# Dovecot client certificate authentication



## xy16644 (May 9, 2014)

I am interested in enabling client certificate authentication with Dovecot (and Postfix). I was reading:

http://wiki2.dovecot.org/SSL/DovecotConfiguration

But I have a question:

Is it possible to make client certificate authentication with Dovecot optional? So if a user presents a client certificate they will be authenticated but if they don't then they can login "normally" using their password...is this possible?

If you enable client certificate authentication for Dovecot will this break Roundcube (since it is an IMAP front end)?

Ultimately I would like to use normal passwords for Roundcube and K9 on Android but when using Thunderbird I would like to present a client side certificate for authentication.

Thank you!


----------



## MuggenHor (Jun 9, 2017)

I've been wanting to setup the same kind of authentication configuration for a while now and thought it may be helpful to describe how I've managed to accomplish both password and certificate authentication with a single Dovecot instance.

I've done so in this article:
https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html

It's written for Debian, but the largest difference should be the location of configuration files (/etc/ instead of /usr/local/etc).


----------

