Hi, please have a look at the attached patch for dovecot-1.0.3. This patch modifies ssl_proxy_get_peer_name() to use NID_x500UniqueIdentifier as the username instead of NID_commonName.

The reason is that the Common Name doesn't have to be unique for the whole mail server. Example: in Germany a lot of people have the first name "Andreas" and the last name "Schulz". Therefore a lot of certificates exist with subjects like this:

C=DE,O=ABC,CN=Andreas Schulz/[EMAIL PROTECTED]
C=DE,O=DEF,CN=Andreas Schulz/[EMAIL PROTECTED]
...

Dovecot couldn't distinguish between these users. So we decided to use certificates with an X509v3 extension NID_x500UniqueIdentifier, which allows extending the subject by a unique ID, e.g. the unix uid or a database unique key. The new certificates may look like this:

C=DE,O=ABC,CN=Andreas Schulz/[EMAIL PROTECTED]/x500UniqueIdentifier=user1
C=DE,O=DEF,CN=Andreas Schulz/[EMAIL PROTECTED]/x500UniqueIdentifier=user2

With the attached patch the user is taken from this extension, and e.g. with userdb=ldap you can use the filter string

user_filter = (&(objectClass=posixAccount)(uid=%u))

A good solution to use both the common name and the UniqueIdentifier is to extend settings like

ssl_username_from_cert = no | yes | cn | uid

where "yes" is similar to "cn".

Regards,
Sandro Wefel
diff -urN dovecot-1.0.3.orig/src/login-common/ssl-proxy-openssl.c dovecot-1.0.3.saw/src/login-common/ssl-proxy-openssl.c --- dovecot-1.0.3.orig/src/login-common/ssl-proxy-openssl.c 2007-07-15 21:51:07.000000000 +0200 +++ dovecot-1.0.3.saw/src/login-common/ssl-proxy-openssl.c 2007-08-30 14:24:21.000000000 +0200 @@ -525,8 +525,9 @@ if (x509 == NULL) return NULL; /* we should have had it.. */ + /* SAW: replace NID_commonName by NID_x500UniqueIdentifier */ if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509), - NID_commonName, buf, sizeof(buf)) < 0) + NID_x500UniqueIdentifier, buf, sizeof(buf)) < 0) name = ""; else name = t_strndup(buf, sizeof(buf));
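Review bot: the hunk replaces NID_commonName unconditionally, so every existing deployment whose client certificates carry only a CN will now take the `< 0` branch of X509_NAME_get_text_by_NID() and get `name = ""`, and those logins stop working with no log line explaining why. The cover text already proposes the right shape, `ssl_username_from_cert = no | yes | cn | uid`; that setting belongs in this patch, with `yes`/`cn` keeping NID_commonName and only `uid` selecting NID_x500UniqueIdentifier, ideally with an i_warning() or similar when the chosen attribute is missing. Two smaller points: the new comment `/* SAW: replace NID_commonName by NID_x500UniqueIdentifier */` records initials and restates the diff rather than saying why the attribute is used (uniqueness of the username), and since the value is read through X509_get_subject_name() it is a subject DN attribute, not an X509v3 extension as the cover text calls it; the commit message should say so to avoid people looking for it in the extensions block.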
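As an added example that is not part of the post or of Dovecot, the following script issues constructed test certificates in the two subject layouts described above and shows what a username lookup by CN versus by x500UniqueIdentifier returns, including the legacy case where the attribute is absent. It assumes the openssl command-line tool is installed; the subjects and file names are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original patch or of Dovecot. It issues
# throw-away self-signed client certificates whose subjects follow the layout
# in the post and shows what a login keyed on CN versus x500UniqueIdentifier
# would see. Assumes the openssl command-line tool is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed certificate with the given subject and print its path.
issue_cert() {
    # $1 = file name stem, $2 = subject in openssl's "/attr=value" form
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    echo "$WORK/$1.crt"
}

# Print one attribute of the subject DN, or nothing if the subject lacks it,
# mirroring what X509_NAME_get_text_by_NID() hands back to dovecot.
subject_attr() {
    # $1 = certificate path, $2 = attribute short name (CN, x500UniqueIdentifier)
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname \
        | sed 's/^ *//' \
        | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Username selection as the post proposes: mode "cn" keeps today's behaviour,
# mode "uid" is what the patch hard-codes.
cert_username() {
    # $1 = certificate path, $2 = cn | uid
    case "$2" in
        cn)  subject_attr "$1" CN ;;
        uid) subject_attr "$1" x500UniqueIdentifier ;;
        *)   echo "unknown mode: $2" >&2; return 1 ;;
    esac
}

# Constructed sample certificates: two users sharing a CN, plus a legacy
# certificate that carries no x500UniqueIdentifier at all.
CERT_A=$(issue_cert a "/C=DE/O=ABC/CN=Andreas Schulz/x500UniqueIdentifier=user1")
CERT_B=$(issue_cert b "/C=DE/O=DEF/CN=Andreas Schulz/x500UniqueIdentifier=user2")
CERT_OLD=$(issue_cert old "/C=DE/O=GHI/CN=Andreas Schulz")

for mode in cn uid; do
    printf '%-4s A=[%s] B=[%s] legacy=[%s]\n' "$mode" \
        "$(cert_username "$CERT_A" "$mode")" \
        "$(cert_username "$CERT_B" "$mode")" \
        "$(cert_username "$CERT_OLD" "$mode")"
done
```

The "cn" line shows both users collapsing to the same name, and the "uid" line shows the legacy certificate yielding an empty username, which is exactly what the unconditional patch would do to every CN-only certificate in production.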
