[PLUG] imap server that allows ssl certificate based authentication?

Martin A. Brown martin at linux-ip.net
Mon Oct 26 22:55:29 UTC 2015


Good afternoon,

>> > My current imap server is Courier. And having finally set up 
>> > mutt to use imap based message stores I'd like to also use my 
>> > ssl shared key for authentication.  Courier does not support 
>> > this.  What imap servers do?
>> > 
>> > (currently searching Dovecot references...)
>>
>> I've used both dovecot and courier with SSL certificates so i'm 
>> not sure why you are not able to.
>> 
>> I might be misunderstanding what an SSL shared key is.
>
>This is for client authentication when connecting to the imap 
>server.

So, you would like to use a client-side SSL certificate and you want 
the server to validate that certificate?

  https://www.stunnel.org/features.html

>Rather than checking my password against /etc/shadow I want 
>it to request my shared key stored in ~/.ssh and compare to the 
>public version in ~/.ssh on the mail server.

You appear to be asking about SSL in the subject line, but referring 
to a 'shared key stored in ~/.ssh' in the body.  It is unclear from 
this whether you mean ssh or client-identifying SSL certificates.  

That is probably immaterial given that you simply want to use mutt 
to talk to your (courier) imapd.

Given:

  A) your question sounds like you are asking only for yourself
  B) the convenient factor that courier-imap functions as a forked 
     one-process-per-connection service
  C) you already have shell access to the remote server (sounds like
     it is yours)

Then:

  Why not use ssh as the transport instead of bothering with SSL?

In that case you could use a force-command option in 
~/.ssh/authorized_keys (server side):

  command="/usr/lib/courier-imap/bin/imapd Maildir"

If you need to set a bunch of environment variables ahead of time, 
then simply replace that command="" with the path to a shell script 
that sets the appropriate envars and ends with:

  exec \
    /usr/lib/courier-imap/bin/imapd Maildir

Or whatever suits your fancy.

>Much like being able to ssh to another server when you have the 
>keys set up.

If you actually meant that you want your server (couriertls) to 
validate an offered client certificate, then you could also use an 
SSL-capable transport layer shim like stunnel [0] (cf. Bri Hatch 
from Seattle's gslug).

That's all,

-Martin

P.S. What versions of the various courier tools are you using in 
order to get mutt to communicate happily with the imapd?

 [0] https://www.stunnel.org/features.html

-- 
Martin A. Brown
http://linux-ip.net/
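The forced-command approach Martin sketches above, written out as an added example (this is not code from the post or from the courier project). The imapd path and the Maildir argument are taken from the message; the wrapper location, the key material and the restriction options are assumptions. The wrapper refuses to run if the ssh client tried to pass its own command, pins the key to nothing but imapd, and execs so no shell is left behind:

```shell
#!/bin/sh
# Constructed example: a forced-command wrapper for courier-imap over ssh,
# plus a helper that renders a locked-down ~/.ssh/authorized_keys entry.
# Install as /usr/local/bin/imapd-wrapper (assumed path) on the mail server.

IMAPD=/usr/lib/courier-imap/bin/imapd   # path quoted in the original post
MAILDIR=Maildir                         # relative to the login user's $HOME

# Render one authorized_keys line.  sshd requires double quotes around the
# command= argument.  The extra options keep the key from being used for a
# shell, a pty, port forwarding or agent forwarding: the key can only ever
# start imapd, which limits what a stolen private key is worth.
#   $1 = command to force, $2 = public key ("type base64 comment")
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2"
}

# Entry point when sshd runs us as the forced command.
run_imapd() {
    # sshd puts whatever the client asked for into SSH_ORIGINAL_COMMAND.
    # A pinned key should never carry a client-chosen command; refuse it.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "imapd-wrapper: rejecting client-supplied command" >&2
        return 1
    fi
    # Set up whatever environment imapd expects here (the exact variables
    # depend on your courier-imap configuration; none are assumed here).
    umask 077
    cd "${HOME:?HOME must be set}" || return 1
    # exec replaces this shell so only imapd remains for the session.
    exec "$IMAPD" "$MAILDIR"
}

# Usage:
#   imapd-wrapper run                      (what authorized_keys forces)
#   imapd-wrapper keyline 'ssh-ed25519 AAAA... user@laptop'
case "${1:-}" in
    run)     run_imapd ;;
    keyline) authorized_keys_line '/usr/local/bin/imapd-wrapper run' "$2" ;;
esac
```

On the client side mutt can drive this directly through its `tunnel` setting (for example `set tunnel="ssh -q mailhost /usr/local/bin/imapd-wrapper run"`, assuming the wrapper path above), so no IMAP port needs to be reachable over the network at all.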