Thank you, Timo, for your detailed and authoritative response.
Now I know that my config is fine, and that I didn't miss some option.
Thanks again!
On 29.06.2013 23:25, Timo Sirainen wrote:
> On 29.6.2013, at 23.39, Ireneusz Szcześniak <irek.szczesn...@gmail.com> wrote:
>> With my config, Dovecot disallows logging in when the SSL connection was
>> established by a client without a certificate. In this case the client gets to
>> talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
>> Instead, I want the SSL connection to be dropped by OpenSSL when the client
>> doesn't authenticate with a certificate, and so the client doesn't get to talk
>> with Dovecot.
>
> OpenSSL can't really drop the connection. Dovecot could do it earlier, but that
> would complicate the code. I'm not planning on adding such extra code, since
> the current way works as well.
>
>> This is safer, because the client is dropped by the well-tested OpenSSL.
>
> One of the main reasons for Dovecot's pre-login and post-login privilege
> separation was so that OpenSSL could be separated into Dovecot's untrusted
> pre-login sandboxed process :) OpenSSL is a highly complex piece of software
> compared to what Dovecot has to do.
>
> The one thing I have been considering is that Dovecot's pre-login process would
> present the client's SSL certificate to Dovecot's auth process, which would
> independently verify that it's correct. That could be useful I think, although
> it would also present an additional attack layer to the auth process in case
> there are OpenSSL vulnerabilities (and auth process may run with more
> privileges than login process).
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org
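A Dovecot 2.x configuration fragment that produces the behaviour discussed in the thread (the TLS handshake completes even without a client certificate, and the login process refuses authentication afterwards). This is an added illustration, not the configuration from the original mail; the setting names are standard Dovecot 2.2 options, the file paths are placeholders.

```conf
# conf.d/10-ssl.conf (paths are placeholders)
ssl = required
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key
# CA that issued the client certificates
ssl_ca = </etc/dovecot/client-ca.pem
# Ask the client for a certificate during the TLS handshake and have OpenSSL
# verify it against ssl_ca. A client that sends no certificate still completes
# the handshake: as Timo explains above, OpenSSL does not drop it at this point,
# and the only code it reaches is the sandboxed pre-login process.
ssl_verify_client_cert = yes

# conf.d/10-auth.conf
# Authentication is refused when no valid client certificate was presented;
# this is where the rejection described in the thread actually happens.
auth_ssl_require_client_cert = yes
```

To confirm the behaviour, connect with `openssl s_client -connect host:993` without `-cert`/`-key`: the handshake and the IMAP greeting succeed, and a LOGIN attempt is then refused.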