Hi All,
I hope this is the correct place to post this. If not, apologies.
I am in the process of updating my company's email servers and am
trying to put Dovecot into an Alpine Linux container, hosted on Proxmox.
In my setup, local mail deliveries via LMTP can come from the MSA (for
int
To follow up on my previous email,
It seems the lmtp daemon does NOT support ssl_ca selection based on
remote IP. It also does NOT seem to support authorization.
The solution I arrived at was to create a separate CA, used solely for
the purpose of authorizing LDAP clients.
openssl genpkey-alg
In a previous post to this list I described a problem I was having
validating client certificates on inet_listener lmtp connections.
Subject: "Please Help: Dovecot ssl_ca selection based on remote IP
address filtering not working."
The problem there was that Dovecot does not "inspect" the sub
postfix can use LDAP for authentication (i.e. SASL) and for
validation ("ldap" table).
As best I can tell, postfix cannot use dovecot to validate addresses; if
you want that, you will need postfix to talk directly to ldap. GOTCHA:
use the "postconf -m" command to check that the "ldap" table is
it beyond its existence, so I'll leave others to speak to its merits. I
chose the "decoupled" configuration personally.
On 9/05/2023 6:51 pm, Sean Gallagher wrote:
postfix can use LDAP for authentication (i.e. SASL) and for
validation ("ldap" table).
As best
It gets worse! If you request a client certificate, Dovecot will not
check the name on the certificate, only that it is signed by a known CA.
I raised this issue on this list some time ago and got no response. I'm
not sure anyone is listening.
On 16/05/2023 7:54 pm, Serg via dovecot wrote:
I w
A new thread so as not to hijack Serg's request.
In my config, I forward deliveries to Dovecot over LMTPS. The machine
(there is just one for now) forwarding the mail has a certificate from a
well known and trusted CA. How can I configure Dovecot to accept mail
deliveries from that one machine
Jochen Bern wrote:
On 16.05.23 14:27, Sean Gallagher wrote:
I have a created a CA for the sole purpose of signing the certificate
of the LMTPS client. I regard this as a horrible horrible kludge.
... how do you figure that? *Someone*, and that means you, has to
specify which clients are a
We are indeed listening. And Dovecot actually can check the name on the
certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_cert
I've been studying the code, looking for any way the
"auth_ssl_username_from_cert" setting could be use
What is your use-case for validation here? Did you mean submission? It has
actual authentication and can do client cert name validation with
auth_ssl_username_from_cert.
I've been pulling apart an old monolithic server and putting various
systems into dedicated containers. To this end I hav
It feels like you are conflating Dovecot with Postfix. Dovecot doesn't
actually "relay" anything. (ignoring sieve and submission proxy).
Relaying is the job of the "Mail Transfer Agent" or MTA. This is often
Postfix but Dovecot could probably work with just about any
standards-compliant mailer.
The relaying only started and stopped when Dovecot was turned on or off.
Isn't it true that Dovecot performs an authentication function for
inbound connect requests, the success of which then may use the
submission mechanism from what Postfix takes to be an internal
connection to send emai
Useful, thanks. ... May I then presume that port 587 should be going
to Dovecot only and not Postfix? Otherwise, how was I supporting users
with this configuration:
No, you should not assume port 587 (or port 465) goes to Dovecot.
Postfix has enough smarts to handle the authentication itsel
While I am always for security improvements, the utility of this is
unclear. I will ABSTAIN from this poll.
Presently, any system administrator who intends to issue must-staple
certificates faces the dilemma to either choose to
a) Refrain from issuing must-staple certificates at all, resulting i
On 11/07/2023 5:33 pm, novoMedia via dovecot wrote:
I am not exactly sure what hosts have to do with this. The must-staple
extension is a (cryptographically ensured) flag that is 'ingrained'
into a certificate. It tells a client to only accept the certificate
if a valid and recent OCSP response
On 11/07/2023 6:18 pm, Sean Gallagher wrote:
No confrontation here. I support you with your quest. It's just not
something I think I would ever use or need - so I didn't vote for it.
I also didn't vote against it - it would be nice to have.
I should clarify. When I sa
It's been a while since I looked at this but I think you need
service lmtp {
  inet_listener lmtp {
    ssl = yes
  }
}
To restrict login by IP address
protocol lmtp {
  login_trusted_networks = 127.0.0.1
}
Also, last time I looked at this, the LMTP TLS server does not check the
subject name on a client ce
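The "separate CA" workaround from earlier in the thread, and the point made twice above (Dovecot only checks that a client cert chains to a known CA, not whose name is on it), as an added example that is not code from any poster or from Dovecot itself. It builds a CA used for nothing but authorising LMTP clients, issues two client certs from it, and shows that a chain check alone accepts both; only the extra CN comparison separates them. The CA name, the host names mx1.example.test and rogue.example.test, and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from Dovecot).
# It builds a CA used for nothing but authorising LMTP clients, issues that
# client a certificate, and shows why the CA has to be dedicated: a chain
# check only proves "signed by this CA", it says nothing about which client.
# Names (lmtp-client-ca, mx1.example.test, rogue.example.test) are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_ca: EC key + self-signed root for the dedicated client CA.
make_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=lmtp-client-ca" \
    -days 365 -out "$WORK/ca.pem" 2>/dev/null
}

# issue_client NAME: key, CSR and CA-signed certificate with CN=NAME.
issue_client() {
  name="$1"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
    -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok CERT: the check Dovecot's ssl_ca gives you on an LMTP listener,
# as described in the thread: is the cert signed by a trusted CA?
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# cn_of CERT: print the subject CN (the part the thread says is not checked).
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# authorize CERT EXPECTED_CN: chain check plus the name check an admin
# would want before accepting deliveries from one particular machine.
authorize() {
  chain_ok "$1" && [ "$(cn_of "$1")" = "$2" ]
}

# Stand-alone demo: both certs pass the chain check, only one is authorised.
make_ca
issue_client mx1.example.test
issue_client rogue.example.test
for c in mx1.example.test rogue.example.test; do
  if chain_ok "$WORK/$c.pem"; then chain=pass; else chain=FAIL; fi
  if authorize "$WORK/$c.pem" mx1.example.test; then auth=pass; else auth=FAIL; fi
  echo "$c: chain=$chain authorize(mx1.example.test)=$auth"
done
```

The rogue certificate passing chain_ok is the whole point of keeping this CA separate from anything else: every certificate it has ever signed is, to an LMTP listener that only validates the chain, an authorised client. Keep its key offline, sign only the LMTP client certs, and treat issuing a cert from it as granting delivery access.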