On 27.3.2013, at 10.49, Christian Felsing <hostmas...@taunusstein.net> wrote:
> I would like to set up a Dovecot based mail system which uses X.509
> Client Certificates for authentication. A webmail system based on Horde5
> should use Dovecot as backend.
..
> Unfortunately Dovecot does not support different authentication methods
> on different IP addresses or ports. This does not work:
>
> remote 192.168.116.28/32 {
> auth_ssl_require_client_cert = no
> auth_ssl_username_from_cert = yes
> disable_plaintext_auth = no
> ssl = yes
>
> }
>
> Result is "doveconf: Fatal: Error in configuration file
> /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
> settings not supported inside local/remote blocks:
> auth_ssl_require_client_cert"

Right. Would be nice to support at some point, but not that easy to implement.

> Is there any way to turn off client certs for specific local or remote
> IP addresses?

In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword.

http://wiki2.dovecot.org/Variables
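
The SQL passdb approach suggested in the reply could look like the statement below. It is an added example, not part of the original message or of Dovecot's own documentation. Assumptions: a hypothetical `users` table with `userid` and `password` columns, certificate verification enabled globally with `auth_ssl_require_client_cert = no` so that clients without a certificate still reach the passdb, and `%k` expanding to the string `valid` only for a verified client certificate.

```sql
-- Added example: statement to use as the SQL passdb's password_query.
-- Dovecot substitutes %u (username), %r (remote IP) and %k (certificate
-- status) into the text before the query is sent to the database.
-- Assumed schema: users(userid, password). Hypothetical names.
-- Assumed expansion: %k becomes 'valid' for a verified client certificate
-- and an empty string otherwise.
SELECT userid AS user, password
FROM users
WHERE userid = '%u'
  AND (
        '%k' = 'valid'             -- client presented a verified certificate
     OR '%r' = '192.168.116.28'    -- webmail host from the question: no certificate required
  )
```

A login from any other address without a verified certificate matches no row, so the passdb lookup fails; the password returned by the query is still checked for logins that do match.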