This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
tried to use the "remote" block to give different definitions for my
local network vs the defaults. While most options seem to be set fine,
if I set "auth_ssl_require_client_cert" to yes as the default, and reset
it to no for my local network, dovecot still requests a client
certificate and fails as one is not supplied.
Am I correct that it can be reset in a "remote" block, or is it treated
differently to other options? In fact do I have the configuration...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
From the config : auth_ssl_require_client_cert = no
GMail empty vcard ... I have no ideas . so sorry.
Coding snippets. What can I provide for you that will help?
NOTE: it is pretty much the default config from Debian.
Thank you,
On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>
> On 2020-05-25 02:54, hana...
2016 Jan 29
2
Disable Client Certificate Authentication for Unencrypted Connections?
...[other settings, if needed]
> }
>
> But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings.
>
> HTH,
> Axel
Thanks for the suggestion!
Unfortunately the problem seems to be auth_ssl_require_client_cert; it can only be added to protocol blocks not to local or remote ones. Turning off ssl_verify_client_cert doesn't seem to prevent dovecot from requiring a certificate if auth_ssl_require_client_cert is enabled (it may even force ssl_verify_client_cert to on implicitly, I'm not sure).
It's annoying...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...ert you should configure
>
> ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
>
> Aki
>
>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>>
>>
>> From the config : auth_ssl_require_client_cert = no
>> GMail empty vcard ... I have no ideas . so sorry.
>>
>> Coding snippets. What can I provide for you that will help?
>> NOTE: it is pretty much the default config from Debian.
>>
>> Thank you,
>>
>> On Sun, May 24, 2020 at 9:29 PM Benny Pede...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...t/live/domain/fullchain.pem
>>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
>>>
>>> Aki
>>>
>>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>>>>
>>>>
>>>> From the config : auth_ssl_require_client_cert = no
>>>> GMail empty vcard ... I have no ideas . so sorry.
>>>>
>>>> Coding snippets. What can I provide for you that will help?
>>>> NOTE: it is pretty much the default config from Debian.
>>>>
>>>> Thank you,
>>>...
2016 Jan 25
2
Disable Client Certificate Authentication for Unencrypted Connections?
...h is preventing Roundcube from connecting.
Since dovecot is also providing authentication to postfix I've already created an exemption from the client certificate requirement for SMTP connections by doing the following:
protocol !smtp {
ssl_ca = </path/to/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
}
However, I'm not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I've already added the local network to the...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Config has
ssl_verify_client_cert = no
What options might have the client auth turned on?
TYIA
On 5/24/20 6:40 PM, Felipe Gasper wrote:
> From what I can tell, "SSL alert number 42" means that you've configured Dovecot to require client authentication.
>
> Otherwise, your Let's Encrypt certificate (with its authority chain) should suffice.
>
> -FG
>
>> On May 24,
2013 Dec 03
1
Different settings for SSL/non-SSL protocols
...rs,
which have valid SSL certificates. And allow access from only local IP
addresses for second group of users which doesn't have SSL certificates
at all.
I tried to set up dovecot for such a task. SSL and non-SSL pop3/imap work
together fine, but without requiring valid SSL certificates. If I set
auth_ssl_require_client_cert = yes, non-SSL pop3/imap refuses
authentication without a valid SSL certificate. I tried to use different
sections for protocol pop3 {} and protocol pop3s {} (and imap/imaps) but
this doesn't seem to work. Is there any way to solve this?
Thanks for attention, with best regards, Alexey Prokopchuk (...
2012 Aug 16
1
Postfix & Dovecot: Client certificate authentication
Hello,
I would like to set up an authentication using certificate with Dovecot: A user sends mail to Postfix and Dovecot authentication is valid only if certificate is trusted.
So, I enable the parameter auth_ssl_require_client_cert in dovecot configuration but it is not running. Here are the postfix logs:
Aug 16 09:51:48 myserver dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 16 09:51:48 myserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 16 09:51:48...
2016 Feb 02
2
Disable Client Certificate Authentication for Unencrypted Connections?
...e imap-login-ssl {
executable = imap-login login-ssl
chroot = login
user = $default_login_user
# add other settings similarly as to service imap-login
inet_listener imaps {
port = 993
}
}
# create a separate auth master process for port 993
service auth-ssl {
executable = auth -o auth_ssl_require_client_cert=yes
# add other settings similarly as to service auth
unix_listener login/login-ssl {
mode = 0666
}
}
2017 Oct 06
0
How to require client SSL certificate, except for local connections
Is there any way to make Dovecot 2.2.22 not require a client SSL
certificate for a local IMAP connection, but require it for any remote
IMAP connection?
My server is configured to require client certificates:
ssl = required
...
auth_ssl_require_client_cert = yes
I tried adding the following to create an exception for localhost:
remote 127.0.0.1 {
  ssl = no
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
}
But Dovecot fails to start with: doveconf: Fatal: Error in configuration
file /etc/dovecot/dovecot.conf line 81: Auth set...
2019 May 16
1
Mutual auth and MS Outlook
I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL
and client certificates enabled. In Dovecot, I have the following options
enabled:
ssl_ca = ...
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
when I try to connect with Outlook, I get:
May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't send a
cert): user=<>, method=PLAIN, rip=192.168.1.245, lip=192.168.2.5, TLS:
Disconnected, session=<is7gpa+Im97AqAH1>...
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...erver* client untrusted.
If you are using LE cert you should configure
ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
ssl_key=</etc/letsencrypt/live/domain/privkey.pem
Aki
> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>
>
> From the config : auth_ssl_require_client_cert = no
> GMail empty vcard ... I have no ideas . so sorry.
>
> Coding snippets. What can I provide for you that will help?
> NOTE: it is pretty much the default config from Debian.
>
> Thank you,
>
> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wr...
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...cert=</etc/letsencrypt/live/domain/fullchain.pem
> > ssl_key=</etc/letsencrypt/live/domain/privkey.pem
> >
> > Aki
> >
> >> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
> >>
> >>
> >> From the config : auth_ssl_require_client_cert = no
> >> GMail empty vcard ... I have no ideas . so sorry.
> >>
> >> Coding snippets. What can I provide for you that will help?
> >> NOTE: it is pretty much the default config from Debian.
> >>
> >> Thank you,
> >>
> >> On...
2020 May 25
0
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
> >>>
> >>> Aki
> >>>
> >>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
> >>>>
> >>>>
> >>>> From the config : auth_ssl_require_client_cert = no
> >>>> GMail empty vcard ... I have no ideas . so sorry.
> >>>>
> >>>> Coding snippets. What can I provide for you that will help?
> >>>> NOTE: it is pretty much the default config from Debian.
> >>>>
> >>>...
2011 Dec 22
1
proxying, SSL, and client certificate
How do I configure dovecot-2.0.x to present a client SSL certificate when proxying?
If dovecot on server1.example.com has:
passdb {
driver = static
args = proxy=y host=server2.example.com nopassword=y ssl=yes
}
and dovecot on server2.example.com has:
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
then when a client connects to server1 and authenticates, a connection is established to server2 but the SSL handshake fails because server1 doesn't present a client certificate. I don't see where ssl_client_ctx is tied to a client certificate in ssl-proxy-openssl.c.
Thanks.
2013 Dec 02
1
imap-login hangs after receiving revoked SSL certificate
...ultaneously. For SSL connections client must submit a valid SSL
certificate. Now SSL part of dovecot.conf looks like this:
-----------------
ssl = yes
ssl_cert = </etc/ssl/dovecot/dovecot.pem
ssl_key = </etc/ssl/dovecot/dovecot.pem
ssl_ca = </etc/ssl/ca/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
protocol !smtp {
auth_ssl_require_client_cert = yes
}
-----------------
All works fine with valid certificates. But if I submit revoked
certificate, dovecot doesn't send error or success messages to mail
client, process 'imap-login' eats 100% CPU and completely hangs. Only
S...
2018 Feb 01
2
Why does dovecot reject password when authorizing by a certificate?
...empts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
My configuration:
# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    spec...
2019 Feb 05
0
CVE-2019-3814: Suitable client certificate can be used to login as other user
...iling the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.
This affects only installations using:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
Attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates. This could happen for
example if ssl_cert_username_field is a field that no...
2012 Dec 02
1
Thunderbird SSL/TLS client authentication fails
...line ("user=<>") suggests that Dovecot does not try
to use the commonName from the client certificate as the username
even though (I think) I have configured Dovecot to do so.
The relevant lines in the Dovecot configuration are:
<config>
auth_mechanisms = plain
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
disable_plaintext_auth = yes
protocols = imap
ssl = yes
ssl_ca = </etc/dovecot/ssl/ca.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_cert_username_field =...