[PLUG] imap server that allows ssl certificate based authentication?
Martin A. Brown
martin at linux-ip.net
Mon Oct 26 22:55:29 UTC 2015
Good afternoon,
>> > My current imap server is Courier. And having finally set up
>> > mutt to use imap based message stores I'd like to also use my
>> > ssl shared key for authentication. Courier does not support
>> > this. What imap servers do?
>> >
>> > (currently searching Dovecot references...)
>>
>> I've used both dovecot and courier with SSL certificates so i'm
>> not sure why you are not able to.
>>
>> I might be misunderstanding what an SSL shared key is.
>
>This is for client authentication when connecting to the imap
>server.
So, you would like to use a client-side SSL certificate and you want
the server to validate that certificate?
https://www.stunnel.org/features.html
>Rather than checking my password against /etc/shadow I want
>it to request my shared key stored in ~/.ssh and compare to the
>public version in ~/.ssh on the mail server.
You appear to be asking about SSL in the subject line, but referring
to a 'shared key stored in ~/.ssh' in the body. It is unclear from
this whether you mean ssh or client-identifying SSL certificates.
That is probably immaterial given that you simply want to use mutt
to talk to your (courier) imapd.
Given:
A) your question sounds like you are asking only for yourself
B) the convenient factor that courier-imap functions as a forked
one-process-per-connection service
C) you already have shell access to the remote server (sounds like
it is yours)
Then:
Why not use ssh as the transport instead of bothering with SSL?
In that case you could use a force-command option in
~/.ssh/authorized_keys (server side):
command="/usr/lib/courier-imap/bin/imapd Maildir"
If you need to set a bunch of environment variables ahead of time,
then simply replace that command="" with the path to a shell script
that sets the appropriate envars and ends with:
exec \
/usr/lib/courier-imap/bin/imapd Maildir
Or whatever suits your fancy.
>Much like being able to ssh to another server when you have the
>keys set up.
If you actually meant that you want your server (couriertls) to
validate an offered client certificate, then you could also use an
SSL-capable transport layer shim like stunnel [0] (cf. Bri Hatch
from Seattle's gslug).
That's all,
-Martin
P.S. What versions of the various courier tools are you using in
order to get mutt to communicate happily with the imapd?
[0] https://www.stunnel.org/features.html
--
Martin A. Brown
http://linux-ip.net/
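As an added example (not Martin's text, and not courier's or mutt's own code), here is the ssh-as-transport setup from the message above written out as a small POSIX shell script: the authorized_keys entry, the wrapper it forces, and the matching mutt tunnel setting. The wrapper path, the host name and the use of OpenSSH's restrict option are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the pieces for the
# ssh-as-transport approach: a restricted authorized_keys entry and the
# wrapper it forces. Paths and host names are assumptions.
IMAPD=/usr/lib/courier-imap/bin/imapd      # path quoted in the thread
WRAPPER=/usr/local/bin/imapd-wrapper       # hypothetical wrapper path

# Print an authorized_keys line for the given public key. "restrict"
# (OpenSSH 7.2+) turns off pty, agent/port/X11 forwarding, so the key
# is good for nothing but the forced command, whatever the client asks.
forced_key_line() {
    printf 'restrict,command="%s" %s\n' "$WRAPPER" "$1"
}

# Write the wrapper script: ignore the client's requested command, set
# whatever environment imapd needs, then exec it on the Maildir in $HOME.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
unset SSH_ORIGINAL_COMMAND
cd "\$HOME" || exit 1
exec $IMAPD Maildir
EOF
    chmod 0755 "$1"
}

# Print the matching mutt setting: mutt speaks IMAP over the ssh pipe and
# the server side is already authenticated by the key, so no password.
mutt_tunnel_line() {
    printf 'set tunnel="ssh -q -o BatchMode=yes %s"\n' "$1"
}
```

The key line goes into ~/.ssh/authorized_keys on the mail host, the wrapper is written to $WRAPPER there, and the tunnel line goes into ~/.muttrc on the client.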