After a bit of a struggle I've managed to configure Dovecot to require client certificates for users logging in, and it works well.
However, I also want to set up a web-mail solution (Roundcube) which needs to be able to connect via IMAP, but doesn't appear to be capable of sending a client certificate. I'm configuring it to use port 143 (unencrypted) as the connection occurs over a trusted network, and with this in mind I've added my local network to Dovecot's login_trusted_networks so that plaintext authentication works as well.
Unfortunately when Roundcube connects, it's still being asked for a client certificate even though the connection doesn't have SSL enabled.
I've already limited the requirement for client certificates to avoid issues with Postfix using the following:
# Client-certificate requirement for every protocol except SMTP (Postfix)
protocol !smtp {
    ssl_ca = </etc/dovecot/ca/dovecot-ca.pem
    ssl_verify_client_cert = yes
    ssl_cert_username_field = commonName
    auth_ssl_require_client_cert = yes
    auth_ssl_username_from_cert = yes
}
However, I don't know how I can restrict this further to only encrypted connections. I don't allow remote access to unencrypted protocols, except for port 25 as necessary for sending e-mail between servers.
As a security note, the same certificate protecting IMAPS connections is also used for client authentication by nginx, so the webmail is already restricted by certificate, though I may switch to some other second layer of authentication for mobility (e.g. some kind of two-factor API).
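As an added check that is not part of the original question: the script below uses openssl s_client to report which Dovecot listeners actually request a client certificate during the TLS handshake (implicit TLS on 993, and STARTTLS on 143), which is the first thing to confirm before narrowing the configuration. The host name is supplied as the first argument; the output parsing relies on s_client's own "Acceptable client certificate CA names" / "No client certificate CA names sent" lines.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): does each Dovecot listener
# send a TLS CertificateRequest? Usage: ./probe_dovecot_certs.sh mail.example.invalid

# Classify openssl s_client output. When the server asks for a client
# certificate, s_client prints the list of acceptable CA names; otherwise it
# prints "No client certificate CA names sent". Anything else (e.g. a failed
# connection) is reported as unknown.
classify_cert_request() {
    if printf '%s\n' "$1" | grep -q '^Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$1" | grep -q '^No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Probe one listener. $2 = yes means upgrade a plaintext IMAP session with
# STARTTLS (port 143); otherwise the port speaks TLS from the start (port 993).
probe() {
    host="$1"; port="$2"; starttls="$3"
    if [ "$starttls" = yes ]; then
        out=$(openssl s_client -connect "$host:$port" -starttls imap </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    fi
    printf '%s:%s client certificate %s\n' "$host" "$port" "$(classify_cert_request "$out")"
}

main() {
    probe "$1" 993 no
    probe "$1" 143 yes
}

# Only contact a server when a host name is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

A result of "not-requested" on 143 with "requested" on 993 means the listeners differ at the TLS layer, so a remaining "certificate required" failure on the plaintext port is coming from the auth settings rather than the handshake.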