dovecot require client to send cert
luzar722 at gmail.com
Fri Jun 19 16:14:37 UTC 2015
I have dovecot installed and configured as pop3 server requiring ssl/tls
which is working.
I want to tighten security even more by requiring my Thunderbird client
to present an access certificate when accessing the dovecot pop3 server.
It's documented here http://wiki2.dovecot.org/SSL/DovecotConfiguration
section titled "Client certificate verification/authentication".
Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate,
you'll need these settings:
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes
The CA file should contain the certificate(s) followed by the matching
Note that the CRLs are required to exist.
For a multi-level CA place the certificates in this order:
1. Issuing CA cert
2. Issuing CA CRL
3. Intermediate CA cert
4. Intermediate CA CRL
5. Root CA cert
6. Root CA CRL
The certificates and the CRLs have to be in PEM format.
I think my problem is centered on this "Note that the CRLs are required
Are CRLs still required?
Need pointer to how-to about doing this.
This is what I run to create the self signed key/cert for dovecot.
# This was downloaded from dovecot website.
# Generates a self-signed certificate in a single step.
# Doesn't use a config file
# Without -subj it prompts interactively for the certificate subject.
openssl req -new -x509 -nodes -days 3650 \
-keyout /usr/local/etc/dovecot/dovecot-key.pem \
-out /usr/local/etc/dovecot/dovecot-cert.pem
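The bundle layout the quoted wiki section describes, as an added example that is not from the original post or from Dovecot: a POSIX shell script that creates a self-signed client CA with openssl, issues the (empty) CRL the wiki says must exist, concatenates the two in the documented order, and checks that order. All file names and the "Example Client CA" subject are constructed for the example.

```shell
# Added example, not Dovecot's or the poster's code. Builds a one-level
# ssl_ca bundle (CA cert, then its CRL) and checks the cert/CRL ordering.
# Assumes the openssl CLI; file names and the CA subject are constructed.
build_dovecot_ca_bundle() (
  set -e
  dir="$1"; mkdir -p "$dir"; cd "$dir"
  # Minimal config so `openssl ca -gencrl` has a database and CRL number.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = client_ca
[ client_ca ]
database         = ./index.txt
crlnumber        = ./crlnumber
private_key      = ./ca-key.pem
certificate      = ./ca-cert.pem
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  : > index.txt; echo 01 > crlnumber
  # 1. Self-signed CA that will issue the Thunderbird client certificates.
  openssl req -new -x509 -nodes -days 3650 -config ca.cnf \
    -subj "/CN=Example Client CA" -keyout ca-key.pem -out ca-cert.pem
  # 2. Its CRL: empty is fine, but Dovecot requires that it exists.
  openssl ca -config ca.cnf -gencrl -out ca-crl.pem
  # 3. Concatenate in the documented order: certificate, then matching CRL.
  cat ca-cert.pem ca-crl.pem > ca.pem
  # Sanity check: the CRL is signed by the certificate that precedes it.
  openssl crl -in ca-crl.pem -CAfile ca-cert.pem -noout
  echo "$(pwd)/ca.pem"   # use this path as ssl_ca = </path/to/ca.pem
)

# Prints the bundle's block sequence (C = cert, R = CRL) and fails unless
# every certificate is immediately followed by a CRL.
check_bundle_order() {
  seq=$(grep -E '^-----BEGIN (CERTIFICATE|X509 CRL)-----' "$1" \
    | sed -e 's/^-----BEGIN CERTIFICATE-----$/C/' -e 's/^-----BEGIN X509 CRL-----$/R/' \
    | tr -d '\n')
  echo "$seq"
  case "$seq" in
    ""|R*|*C|*CC*|*RR*) return 1 ;;
  esac
}
```

For a multi-level CA, repeat the cert-then-CRL pair for each level in the order the wiki lists and run the check on the combined file.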