Hi.

The tests using SASL and SASL-IR in Thunderbird both fail to authenticate. I have tried using openssl s_client with the same result. I've run the auth command in three ways just to be sure I got the second example right. I even checked to make sure I've spelt my name right and the case of the letters.


# dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl  ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
  postmaster_address: postmas...@ksudra.net
auth default:
  mechanisms: EXTERNAL
  realms: ksudra.net
  default_realm: ksudra.net
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/passwd
  userdb:
    driver: passwd

/opt/etc/dovecot/passwd
Stephen:{EXTERNAL}


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL =
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+

01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35721
Mar 16 21:40:38 auth(default): Info: client out: CONT   1
Mar 16 21:40:40 auth(default): Info: client in: CONT<hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 =
01 NO [ALERT] Invalid base64 data in continued response
DONE

Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT   1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 21:42:35 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
Mar 16 21:42:55 imap-login: Info: Disconnected (cert required, client didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

--
Thanks

Stephen Feyrer.


On Tue, 16 Mar 2010 18:03:38 -0000, Timo Sirainen <t...@iki.fi> wrote:

On Tue, 2010-03-16 at 18:01 +0000, Stephen Feyrer wrote:

How can I use SASL-IR with dovecot?

It's the client that uses it by sending:

AUTHENTICATE EXTERNAL =

instead of:

AUTHENTICATE EXTERNAL
<wait for reply>
=

so nothing really you can do about it..
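
Added example, not part of the original messages: a small parser for auth log lines in the format shown above. It reports, per attempt, whether the client sent the response with the AUTHENTICATE command (SASL-IR, logged as `resp=`) or in a separate continuation step (logged as `CONT`), and how the attempt ended. The function name and the returned field names are assumptions made for this example.

```python
import re

# Lines copied (abridged) from the auth log excerpts quoted in the message above.
SAMPLE_LOG = """\
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT   1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
"""

AUTH_IN = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)\s+(.*)$")
CLIENT_OUT = re.compile(r"client out: (OK|FAIL|CONT)\s+(\d+)\s*(.*)$")

def summarize_auth_attempts(log_text):
    """Return one dict per AUTH request, in log order (hypothetical helper)."""
    attempts, open_by_id = [], {}
    for line in log_text.splitlines():
        m = AUTH_IN.search(line)
        if m:
            req_id, mech, rest = m.groups()
            fields = rest.split()
            kv = dict(f.split("=", 1) for f in fields if "=" in f)
            attempt = {
                "time": line[:15], "mechanism": mech,
                "initial_response": "resp" in kv,   # response sent with the command
                "continuation": False,              # set when the server answers CONT
                "tls": "secured" in fields,
                "valid_client_cert": "valid-client-cert" in fields,
                "cert_username": kv.get("cert_username"),
                "result": None, "reason": None,
            }
            attempts.append(attempt)
            open_by_id[req_id] = attempt  # request ids restart at 1 on each connection
            continue
        m = CLIENT_OUT.search(line)
        if not m or m.group(2) not in open_by_id:
            continue
        status, req_id, rest = m.groups()
        attempt = open_by_id[req_id]
        if status == "CONT":
            attempt["continuation"] = True
        else:
            attempt["result"] = status
            attempt["reason"] = rest.partition("reason=")[2] or None
            del open_by_id[req_id]
    return attempts
```
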

