> On 19/05/2023 09:44 EEST Sean Gallagher <s...@teletech.com.au> wrote:
> 
>  
> > What is your use-case for validation here? Did you mean submission? It has 
> > actual authentication and can do client cert name validation with 
> > auth_ssl_username_from_cert.
> 
> I've been pulling apart an old monolithic server and putting various 
> systems into dedicated containers. To this end I have put Dovecot and 
> the user mailboxes into their own container and set up an LMTPS link 
> between the MSA container (Postfix) and the MDA container (Dovecot). Mail 
> submissions go directly to the MSA. Both the MSA and MDA independently 
> connect back to an LDAP database (in another container) for 
> authentication/validation. All the containers have valid public 
> certificates which I would like to use throughout but Dovecot is the 
> standout exception. It can't check the MSA's certificate.
> 
> In short, I want to check that all deliveries come from the MSA 
> container, with stronger checks than IP addresses alone. On the 
> monolithic server, the deliveries flowed over an IPC socket. I'd like a 
> similar level of security.
> 
> I've created a single-use CA and used it to sign a certificate for the 
> MSA to connect with over LMTP, but the arrangement is a bit of an 
> embarrassment. All for the sake of a few lines of code to check the name 
> on the certificate.
> 
> Mail redirects (from sieve scripts) flow back in the other direction over 
> SMTPS. This uses the regular PKI infrastructure.
> 
> As a side note, it would be nice to be able to specify the bind address 
> of the SMTP client. The interfaces tend to have several IPv6 addresses. 
> It's hard to predict which one the operating system will choose.
> 
> At least now I know I have taken it as far as I can.
> 
> Regards
> 
> Sean
> 

Seems there indeed is no way to require SSL cert for LMTP client connection. 
This seems to be a bug. I'll put this into our tracker.

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
