[lug] dovecot/PAM mix

bgiles at coyotesong.com bgiles at coyotesong.com
Mon Jan 1 09:16:24 MST 2007


> Has anyone here set up dovecot to require that a cert signed by the
> local server is available on the client before allowing connect? I'm
> just toying with the idea of disabling IMAP login even for clients with
> the right password if they don't have the right cert.

I think you're referring to mutual authentication.  It should be a valid
mode, although I don't know how to set it up for dovecot.  BTW the usual
mode is to set up your own CA (even if it's just command-line openssl
tools like 'ca'), create a root certificate and then sign both 'server'
and 'client' certs from that certificate.  The root certificate will have
to be available to both server and client, but the root key should be in a
safe location.  A lot of people use USB drives; I tend to use an old ZIP
drive since I have an internal drive and lots of old disks.

> I imagine that a
> big part of the problem would then be issuing certs to all the different
> clients, e.g., maybe mozilla and mutt can use the same cert format, but
> others might require yet a different cert.

They should all use X.509 certs, and only an extremely naive tool wouldn't
be able to handle both PEM and DER format.  (DER is raw binary, PEM is
base64 encoded so it can be safely transmitted over 8-bit unsafe channels
like email.)

The bigger question is whether the tools can provide client-side certs at
all.
