On 02 Feb 2016, at 13:09, Haravikk <dove...@haravikk.me> wrote:
>
> So I still haven’t found a way to require client certificates only for port
> 993/IMAPS while leaving unencrypted IMAP open for local, trusted, services.
>
> Is there really no way to do this? I just found out how to do the same thing
> for postfix (turns out it’s fairly easy, just a matter of adding the settings
> in the right parts of master.cf instead of main.cf), allowing me to restrict
> client certificate verification to port 587 (I don’t accept port 465) without
> interfering with incoming mail server connections on port 25.
If you really want to do it, you could do it something like this (not tested -
probably needs some additions/changes):

  # no 993 port for this imap-login service
  service imap-login {
    inet_listener imaps {
      port = 0
    }
  }

  # create a duplicate 993 service
  service imap-login-ssl {
    # login-ssl: name of the auth socket this login process connects to,
    # matched by the unix_listener in service auth-ssl below
    executable = imap-login login-ssl
    chroot = login
    user = $default_login_user
    # add other settings similarly as to service imap-login
    inet_listener imaps {
      port = 993
    }
  }

  # create a separate auth master process for port 993
  service auth-ssl {
    executable = auth -o auth_ssl_require_client_cert=yes
    # add other settings similarly as to service auth
    unix_listener login/login-ssl {
      mode = 0666
    }
  }
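Added here as a sanity check, not part of the thread or of Dovecot: a small Python script that reads this style of config and reports any login listener whose port-to-auth-socket wiring is wrong, i.e. 993 not handed to an auth process started with auth_ssl_require_client_cert=yes, or another port (143) handed to one that is. It assumes Dovecot's defaults that a service's executable is its own name when unset and that login processes use the login/login socket when no argument is given; the parser handles only the subset of the syntax used in the snippet.

```python
import re
SAMPLE_CONF = """service imap-login {
  inet_listener imap { port = 143 }
  inet_listener imaps { port = 0 }    # 993 moves to imap-login-ssl
}
service imap-login-ssl {
  executable = imap-login login-ssl   # argument = name of the auth socket
  inet_listener imaps { port = 993 }
}
service auth-ssl {
  executable = auth -o auth_ssl_require_client_cert=yes
  unix_listener login/login-ssl { mode = 0666 }
}"""  # constructed sample: the split suggested in the reply, stock port-143 listener kept
def parse(text):  # tiny reader for Dovecot's nested `name { key = value }` blocks (subset only)
    root = cur = {}
    stack, name = [], None
    for raw in re.sub(r"([{}])", r"\n\1\n", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "{":                  # open the block named on the previous line
            stack.append(cur)
            cur = cur.setdefault(name, {})
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
        elif line:
            name = line
    return root

def services(conf, exe):
    # yield (name, block, argv) for services running `exe`; Dovecot defaults executable to the name
    for key, svc in conf.items():
        argv = svc.get("executable", key.split()[1]).split() if key.startswith("service ") else []
        if argv[:1] == [exe]:
            yield key.split()[1], svc, argv

def check_split(text):
    """Return problems found; an empty list means port 993, and only 993, demands a client cert."""
    conf, problems, certified = parse(text), [], set()
    for _, svc, argv in services(conf, "auth"):
        if "auth_ssl_require_client_cert=yes" in argv:   # auth process started with the override
            certified.update(k.split("login/", 1)[1] for k in svc if k.startswith("unix_listener login/"))
    for name, svc, argv in services(conf, "imap-login"):
        socket = argv[1] if len(argv) > 1 else "login"   # default auth socket of login processes
        for key, lst in svc.items():
            port = lst.get("port", "0") if key.startswith("inet_listener ") else "0"
            if port != "0" and (port == "993") != (socket in certified):
                problems.append(f"{name}: port {port} uses login/{socket} (client cert required: {socket in certified})")
    return problems
```

Run check_split over the output of doveconf -n before restarting; the stock config (993 still on the default login socket) is reported, as is a 143 listener accidentally pointed at the login-ssl socket.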