changeset 6364:7ad61f00ee55 HEAD

Added ssl_cert_username_field setting.
author Timo Sirainen <tss@iki.fi>
date Sun, 09 Sep 2007 05:54:32 +0300
parents 2b6e69bda3ec
children dee75c83d6f4
files dovecot-example.conf src/login-common/ssl-proxy-openssl.c src/master/login-process.c src/master/master-settings-defs.c src/master/master-settings.c src/master/master-settings.h
diffstat 6 files changed, 24 insertions(+), 2 deletions(-) [+]
--- a/dovecot-example.conf	Sun Sep 09 05:30:20 2007 +0300
+++ b/dovecot-example.conf	Sun Sep 09 05:54:32 2007 +0300
@@ -107,6 +107,11 @@
 # ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
 
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
 # How often to regenerate the SSL parameters file. Generation is quite CPU
 # intensive operation. The value is in hours, 0 disables regeneration
 # entirely.
--- a/src/login-common/ssl-proxy-openssl.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Sep 09 05:54:32 2007 +0300
@@ -66,6 +66,7 @@
 static SSL_CTX *ssl_ctx;
 static struct hash_table *ssl_proxies;
 static struct ssl_parameters ssl_params;
+static int ssl_username_nid;
 
 static void plain_read(struct ssl_proxy *proxy);
 static void ssl_read(struct ssl_proxy *proxy);
@@ -522,7 +523,7 @@
 		return NULL; /* we should have had it.. */
 
 	if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
-				      NID_commonName, buf, sizeof(buf)) < 0)
+				      ssl_username_nid, buf, sizeof(buf)) < 0)
 		name = "";
 	else
 		name = t_strndup(buf, sizeof(buf));
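Review bot: Now that the NID is configurable, the `< 0` test on the X509_NAME_get_text_by_NID line still only detects a missing attribute: an attribute value longer than `buf` is (as far as I recall OpenSSL's behaviour) silently cut to `sizeof(buf) - 1` bytes, and a value containing an embedded NUL is cut short again at `t_strndup`, so the username handed on can differ from what the certificate actually carries. I'd keep the returned length and reject the mismatch cases, e.g. `int len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509), ssl_username_nid, buf, sizeof(buf));` followed by `if (len < 0 || len >= (int)sizeof(buf) - 1 || strlen(buf) != (size_t)len) name = ""; else name = t_strndup(buf, len);`. The example config recommends x500UniqueIdentifier, which is not necessarily a character-string attribute type, so whether the raw bytes copied for it are meaningful as a username depends on the OpenSSL version — worth confirming. The enclosing function starts before this hunk.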
@@ -681,7 +682,7 @@
 void ssl_proxy_init(void)
 {
 	static char dovecot[] = "dovecot";
-	const char *cafile, *certfile, *keyfile, *cipher_list;
+	const char *cafile, *certfile, *keyfile, *cipher_list, *username_field;
 	char *password;
 	unsigned char buf;
 
@@ -760,6 +761,17 @@
 					   SSL_load_client_CA_file(cafile));
 	}
 
+	username_field = getenv("SSL_CERT_USERNAME_FIELD");
+	if (username_field == NULL)
+		ssl_username_nid = NID_commonName;
+	else {
+		ssl_username_nid = OBJ_txt2nid(username_field);
+		if (ssl_username_nid == NID_undef) {
+			i_fatal("Invalid ssl_cert_username_field: %s",
+				username_field);
+		}
+	}
+
 	/* PRNG initialization might want to use /dev/urandom, make sure it
 	   does it before chrooting. We might not have enough entropy at
 	   the first try, so this function may fail. It's still been
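Review bot: The `username_field == NULL` branch after the getenv call can only be taken when the master did not export SSL_CERT_USERNAME_FIELD at all, since login-process.c now always exports it; an empty `ssl_cert_username_field =` therefore reaches OBJ_txt2nid and aborts with a message whose value part is blank. Either treat an empty value like an unset one, `if (username_field == NULL || *username_field == '\0')`, or make the fail-closed choice explicit with a comment such as `/* Unknown field name: refuse to start instead of silently falling back to commonName. */`. If I read OBJ_txt2nid right, it resolves only short names, long names and OIDs already present in OpenSSL's object table, so an arbitrary numeric OID yields NID_undef and is rejected as well — a word about that in the example config would save admins a puzzling fatal error. ssl_proxy_init continues past the end of this hunk.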
--- a/src/master/login-process.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/login-process.c	Sun Sep 09 05:54:32 2007 +0300
@@ -542,6 +542,8 @@
 			env_put(t_strconcat("SSL_CIPHER_LIST=",
 					    set->ssl_cipher_list, NULL));
 		}
+		env_put(t_strconcat("SSL_CERT_USERNAME_FIELD=",
+				    set->ssl_cert_username_field, NULL));
 		if (set->ssl_verify_client_cert)
 			env_put("SSL_VERIFY_CLIENT_CERT=1");
 	}
--- a/src/master/master-settings-defs.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings-defs.c	Sun Sep 09 05:54:32 2007 +0300
@@ -27,6 +27,7 @@
 	DEF_STR(ssl_key_password),
 	DEF_INT(ssl_parameters_regenerate),
 	DEF_STR(ssl_cipher_list),
+	DEF_STR(ssl_cert_username_field),
 	DEF_BOOL(ssl_verify_client_cert),
 	DEF_BOOL(disable_plaintext_auth),
 	DEF_BOOL(verbose_ssl),
--- a/src/master/master-settings.c	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.c	Sun Sep 09 05:54:32 2007 +0300
@@ -183,6 +183,7 @@
 	MEMBER(ssl_key_password) "",
 	MEMBER(ssl_parameters_regenerate) 168,
 	MEMBER(ssl_cipher_list) "",
+	MEMBER(ssl_cert_username_field) "commonName",
 	MEMBER(ssl_verify_client_cert) FALSE,
 	MEMBER(disable_plaintext_auth) TRUE,
 	MEMBER(verbose_ssl) FALSE,
--- a/src/master/master-settings.h	Sun Sep 09 05:30:20 2007 +0300
+++ b/src/master/master-settings.h	Sun Sep 09 05:54:32 2007 +0300
@@ -41,6 +41,7 @@
 	const char *ssl_key_password;
 	unsigned int ssl_parameters_regenerate;
 	const char *ssl_cipher_list;
+	const char *ssl_cert_username_field;
 	bool ssl_verify_client_cert;
 	bool disable_plaintext_auth;
 	bool verbose_ssl;