On Thu, 2008-10-23 at 09:54 -0700, Harondel J. Sibble wrote:

> How do I set up mixed authentication so that I can have, say, a couple of
> machines on my LAN only use SSL without client certs, but have all the other
> machines connecting remotely required to have SSL certs to connect to
> IMAP?
So:

a) If the client sent a valid SSL client cert, let it log in.
b) If the client didn't send a valid SSL client cert, but it's from a specific network, let it log in.

Right? It's not possible with v1.1, but I just added code to the v1.2 tree that would make it possible:

http://hg.dovecot.org/dovecot-1.2/rev/d49aa6720fb2

This would allow you to check the client cert status using the %k variable. Then if you used SQL passdb you could construct a query based on it, e.g. with MySQL:

password_query = select user, password, \
  if('%k' = 'valid', NULL, '192.168.0.0/24') as allow_nets \
  from users where ...

So allow_nets would be set only if a valid client cert hadn't been sent.
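As an added illustration of the policy that query expresses (this is example code, not part of the message above and not Dovecot's own code), the following simulates the passdb lookup in SQLite and then applies the allow_nets check the way a server would: a valid client cert yields NULL allow_nets and no network restriction, anything else restricts the login to 192.168.0.0/24. The users table, the passwords and the cert-status value "none" are constructed for the demo.

```python
import ipaddress
import sqlite3

# Constructed sample rows standing in for the MySQL "users" table.
USERS = [("alice", "{PLAIN}secret"), ("bob", "{PLAIN}hunter2")]

# Same logic as the MySQL password_query in the message, written with CASE
# so it runs on SQLite. The first parameter plays the role of %k: allow_nets
# is NULL (no restriction) only when the client cert status is 'valid'.
PASSWORD_QUERY = """
SELECT user, password,
       CASE WHEN ? = 'valid' THEN NULL ELSE '192.168.0.0/24' END AS allow_nets
FROM users WHERE user = ?
"""


def make_db():
    """Build an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup(conn, username, cert_status):
    """Run the passdb query; returns (password, allow_nets) or None."""
    row = conn.execute(PASSWORD_QUERY, (cert_status, username)).fetchone()
    return None if row is None else (row[1], row[2])


def allowed(conn, username, cert_status, client_ip):
    """Mirror the allow_nets check: when the passdb returns a network list,
    the client address must fall inside one of the listed networks.
    (Comma-separated lists are an assumption made for this demo.)"""
    result = lookup(conn, username, cert_status)
    if result is None:
        return False  # unknown user
    _, allow_nets = result
    if allow_nets is None:
        return True  # valid client cert: no network restriction
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n.strip())
               for n in allow_nets.split(","))
```

Password verification itself is left out; the point is only which of the two paths (cert or trusted network) admits the connection.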