Hi.

I'm trying to test EXTERNAL AUTHENTICATION in Dovecot. To do this I first configured Thunderbird and Opera to use my server; neither of them was successful. As a result I contacted both organisations to enquire if they supported EXTERNAL AUTHENTICATION in their products. Thunderbird responded and said yes. However, on closer inspection my contact at Thunderbird identified that support for EXTERNAL AUTHENTICATION was poor at best and then only in SMTP. From that point on, my contact has been trying to implement support in Thunderbird.

I've also tried to test using openssl s_client, which is detailed below. As far as I can tell my problems appear after the authentication. I don't know what the problem is, only that there is one.

[~] # dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl  ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot//login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
  postmaster_address: postmas...@ksudra.net
auth default:
  mechanisms: EXTERNAL
  realms: ksudra.net
  default_realm: ksudra.net
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/passwd
  userdb:
    driver: passwd


[~] # openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

                   <--  snip  -->

SSL handshake has read 4460 bytes and written 2451 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1268756439
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 list "" *
01 NO [ALERT] Invalid base64 data in continued response
01 select inbox
01 BAD Error in IMAP command received by server.
02 select inbox
02 BAD Error in IMAP command received by server.
DONE

[~] # tail -f /opt/var/log/dovecot/info
Mar 16 16:51:14 auth(default): Info: new auth connection: pid=9176
Mar 16 16:51:16 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:51:16 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:06 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=45379
Mar 16 16:52:06 auth(default): Info: client out: CONT   1
Mar 16 16:52:42 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:52:42 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:42 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=45381
Mar 16 16:52:42 auth(default): Info: client out: CONT   1
Mar 16 16:52:42 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:42 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 16:52:42 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
Mar 16 16:52:42 auth(default): Info: new auth connection: pid=9182
Mar 16 16:52:45 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:45 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 16:52:45 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
Mar 16 16:52:47 imap-login: Info: Aborted login (cert required, client didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:36 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:54:36 auth(default): Info: new auth connection: pid=9188
Mar 16 16:54:37 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=49113
Mar 16 16:54:37 auth(default): Info: client out: CONT   1
Mar 16 16:54:37 auth(default): Info: client in: CONT<hidden>
Mar 16 16:54:37 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 16:54:37 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
Mar 16 16:54:42 imap-login: Info: Aborted login (cert required, client didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:49 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:54:49 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen

--
kind regards

Stephen Feyrer.
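
Added example, not part of the original post: under RFC 3501 and RFC 4422 the line that follows the server's `+` continuation is read as the base64 SASL response, so `01 list "" *` in the session above is parsed as authentication data rather than as a new command. The sketch below models the client lines for EXTERNAL (an empty line, or `=` with SASL-IR) and a toy server-side check; `server_check` and its authorization rule are assumptions for illustration, not Dovecot's code.

```python
import base64
import binascii


def external_response(authzid=""):
    """Line sent after the '+' continuation for SASL EXTERNAL.

    An empty authzid yields an empty line: the server derives the identity
    from the TLS client certificate (cert_username in the log above).
    """
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def external_initial_response(tag, authzid=""):
    """One-line form for servers advertising SASL-IR (RFC 4959).

    A zero-length initial response is written as a single '='.
    """
    return f"{tag} AUTHENTICATE EXTERNAL {external_response(authzid) or '='}"


def server_check(line, cert_username):
    """Toy model of the server reading the continuation line (assumption)."""
    if line == "*":
        # RFC 3501: a lone '*' cancels the exchange, answered with tagged BAD.
        return ("BAD", "Authentication cancelled")
    try:
        authzid = base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("NO", "Invalid base64 data in continued response")
    # Assumed policy: the authzid must be empty or match the certificate user.
    if authzid in ("", cert_username):
        return ("OK", f"Logged in as {cert_username}")
    return ("NO", "Authorization identity not permitted")


if __name__ == "__main__":
    # Constructed continuation lines; the first is the one typed in the post.
    for line in ['01 list "" *', "", external_response("Stephen"), "*"]:
        print(repr(line), "->", server_check(line, "Stephen"))
    print(external_initial_response("01"))
```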
