search for: ssl_require_client_cert

Displaying 20 results from an estimated 63 matches for "ssl_require_client_cert".

2011 Aug 21
1
Dovecot Postfix and ssl_require_client_cert
Hi, I have a working mail system with postfix 2.7 and dovecot 1.2.15. I use secure connections for imap and smtp. When I try to use client certificate authorisation I have some problems. As soon as I enable the dovecot feature ssl_require_client_cert I have to present a valid certificate to receive or send email. Receiving emails works fine, but I can not send emails any more. The only way I could get this to work was to disable smtpd_sasl_auth_enable so postfix did not try to get authorisation from dovecot. This way I can not have sasl aut...
2006 May 10
1
ssl_require_client_cert = yes for encrypted connections only
Hi, is there any way to get dovecot to use "ssl_require_client_cert = yes" for encrypted connections only? For unencrypted connections there can't be any client certificate, and I can't disable unencrypted connections altogether (I limit them by firewall to our own network). Rainer Frey -- Software Development...
2010 Oct 18
2
Question about Client Certificates
...buntu 10.10. I also have a straightforward newbie question! I've hunted in the wiki and on the wider web, but not yet found a solution. Current status: I have successfully configured imap with tls, accessed on port 993, and for security require a valid client certificate to be presented, using ssl_require_client_cert and ssl_verify_client_cert. This is all working fine! Now I want to add a SquirrelMail service to the same server. This will connect using IMAP over port 143, without TLS. My question is: how do I achieve this? At the moment, I simply get the following in the logs: Aborted login (cert required,...
2010 Mar 21
1
userdb prefetch not compatible with ssl_require_client_cert
Dear List, I looked into the docs but couldn't see anywhere that mentions this incompatibility. Is this confirmed anywhere in the docs? Thanks mr.wu
2015 Feb 27
2
Require certificate for external clients
Hi list, I'm currently looking into ways of making use of client certificates. I want to force external clients (i.e. anything outside the local subnet) to use client certificates. It is my understanding that this in itself can be achieved with the "ssl_require_client_cert" setting. However, I also want local clients (i.e. anything from a specific subnet) to be able to authenticate by the usual means (i.e. password-based). As far as I know dovecot is not able to operate on multiple ports, as stated in the FAQ [1]. The redirect approach, which is also mentioned...
2010 Feb 20
0
exporting client socket to postfix
Dear List, I have a few questions regarding dovecot sasl authentication that are somewhat related to each other. I have a working dovecot config with ---------- ssl_verify_client_cert = yes .. . ssl_require_client_cert = yes ssl_username_from_cert = yes --------------- (With this set up I need not set a correct user name in my mail client so long as I have it correctly in cert.) It turns out that I cannot export client socket to postfix to do smtp authentication unless I comment out ssl_require_client_cert=yes...
2008 Oct 22
3
dovecot and postfix with tls and dovecot sasl issues for smtp clients
...s: imaps pop3s ssl_listen(default): *:993 ssl_listen(imap): *:993 ssl_listen(pop3): *:995 ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert ssl_key_file: /etc/pki/tls/private/server.myserver.net.key ssl_verify_client_cert: yes ssl_require_client_cert = yes verbose_ssl: yes login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap...
2008 Sep 02
4
iphone connection problem
..._file: /etc/mail/certs/cacert_plus_crl.pem ssl_cert_file: /etc/mail/certs/cert.pem ssl_key_file: /etc/mail/certs/key.pem ssl_verify_client_cert: yes login_dir: /tools/dovecot-1.1.2/var/run/dovecot/login login_executable: /tools/dovecot-1.1.2/libexec/dovecot/imap-login auth default: verbose: yes ssl_require_client_cert: yes passdb: driver: pam userdb: driver: passwd
2010 Feb 28
0
client cert handling not working properly on centos 4.8
Dear List, I've successfully installed/configured dovecot 1.2.10 with "require client cert" on centos 5.4 and ubuntu server 9.10. I also need to install on centos 4.8, and after following the exact same procedure I can only get it working if I comment out ssl_require_client_cert = yes and ssl_username_from_cert = yes from the working config file. This is even after compiling dovecot with openssl 0.9.8l on centos 4.8. If I copy the same "client_ca.crt" from centos 4.8 to centos 5.4 then centos 5.4 has no problem verifying the client cert. That file contains CRL a...
2005 Oct 24
2
debian dovecot upgrade
...isten = #ssl_disable = no #ssl_cert_file = /etc/ssl/certs/dovecot.pem #ssl_key_file = /etc/ssl/private/dovecot.pem #ssl_ca_file = #ssl_verify_client_cert = no #ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat #ssl_parameters_regenerate = 24 #ssl_cipher_list = all:!LOW #verbose_ssl = no #ssl_require_client_cert = no mail:~# I tried on the command line # dovecot -F -c dovecot.conf my version is: mail:~# dovecot --version 1.0.alpha3 mail:~# Would anyone perhaps know why I can't get the daemon started? Kind Regards Brent Clark
2004 Dec 06
2
imaps, certificate and authentification
Hello, first, sorry for my poor English. I'm doing the migration from UW-imap to Dovecot. I have two questions about the authentication in the imaps (port 993) process. In dovecot.conf I can enable (or disable) the different ports (pop, pops, imap, imaps) and maybe restrict the access to the server by IP address. Can I configure dovecot in imaps so it permits the access if the
2010 Apr 28
4
Question about auth multiple configuration
...cket mechanism to send mail. I use imaps with dovecot for managing my maildir. I have added ssl parameters to the configuration file (see below) and I required a certificate from the client (to avoid man in the middle attack and to get access only for clients with a user certificate). To get this "ssl_require_client_cert" is set to yes. Ok, now imaps works perfectly. But since a certificate is required, webmail authentication (localhost) and SASL (postfix auth through dovecot socket mechanism) don't work. Webmail => dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PL...
2009 Aug 21
3
require SSL certs only for encrypted connections?
..._file: /blah/ca.crt ssl_cert_file: /blah/server.crt ssl_key_file: /blah/server.key ssl_key_password: ssl_parameters_regenerate: 168 ssl_cipher_list: ALL:!LOW:!SSLv2 ssl_cert_username_field: commonName ssl_verify_client_cert: yes disable_plaintext_auth: no auth default: mechanisms: plain login ssl_require_client_cert: no ssl_username_from_cert: no I analyzed the connection on 993 with Wireshark and apparently all is good: it's encrypted, I see the certificate exchanges taking place. But I am worried about authenticating the connections from the iPhone and I would like to configure "ssl_require_c...
2008 Nov 07
6
Cannot get the libwrap patch work
Hello there, I have been trying to make the patch work for libwrap (TCP Wrappers) posted on http://dovecot.org/patches (Patch of 1.1) but could not get it to work. Any help will be highly appreciated. After compiling and running it I get error "Error: login_tcp_wrappers can't be used because Dovecot wasn't built with
2004 May 13
2
using one-time passwords
Hi, Is there any way to use something like OPIE (one-time passwords in everything, S/KEY) with dovecot? Here's what I want to do ultimately: * have an AUTH=XYZ method that relies on S/KEY as provided by the libpam-opie module (well, maybe not through pam) * have dovecot advertise authentication as follows: - local : PLAIN, XYZ - remote (encrypted) : EXTERNAL, and
2010 Dec 19
2
Problem with requiring client certificates for external connections
...ill allowing my local network to not need certificates. This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've tried to use the "remote" block to give different definitions for my local network vs the defaults. While most options seem to be set fine, if I set "auth_ssl_require_client_cert" to yes as the default, and reset it to no for my local network, dovecot still requests a client certificate and fails as one is not supplied. Am I correct that it can be reset in a "remote" block, or is it treated differently to other options? In fact do I have the configuration...
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet). Expected behavior: Stop the SSL (the client doesn't have a cert installed) Current behavior: Mail clients accept SSL and login succeeds. (both Evolution and Thunderbird). My bad? Please advise. Q2) The next step, if dovecot blocks
2008 Nov 08
1
dovecot Digest, Vol 67, Issue 19
...O; +int deny_severity = LOG_WARNING; +# include "str.h" +#endif + bool disable_plaintext_auth, process_per_connection, greeting_capability; -bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug; +bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug, tcp_wrappers; bool ssl_require_client_cert; const char *greeting, *log_format; const char *const *log_format_elements; @@ -75,6 +83,45 @@ io_loop_stop(ioloop); } +static void access_check(int fd, const struct ip_addr *ip, bool ssl) +{ +#ifdef HAVE_LIBWRAP + struct request_info req; + char *daemon; + string_t *process_name_ssl; + + if...
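Review bot: in the declarations ahead of the `@@ -75,6 +83,45 @@` hunk, `# include "str.h"` is added after the `int deny_severity = LOG_WARNING;` definition and just before the closing `#endif`; move it up with the file's other includes so that no definition precedes an include. Also, `tcp_wrappers` is appended to the unconditional `bool verbose_proctitle, ...` declaration while the body of `access_check` opens with `#ifdef HAVE_LIBWRAP`, so a build without libwrap needs to reject the setting explicitly rather than silently skip the check; the rest of the function is cut off in this excerpt and cannot be reviewed.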
2012 Nov 08
3
Mails don't get deleted after POP3
...zABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ username_translation: username_format: master_user_separator: anonymous_username: anonymous krb5_keytab: gssapi_hostname: winbind_helper_path: /usr/bin/ntlm_auth failure_delay: 2 verbose: no debug: no debug_passwords: no ssl_require_client_cert: no ssl_username_from_cert: no use_winbind: no count: 1 worker_max_count: 30 process_size: 256 passdb: driver: pam args: deny: no pass: no master: no userdb: driver: passwd args: -----8<----- Please let me know if you need more. Thank you...
2008 Aug 07
1
SSL Certifcates
Hi anyone. Can dovecot be configured to authenticate users using SSL Certificates only and not ask for a password? So far I've got it taking the username from the common name of the certificate but I'd like it to use the certificate in place of the password. Is this possible and how? -- Regards Stephen.