Displaying 20 results from an estimated 179 matches for "ssl_verify_client_cert".
2010 Dec 19
2
Problem with requiring client certificates for external connections
...e_locks = fcntl
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
postmaster_address = postmaster at crawford.emu.id.au
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
protocol pop3 {
pop3_uidl_format = %v.%u
}
remote 203.16.204.0/24/24 {
auth_ssl_require_client_cert = no
disable_plaintext_auth = no
ssl = no
ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
auth_ssl_require_client_cert = no
disable_pl...
2016 Jan 25
2
Disable Client Certificate Authentication for Unencrypted Connections?
...icate on all connections, which is preventing Roundcube from connecting.
Since dovecot is also providing authentication to postfix I've already created an exemption from the client certificate requirement for SMTP connections by doing the following:
protocol !smtp {
ssl_ca = </path/to/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
}
However, I'm not sure how to do the same thing for unencrypted IMAP connections. Is there a way that I can enable client certificate support for only IMAP port 993, leaving port 143 to handle regular unencrypted IMAP with a username and password? I've al...
2016 Jan 29
2
Disable Client Certificate Authentication for Unencrypted Connections?
> On 27 Jan 2016, at 21:55, Axel Luttgens <axel.luttgens at skynet.be> wrote:
>
> Hello Haravikk,
>
> Perhaps could you try to devise an exception based on one (or more) "remote" section(s), as in:
>
> remote ip.of.webmail.server {
> ssl_verify_client_cert = no
> [other settings, if needed]
> }
>
> But I guess you would need to combine this with inner protocol blocks, and probably to replace the "protocol !smtp" block with less general settings.
>
> HTH,
> Axel
Thanks for the suggestion!
Unfortunately the problem...
2006 Jun 01
1
ssl-proxy: client certificates and crl check
...->cert_broken = TRUE;
+ i_warning("BAD CERT %s: %s",X509_verify_cert_error_string(ctx->error),buf);
+ }
+ else
+ { i_warning("CERT: %s",buf); } /* logging */
- return 1;
+ return preverify_ok;
+ /* HJHJ */
+
}
static int
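Review bot: in the else branch of the verify callback, `i_warning("CERT: %s",buf)` logs every successfully verified certificate at warning level, so normal logins will flood the warning log. Log the success case at info level, or only when verbose SSL logging is enabled, and drop the `/* HJHJ */` marker comments. The switch from `return 1` to `return preverify_ok` changes failed verification from accepted to rejected and should be called out in the commit message.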
@@ -666,10 +684,20 @@
if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
- SSL_VERIFY_CLIENT_ONCE,
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
ssl_verify_client_cert);
}
+ /* HJHJ */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE *store;
+ if( (store=SSL_CTX_get_cert_store(ssl_...
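Review bot: replacing `SSL_VERIFY_CLIENT_ONCE` with `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` in the `SSL_CTX_set_verify` call makes a client certificate mandatory at the TLS layer whenever `SSL_VERIFY_CLIENT_CERT` is set, so installations that only request a certificate will start failing handshakes for clients that have none. Put the hard requirement behind its own setting, and keep `SSL_VERIFY_CLIENT_ONCE` OR-ed in unless re-requesting the certificate on renegotiation is intended. The `X509_STORE *store;` declaration also follows the `if` statement, which pre-C99 compilers reject; open a new block or move it to the top of the function.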
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...ed, 18 insertions(+), 1 deletion(-)
--- a/src/config/all-settings.c
+++ b/src/config/all-settings.c
@@ -308,6 +308,7 @@ struct master_service_ssl_settings {
const char *ssl_cert_username_field;
const char *ssl_crypto_device;
const char *ssl_options;
+ const char *ssl_lowest_version;
bool ssl_verify_client_cert;
bool ssl_require_crl;
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -26,6 +26,7 @@ static const struct setting_define maste
DEF(SET_STR, ssl_protocols),
DEF(SET_STR, ssl_cert_username_field),
DEF(SET_STR, ssl_crypto_device),
+ DEF(...
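Review bot: `ssl_lowest_version` lands beside the existing `ssl_protocols` define in this table without any visible statement of how the two interact when both are set. Document which one takes precedence, and reject unrecognised version strings at config-parse time so that a typo cannot silently change the minimum TLS version the server accepts.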
2010 Dec 15
2
ssl enabled, but ssl_cert not set ( 2.0.7 freebsd 8.1 )
...arting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
#...
2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1)
I can't get ssl_verify_client_cert=yes working.
The ssl key and cert are signed using our CA.
Also the ssl_ca_file has a CRL appended (no revokes yet).
Expected behavior:
Stop the SSL (the client doesn't have a cert installed)
Current behavior:
Mail clients accept SSL and login succeeds.
(both Evolution and Thunderbird).
My...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Config has
ssl_verify_client_cert = no
What options might have the client auth turned on?
TYIA
On 5/24/20 6:40 PM, Felipe Gasper wrote:
> From what I can tell, "SSL alert number 42" means that you've configured Dovecot to require client authentication.
>
> Otherwise, your Let's Encrypt certificate (with its authority c...
2007 Apr 06
5
1.0.rc30 released
...PAM: Lowercase the PAM service name when calling with "args = *".
Linux PAM did this internally already, but at least BSD didn't.
If your PAM file used to be in /etc/pam.d/IMAP or POP3 file you'll
need to lowercase it now.
+ Send list of CA names to client when using
ssl_verify_client_cert=yes.
- IMAP: If message body started with line feed, it wasn't counted
in BODY and BODYSTRUCTURE replies' line count field.
- deliver didn't load plugins before chrooting
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...g snippets. What can I provide for you that will help?
NOTE: it is pretty much the default config from Debian.
Thank you,
On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>
> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
> > Config has
> > ssl_verify_client_cert = no
> > What options might have the client auth turned on?
>
> why does gmail attach empty vcard info ?
>
> without any config snippets it's hard to say what config error is local
>
> https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> is it auth_ssl_require_client_c...
2011 Nov 07
1
POP3/IMAPv4 CRAM-MD5 Authentication failed.(Re-post)
...> }
> service pop3 {
> executable = /opt/dovecot_2/libexec/dovecot/rawlog /opt/dovecot_2/libexec/dovecot/pop3
> }
> ssl_ca = </opt/dovecot_2/conf/dovecot/ca-c.pem
> ssl_cert = </opt/dovecot_2/conf/dovecot/ns-c.pem
> ssl_key = </opt/dovecot_2/conf/dovecot/ns-p.pem
> ssl_verify_client_cert = yes
> userdb {
> args = blocking=yes
> driver = passwd
> }
> protocol imap {
> imap_logout_format = bytes=%i/%o
> imap_max_line_length = 64 k
> mail_max_userip_connections = 10
> mail_plugins =
> }
> protocol lda {
> hostname = mailsv.sklc.co.jp
...
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
...is pretty much the default config from Debian.
>>
>> Thank you,
>>
>> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>>>
>>> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
>>>> Config has
>>>> ssl_verify_client_cert = no
>>>> What options might have the client auth turned on?
>>>
>>> why does gmail attach empty vcard info ?
>>>
>>> without any config snippets it's hard to say what config error is local
>>>
>>> https://wiki.dovecot.org/SSL/Dovecot...
2008 Sep 02
4
iphone connection problem
...2651 (0.0000) S>C TCP FIN
1 0.2675 (0.0024) C>S TCP FIN
[root at inchoate src]# /tools/dovecot/sbin/dovecot -n
# 1.1.2: /tools/dovecot-1.1.2/etc/dovecot.conf
ssl_ca_file: /etc/mail/certs/cacert_plus_crl.pem
ssl_cert_file: /etc/mail/certs/cert.pem
ssl_key_file: /etc/mail/certs/key.pem
ssl_verify_client_cert: yes
login_dir: /tools/dovecot-1.1.2/var/run/dovecot/login
login_executable: /tools/dovecot-1.1.2/libexec/dovecot/imap-login
auth default:
verbose: yes
ssl_require_client_cert: yes
passdb:
driver: pam
userdb:
driver: passwd
2019 May 16
1
Mutual auth and MS Outlook
I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL
and client certificates enabled. In Dovecot, I have the following options
enabled:
ssl_ca = ...
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
when I try to connect with Outlook, I get:
May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't send a
cert): user=<>, method=PLAIN, rip=192.168.1.245, lip=192.168.2.5, TLS:
Disconnected,...
2008 Mar 07
1
Can't load private key file
...routines:PEM_do_header:bad password read
My dovecot.conf has the following set.
# Uncomment these if using SSL
ssl_cert_file = /etc/ssl/mailserver/mail.mydomain.tld.crt
ssl_key_file = /etc/ssl/mailserver/mail.mydomain.tld.key
#ssl_key_password =
#ssl_ca_file = /etc/ssl/mailserver/ca/mydomain.pem
#ssl_verify_client_cert = yes
ssl_parameters_regenerate = 168
verbose_ssl = no
I have been playing about with it all for about 3 hours now and would
greatly appreciate any help ;)
Regards
Adam
2009 Nov 02
2
X.509 certificate based IMAP login
Hello list,
The dovecot version is 1.2.6 running on Solaris x86 11 (nv-b91).
The relevant configuration lines are:
passdb ldap { # LDAP database (doc/wiki/AuthDatabase.LDAP.txt.)
args = /pfx/etc/dovecot/dovecot-ldap.conf
}
The file dovecot-ldap.conf is correct and LDAP authentication is
working well.
We would like to make it possible for users with an X.509 client
certificate to log in
2011 Dec 22
1
proxying, SSL, and client certificate
How do I configure dovecot-2.0.x to present a client SSL certificate when proxying?
If dovecot on server1.example.com has:
passdb {
driver = static
args = proxy=y host=server2.example.com nopassword=y ssl=yes
}
and dovecot on server2.example.com has:
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
then when a client connects to server1 and authenticates, a connection is established to server2 but the SSL handshake fails because server1 doesn't present a client certificate. I don't see where ssl_client_ctx is tied to a client certificate in s...
2012 May 29
1
Different SSL requirements for connections on different ports?
Hi All,
I'm running dovecot 2.0.19.
I currently have remote users access mail using IMAP over SSL, with
their client certificates being both required and verified. I do this
using "ssl = required" and "ssl_verify_client_cert = yes".
I would now like to add a webmail front-end (squirrelmail) running on
the same server. In order to achieve this I would like to have
squirrelmail connecting locally using IMAP, but without the
certificate requirement. I'm happy to use the standard IMAP port for
this, since that po...
2005 Oct 24
2
debian dovecot upgrade
...erd thing is, at no time am I asking for ssl, and in my conf file I have it hashed out.
mail:~# cat /etc/dovecot/dovecot.conf | grep ssl
# --with-ssldir=/etc/ssl
#ssl_listen =
#ssl_disable = no
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
#ssl_ca_file =
#ssl_verify_client_cert = no
#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
#ssl_parameters_regenerate = 24
#ssl_cipher_list = all:!LOW
#verbose_ssl = no
#ssl_require_client_cert = no
mail:~#
I tried on the command line
# dovecot -F -c dovecot.conf
my version is:
mail:~# dovecot --version
1.0.alpha3
mail...