[PLUG] imap server that allows ssl certificate based authentication?

Michael Rasmussen michael at jamhome.us
Mon Oct 26 23:43:57 UTC 2015


On Mon, Oct 26, 2015 at 03:55:29PM -0700, Martin A. Brown wrote:
> 
> Good afternoon,
> 
> >> > My current imap server is Courier. And having finally set up 
> >> > mutt to use imap based message stores I'd like to also use my 
> >> > ssl shared key for authentication.  Courier does not support 
> >> > this.  What imap servers do?
> >> > 
> >> > (currently searching Dovecot references...)
> [snip]
> 
> You appear to be asking about SSL in the subject line, but referring 
> to a 'shared key stored in ~/.ssh' in the body.  It is unclear from 
> this whether you mean ssh or client-identifying SSL certificates.  
> 
> That is probably immaterial given that you simply want to use mutt 
> to talk to your (courier) imapd.
> 
> Given:
> 
>   A) your question sounds like you are asking only for yourself
>   B) the convenient factor that courier-imap functions as a forked 
>      one-process-per-connection service
>   C) you already have shell access to the remote server (sounds like
>      it is yours)
> 
> Then:
> 
>   Why not use ssh as the transport instead of bothering with SSL?
> 
> In that case you could use a force-command option in 
> ~/.ssh/authorized_keys (server side):
> 
>   command="/usr/lib/courier-imap/bin/imapd Maildir"
> 
> If you need to set a bunch of environment variables ahead of time, 
> then simply replace that command="" with the path to a shell script 
> that sets the appropriate envars and ends with:
> 
>   exec \
>     /usr/lib/courier-imap/bin/imapd Maildir
> 
> Or whatever suits your fancy.
> 
> >Much like being able to ssh to another server when you have the 
> >keys set up.
> 
> If you actually meant that you want your server (couriertls) to 
> validate an offered client certificate, then you could also use an 
> SSL-capable transport layer shim like stunnel [0] (cf. Bri Hatch 
> from Seattle's gslug).
> 
> That's all,
> 
> -Martin
> 
> P.S. What versions of the various courier tools are you using in 
> order to get mutt to communicate happily with the imapd?
> 
>  [0] https://www.stunnel.org/features.html

I was conflating use of ssh and SSL certs.
One can put your password in .muttrc but clear text passwords are a bad habit.
So I was exploring a way to use public key to authenticate the imap session.
Courier is v4.9.1 - it was chosen years ago and the decision has not been revisited. Not that I'm averse to doing so.
stunnel would work, I'll weigh it vs coercing imap server to fit my whim.

I now have a working system and the improvements will be incremental.

FWIW - this all started when I wanted to run mutt from my laptop instead of sshing to my server for email.  
In past trials I've found Thunderbird to be slow and ugly and web mail options to be cumbersome. 


-- 
      Michael Rasmussen, Portland Oregon  
    Be Appropriate && Follow Your Curiosity
I'm talking about large trends here, and therefore when I say things like
"nobody" I really mean "fewer than 10,000,000 people."
    ~ Joel Spolsky
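
An added example, not part of either message: a small Python check for the `~/.ssh/authorized_keys` force-command approach suggested in the quoted reply. A forced command does not by itself switch off port, agent or X11 forwarding, so the check reports whether a key dedicated to IMAP has both the forced command and those restrictions. The key material and sample entries are constructed; the option names are OpenSSH's own.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
LOCKDOWN = ("no-port-forwarding", "no-agent-forwarding",
            "no-X11-forwarding", "no-pty")
# name, optional double-quoted value (\" allowed inside), then ',' or blanks
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|[ \t]+|$)')

IMAPD = "/usr/lib/courier-imap/bin/imapd Maildir"     # command from the thread
KEY = "ssh-ed25519 AAAAC3CONSTRUCTEDKEY user@laptop"  # constructed placeholder
SAMPLES = {                                           # constructed entries
    "plain": KEY,
    "forced_only": f'command="{IMAPD}" {KEY}',
    "locked": f'command="{IMAPD}",{",".join(LOCKDOWN)} {KEY}',
    "bad_quotes": f"command='{IMAPD}' {KEY}",
}

def parse_entry(line):
    """Return ({option: value}, key_part), or (None, rest) if options don't parse."""
    line, opts, pos = line.strip(), {}, 0
    while not line.startswith(KEY_PREFIXES, pos):
        m = OPT.match(line, pos)
        if not m:
            return None, line[pos:]
        opts[m.group(1).lower()] = m.group(2)  # option keywords are case-insensitive
        pos = m.end()
    return opts, line[pos:]

def audit(line):
    """Return findings for a key that should only ever run the IMAP daemon."""
    opts, _key = parse_entry(line)
    if opts is None:
        return ["options do not parse (values must be double-quoted)"]
    findings = []
    if "command" not in opts:
        findings.append("no forced command: key allows a normal login")
    if "restrict" not in opts:  # 'restrict' switches all of LOCKDOWN on at once
        findings += [f"missing {o}" for o in LOCKDOWN if o.lower() not in opts]
    return findings

for name, entry in SAMPLES.items():
    print(f"{name}: {audit(entry) or 'ok'}")
```
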


