Topic: Client Certificate Authentication and Dovecot

Haravikk (Newbie, Posts: 2)
« on: January 30, 2016, 08:08:09 AM »
So I've posted about this problem to the Dovecot mailing list as well, but since it's specifically Roundcube where I'm falling down I thought perhaps other Roundcube users may have encountered the same or a similar issue.

Basically I want to enable client certificate authentication for IMAPS connections, which requires Dovecot's auth_ssl_require_client_cert to be set to yes (along with related settings). The problem I'm experiencing, however, is that setting this to yes causes Dovecot to require a client certificate on all connections, not just encrypted ones, so although I've configured Roundcube to use an unencrypted IMAP connection accessible only to my trusted private network, it's still being challenged for a certificate that it can't provide.

I've already made an exception to client certificates for SMTP to prevent issues with postfix authentication, using the following dovecot configuration:

Code:
protocol !smtp {
    # Dovecot settings take no trailing semicolon
    auth_ssl_require_client_cert = yes
}

This enables it only for non-SMTP protocols, allowing postfix to continue to authenticate users via dovecot, but this fix only seems to apply to an entire protocol, not to a specific port. What I need to be able to do is also make an exception for unencrypted IMAP, so that I can allow Roundcube to connect that way without requiring a client certificate. The problem really is that the auth_ssl_require_client_cert can't just be placed anywhere; it doesn't seem to be valid in local or remote blocks, or in listeners (where the actual port numbers are defined). More annoying is that it also seems to override the ssl_verify_client_cert setting, so although I can happily set ssl_verify_client_cert to no for particular connections, dovecot is requesting a client certificate anyway.

As a note: I don't know if Roundcube can pass on a client certificate via IMAP, but I don't actually want to enable client certificate authentication for webmail, as I'm instead requiring the use of two-factor authentication, which I feel gives a better balance of security and portability by not requiring a certificate to be installed on a public computer (which may not even be possible). However, I still want client certificates for remote IMAPS connections for the added security on regular mail clients.


The only workaround I can think of myself would be to force mail clients to use POP3, so that I can disable client certificates for all IMAP connections (thus enabling Roundcube), but really I'd like to disable POP support completely.