On 29 Sep 2008 at 8:40, Rainer Frey (Inxmail GmbH) wrote:
> What is important: you can not self-sign each client certificate, but you
> need a CA with a self-signed root instead. I think you understand that already,
> just noting that for completeness.
>
> Then you simply configure Dovecot as described in
> http://wiki.dovecot.org/SSL/DovecotConfiguration

Followed those directions, enabled the client side certificate checking, but no go.

> Then configure client cert verification as described in the last section of
> above mentioned wiki page.
> ssl_ca_file is used for client cert verification only, and does not need to
> cover the server certificate.

Done, I have the following enabled.

  auth default {
  # Space separated list of wanted authentication mechanisms:
  # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  mechanisms = plain
  ssl_require_client_cert = yes
  ssl_ca_file = /etc/pki/dovecot/certs/dovecot-clientcerts
  ssl_verify_client_cert = yes
  verbose_ssl = yes
  ssl_require_client_cert = yes

Logs don't show anything of any interest, on the client side (Windows Mobile 5 phone running Web IS's Flexmail4). When I asked their tech support about using a client cert, I got this:

  Greetings and thank you for contacting us.

  It should be using the certs which the PDA has installed. Is the cert installed (in the device settings > System > Certificates

  We appreciate having the opportunity to help and service you. Please let us know if there is anything more we can do.

I've verified that my root CA is installed on the PDA and the personal cert is also installed.

The following is all I see on the connection attempt from the PDA:

  Oct 8 01:00:55 myserver dovecot: Dovecot v1.0.7 starting up
  Oct 8 01:01:51 myserver dovecot: imap-login: Disconnected: method=PLAIN, rip=10.12.13.14, lip=10.12.13.14, TLS

At this point the client device is stuck asking to confirm account credentials.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
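
Added example, not part of the original message: a way to check offline the point quoted above, that a client certificate must chain to the CA in the ssl_ca_file bundle and a self-signed client certificate will not. The CA, subject names and file names are constructed throwaway values; it assumes the openssl command-line tool with its default configuration file.

```shell
#!/bin/sh
# Added example: all keys, certificates and names below are constructed test
# values (hypothetical), generated into a scratch directory.

# Build a throwaway PKI in directory $1:
#   ca.pem      self-signed root CA (what ssl_ca_file would contain)
#   client.pem  client certificate signed by that CA
#   self.pem    self-signed client certificate (the setup that cannot work)
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1

    # Client key and signing request, then a certificate issued by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pda-user" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -out "$dir/client.pem" 2>/dev/null || return 1

    # A client certificate that signs itself instead of using the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pda-user-selfsigned" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null || return 1
}

# Return 0 only if certificate $2 chains to a CA in bundle $1.
# This is the same chain check the server applies to a presented client cert.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run when executed directly with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_test_pki "$d" || exit 1
    chains_to_ca "$d/ca.pem" "$d/client.pem" && echo "CA-signed client cert: accepted"
    chains_to_ca "$d/ca.pem" "$d/self.pem"   || echo "self-signed client cert: rejected"
    rm -rf "$d"
fi
```

The same chains_to_ca check can be pointed at the real ssl_ca_file and a copy of the personal certificate exported from the device, to confirm the certificate is one the server can accept before looking at the client's behaviour.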