Date: Fri, 19 Jun 2015 12:14:45 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org
Subject: dovecot require client to send cert
Message-ID: <55843FF5.5050205@gmail.com>
Hello List;

I have dovecot installed and configured as pop3 server requiring ssl/tls which is working. I want to tighten security even more by requiring my Thunderbird client to present an access certificate when accessing the dovecot pop3 server.

It's documented here http://wiki2.dovecot.org/SSL/DovecotConfiguration section titled "Client certificate verification/authentication".

  Client certificate verification/authentication

  If you want to require clients to present a valid SSL certificate, you'll need these settings:

    ssl_ca = </etc/ssl/ca.pem
    ssl_verify_client_cert = yes
    auth_ssl_require_client_cert = yes
    #ssl_username_from_cert = yes

  The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:

    1. Issuing CA cert
    2. Issuing CA CRL
    3. Intermediate CA cert
    4. Intermediate CA CRL
    5. Root CA cert
    6. Root CA CRL

  The certificates and the CRLs have to be in PEM format.

I think my problem is centered on this "Note that the CRLs are required to exist." Are CRLs still required? Need pointer to how-to about doing this.

This is what I run to create the self signed key/cert for dovecot.

    #!/bin/sh
    # This was downloaded from dovecot website.
    # Generates a self-signed certificate in a single step.
    # Doesn't use a config file
    openssl req -new -x509 -nodes -days 3650 \
      -keyout /usr/local/etc/dovecot/dovecot-key.pem \
      -out /usr/local/etc/dovecot/dovecot-cert.pem \
      -subj '/C=US/ST=Ohio/L=Cleveland/O=powerman/CN=26.26.26.26'
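Added example (not part of the message above and not Dovecot's own code): an sh script that builds a throwaway client CA in a temp directory, issues an empty CRL with "openssl ca -gencrl", signs one client certificate, and assembles ca.pem in the order the quoted wiki text gives (issuing CA cert, then its CRL). The final check runs "openssl verify -crl_check" against the bundle, which is what "the CRLs are required to exist" amounts to: a bundle without the CRL fails verification. Paths, names and the CN "alice" are constructed for the example.

```sh
#!/bin/sh
# Constructed example (not Dovecot's code): build a client CA, an empty CRL,
# and a ca.pem bundle in the wiki's order (CA cert, then CRL), then verify.
set -eu
WORK=$(mktemp -d)
CNF="$WORK/ca.cnf"
# Minimal openssl.cnf: 'openssl ca -gencrl' needs a database and CRL number.
cat > "$CNF" <<EOF
[ ca ]
default_ca = clientca
[ clientca ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir
certificate = \$dir/ca-cert.pem
private_key = \$dir/ca-key.pem
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"

# 1. Self-signed CA that signs the POP3 client certificates.
openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 \
  -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" \
  -subj '/C=US/O=example-lab/CN=Mail client CA' 2>/dev/null
# 2. CRL with nothing revoked; Dovecot still wants it in the bundle.
openssl ca -config "$CNF" -gencrl -out "$WORK/ca-crl.pem" 2>/dev/null
# 3. Client cert for one mail user (CN is what ssl_username_from_cert uses).
openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/client-key.pem" \
  -out "$WORK/client.csr" -subj '/CN=alice' 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca-cert.pem" \
  -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 365 -sha256 \
  -out "$WORK/client-cert.pem" 2>/dev/null
# 4. ca.pem for ssl_ca: issuing CA cert followed by its CRL, both PEM.
cat "$WORK/ca-cert.pem" "$WORK/ca-crl.pem" > "$WORK/ca.pem"

# Verify a client cert against a bundle with CRL checking on, as Dovecot's
# OpenSSL will; a bundle with no CRL fails ("unable to get certificate CRL").
verify_client() {   # $1 = CA bundle, $2 = client cert; exit status 0 = accepted
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}
verify_client "$WORK/ca.pem" "$WORK/client-cert.pem"
```

For a real deployment, re-run the -gencrl step before each CRL's next-update time (30 days here) and replace the CRL section of ca.pem, since an expired CRL fails the check just as a missing one does.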