dovecot require client to send cert

Ernie Luzar luzar722 at
Fri Jun 19 16:14:37 UTC 2015

Hello List;

I have dovecot installed and configured as pop3 server requiring ssl/tls
which is working.
I want to tighten security even more by requiring my Thunderbird client
to present an access certificate when accessing the dovecot pop3 server.
It's documented here
section titled "Client certificate verification/authentication".

    Client certificate verification/authentication

If you want to require clients to present a valid SSL certificate,
you'll need these settings:

ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes

auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes

The CA file should contain the certificate(s) followed by the matching
Note that the CRLs are required to exist.
For a multi-level CA place the certificates in this order:

   1. Issuing CA cert
   2. Issuing CA CRL
   3. Intermediate CA cert
   4. Intermediate CA CRL
   5. Root CA cert
   6. Root CA CRL

The certificates and the CRLs have to be in PEM format.

I think my problem is centered on this "Note that the CRLs are required
to exist."
Are CRLs still required?
Need pointer to how-to about doing this.

This is what I run to create the self-signed key/cert for dovecot.
# This was downloaded from dovecot website.
# Generates a self-signed certificate in a single step.
# Doesn't use a config file

openssl req -new -x509 -nodes -days 3650 \
  -keyout /usr/local/etc/dovecot/dovecot-key.pem \
  -out /usr/local/etc/dovecot/dovecot-cert.pem \
  -subj '/C=US/ST=Ohio/L=Cleveland/O=powerman/CN='
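
One way to build the CA file the quoted documentation describes (CA certificate followed by its CRL) together with a client certificate, as an added example that is not part of the original post or of Dovecot's documentation. File names, subjects and lifetimes are constructed, and `openssl verify -crl_check` is used here as a stand-in for the server-side check.

```sh
#!/bin/sh
# Added example; every file name, subject and lifetime here is constructed.

# Build a throwaway CA, its CRL, the combined CA file and one client cert.
make_client_cert_ca() {
  mkdir -p "$1" || return 1
  (
    cd "$1" || exit 1
    : > index.txt        # empty CA database: nothing has been revoked
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = replaced by -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = mail_ca
[ mail_ca ]
database = ./index.txt
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 30
EOF
    # CA key and self-signed CA certificate
    openssl req -config ca.cnf -new -x509 -nodes -newkey rsa:2048 -days 3650 \
      -keyout ca-key.pem -out ca-cert.pem \
      -subj '/O=Example/CN=Example Mail CA' || exit 1
    # CRL signed by that CA (it lists no revoked certificates yet)
    openssl ca -config ca.cnf -gencrl -keyfile ca-key.pem -cert ca-cert.pem \
      -out ca-crl.pem || exit 1
    # CA file in the documented order: certificate first, then its CRL
    cat ca-cert.pem ca-crl.pem > ca.pem || exit 1
    # Client key and CSR, then the client certificate signed by the CA
    openssl req -config ca.cnf -new -nodes -newkey rsa:2048 \
      -keyout client-key.pem -out client.csr \
      -subj '/O=Example/CN=mailuser' || exit 1
    openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem \
      -CAcreateserial -days 365 -out client-cert.pem || exit 1
  )
}

# Verify a client cert ($2) against a CA file ($1) with CRL checking on.
check_client_cert() {
  openssl verify -crl_check -CAfile "$1" "$2"
}
```

With CRL checking on, verification against `ca.pem` succeeds, while verification against `ca-cert.pem` alone fails because no CRL for the issuer is available.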

