Hello,
I'm trying to get TLS client cert authentication to work on the LMTP socket via
TCP port 24 with Dovecot 2.4. I was already able to get TLS working on the LMTP
socket, but if I connect to it via 'openssl s_client' from another machine,
and type in a few LMTP commands, Dovecot accepts all mail without requesting a
client cert from me. The server running Dovecot is behind a firewall, so LMTP
connections should only be possible from the SMTP server in the same local
network, not from the whole internet. However, I want to guard against possible
firewall misconfigs by enforcing client certs between the incoming SMTP server
and Dovecot for mail delivery.
Is there a way to do this in Dovecot?
My /etc/dovecot/conf.d/20-lmtp.conf effectively looks like this:
lmtp_save_to_detail_mailbox = yes
lmtp_add_received_header = yes

protocol lmtp {
  mail_plugins {
    sieve = yes
  }
  ssl = required
  ssl_server_ca_file = /etc/lmtp-ca/ca.crt
  ssl_server_cert_file = /etc/lmtp-ca/local.crt
  ssl_server_key_file = /etc/lmtp-ca/private/local.key
  ssl_server_request_client_cert = yes
  # TODO: this should enforce client certs, but it does not work...
  auth_ssl_require_client_cert = yes
  ssl_server_require_crl = no
  log_debug = category=ssl OR category=auth
}
… and /etc/dovecot/conf.d/10-master.conf has:
service lmtp {
  #unix_listener lmtp {
  #  mode = 0666
  #}
  inet_listener lmtp {
    # Accept connections from anywhere, but 20-lmtp.conf configures LMTP to
    # require client certs
    listen = * ::
    port = 24
    inet_listener_ssl = yes
    # TODO: this should enforce client certs, but it does not work...
    auth_ssl_require_client_cert = yes
  }
}
I also tried enabling ssl_server_request_client_cert = yes and
auth_ssl_require_client_cert = yes globally, but this did not make a difference.
I already tried looking at the Dovecot source code, but didn't find anything
yet. I'm happy for any pointers in the right direction.
Thanks,
- Roland
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]