With my config, Dovecot disallows logging in when the SSL connection
was established by a client without a certificate. In this case the
client gets to talk to Dovecot. The client could exploit potential
Dovecot vulnerabilities.
Instead, I want the SSL connection to be dropped by OpenSSL when the
client doesn't authenticate with a certificate, and so the client
doesn't get to talk with Dovecot. This is safer, because the client
is dropped by the well-tested OpenSSL.
On 29.06.2013 22:03, Reindl Harald wrote:
On 29.06.2013 21:54, Ireneusz Szcześniak wrote:
Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got the SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.
what the hell - you can reject them after they don't present a cert,
but how do you imagine technically smelling this fact before they connect?
On 28.06.2013 23:34, Reindl Harald wrote:
On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
However, with my config anybody can connect to my server without presenting a certificate.
google "dovecot ssl client certificate" leads to
http://wiki.dovecot.org/SSL/DovecotConfiguration
well, this is for dovecot 1.x, but have you tried it?
Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate, you'll need
these settings
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org
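The two behaviours argued about in this thread are two different OpenSSL verify modes. The one the original poster observes (the handshake completes, the peer sends no certificate, and the application has to refuse the login afterwards) is what OpenSSL does with SSL_VERIFY_PEER alone; the one he wants (the handshake itself fails and the peer never gets to speak the application protocol) is SSL_VERIFY_PEER together with SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Python's ssl module exposes the same pair as CERT_OPTIONAL and CERT_REQUIRED, so the following added example, written for this page and not taken from the thread or from Dovecot, runs both modes against a loopback listener and reports what each side saw. It assumes the openssl command-line tool is installed (it is used only to mint throwaway self-signed certificates); the host and user names are made up for the demonstration.

```python
"""Client-certificate enforcement at the TLS layer vs. at the application layer."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# The example needs the openssl CLI to create throwaway certificates (assumption).
OPENSSL_AVAILABLE = shutil.which("openssl") is not None


def make_self_signed(directory, common_name):
    """Generate a self-signed cert + key pair with the openssl CLI (assumed installed)."""
    key = os.path.join(directory, common_name + ".key")
    crt = os.path.join(directory, common_name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + common_name, "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return crt, key


def peer_common_name(cert):
    """Return the CN from an SSLSocket.getpeercert() dict, or None if no cert was sent."""
    if not cert:
        return None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def run_handshake(require_cert, client_presents_cert):
    """Run one TLS 1.2 handshake over loopback and report the outcome.

    require_cert=False  -> server uses CERT_OPTIONAL (SSL_VERIFY_PEER only)
    require_cert=True   -> server uses CERT_REQUIRED (adds SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
    Returns (server_result, client_result, client_cn) where the results are
    "handshake ok" / "handshake failed" and client_cn is the verified CN or None.
    """
    with tempfile.TemporaryDirectory() as tmp:
        srv_crt, srv_key = make_self_signed(tmp, "imap.example.test")  # hypothetical host
        cli_crt, cli_key = make_self_signed(tmp, "alice")              # hypothetical user

        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # Pin TLS 1.2 so the server's verdict is delivered inside the handshake itself;
        # under TLS 1.3 the client can finish before the server rejects a missing cert.
        srv_ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        srv_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        srv_ctx.load_cert_chain(srv_crt, srv_key)
        srv_ctx.load_verify_locations(cafile=cli_crt)  # trust anchor for client certs
        srv_ctx.verify_mode = ssl.CERT_REQUIRED if require_cert else ssl.CERT_OPTIONAL

        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.check_hostname = False
        cli_ctx.load_verify_locations(cafile=srv_crt)
        if client_presents_cert:
            cli_ctx.load_cert_chain(cli_crt, cli_key)

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        port = listener.getsockname()[1]
        outcome = {}

        def server():
            conn, _ = listener.accept()
            conn.settimeout(5)
            try:
                tls = srv_ctx.wrap_socket(conn, server_side=True)
                outcome["server"] = "handshake ok"
                # Only reached with CERT_OPTIONAL and no cert: the application
                # must now check for a missing peer cert itself.
                outcome["cn"] = peer_common_name(tls.getpeercert())
                tls.close()
            except OSError:  # ssl.SSLError is a subclass of OSError
                outcome["server"] = "handshake failed"
                conn.close()

        thread = threading.Thread(target=server)
        thread.start()
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        try:
            tls = cli_ctx.wrap_socket(raw)
            outcome["client"] = "handshake ok"
            tls.close()
        except OSError:
            outcome["client"] = "handshake failed"
            raw.close()
        thread.join()
        listener.close()
    return outcome.get("server"), outcome.get("client"), outcome.get("cn")


if __name__ == "__main__":
    for require, present in [(False, False), (True, False), (True, True)]:
        print("require_cert=%s client_cert=%s ->" % (require, present),
              run_handshake(require, present))
```

In the CERT_OPTIONAL run the handshake completes on both sides and the server's getpeercert() returns None, which is the situation the original poster describes: the peer is inside the TLS session and only the application layer stands between it and the mail server. In the CERT_REQUIRED run with no client certificate, both wrap_socket() calls raise before any application data is exchanged, which is the behaviour he is asking for.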