I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.

I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.

However, with my config anybody can connect to my server without presenting a certificate:

openssl s_client -connect server:993
(...)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS
ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Luckily, after connecting without a certificate, logging in fails:

> a001 login iszczesniak password
> a001 NO [ALERT] Client didn't present valid SSL certificate

*QUESTION: Is there a way in Dovecot to disable establishing an SSL connection without a client certificate?*

My complete config is:

# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
auth_ssl_require_client_cert = yes
mail_location = maildir:~/archive/mail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = bsdauth
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_cert = </etc/ssl/cert.pem
ssl_key = </etc/ssl/private/key.pem
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol imap {
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

--
Ireneusz (Irek) Szczesniak
http://www.irkos.org
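Added here to illustrate the distinction the question turns on; it is not part of the original post and not Dovecot's code. The loopback server below (throwaway certificate generated with the openssl CLI, assumed installed; helper names are my own) compares a TLS layer that only requests a client certificate, modelled with Python's ssl.CERT_OPTIONAL to mirror the handshake-then-LOGIN-failure seen above, with one that refuses the handshake outright (ssl.CERT_REQUIRED), which is the behaviour the question asks for.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir):
    # Constructed throwaway server certificate, generated with the openssl CLI (assumed installed).
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def greeting_without_client_cert(verify_mode):
    """Loopback TLS server with the given client-cert policy; returns True if an anonymous client gets the greeting."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(cert, key)
        srv.load_verify_locations(cert)  # trust anchor for client certs (none will be sent here)
        srv.verify_mode = verify_mode     # ssl.CERT_OPTIONAL (request only) or ssl.CERT_REQUIRED
        lsock = socket.socket()
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        def serve():
            conn, _ = lsock.accept()
            try:
                with srv.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
                    tls.sendall(b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n")
            except OSError:
                conn.close()  # handshake refused: the greeting is never sent
        thread = threading.Thread(target=serve)
        thread.start()
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli.check_hostname = False
        cli.verify_mode = ssl.CERT_NONE   # test client: trusts anything, has no certificate to present
        try:
            with cli.wrap_socket(socket.create_connection(lsock.getsockname())) as c:
                data = c.recv(1024)       # under TLS 1.3 a refusal surfaces here as an alert or EOF
        except OSError:
            data = b""
        thread.join()
        lsock.close()
        return data.startswith(b"* OK")

def optional_accepts_anonymous():
    """Models ssl_verify_client_cert = yes as observed above: the anonymous handshake completes."""
    return greeting_without_client_cert(ssl.CERT_OPTIONAL)

def required_refuses_anonymous():
    """Handshake-level requirement: the anonymous client never reaches the greeting."""
    return not greeting_without_client_cert(ssl.CERT_REQUIRED)
```

With the request-only policy the greeting is delivered and the certificate check is left to the login step, exactly as the openssl s_client session above shows; with the required policy no IMAP banner is ever seen by a client that presents no certificate.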
