On 2012/12/02 22:18, Daniel Parthey wrote:
> Roger Hunen wrote:
>> I am seeking your help with SSL/TLS client authentication.
>> Unfortunately the authentication fails :(
> http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
> "You may also want to disable the password checking completely. Doing this
> currently circumvents Dovecot's security model so it's not recommended to use
> it, but it is possible by making the passdb allow logins using any password
> (typically requiring "nopassword" extra field to be returned)."
> See http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
This sounded like a bad idea at first as it would allow webmail users
to log on without entering a password. However, your suggestion made me
think (and go!) in a direction that I would not have gone on my own.
Thank you for that!
First things first: the solution/workaround :)
* Create two passwd style files
- mailusers.143 with password and without 'nopassword' extra field
- mailusers.993 without password but with 'nopassword' extra field
* Configure a passdb (driver=passwd-file) that selects the password
database file using the %a variable (local port): mailusers.%a
My Dovecot setup now
* does not require a valid password for connections to the imaps
port (993); the username is taken from the certificate that is
issued by a trusted CA.
* does require a password for connections to the imap port (143).
Currently the system supports very few users, so working with two
passwd files is not a problem. For the future I plan to use a mysql
database with two different queries on the same table based on the
local port number.
For those who are interested: read on for some more findings...
* As far as I can tell (from docs and source) Dovecot supports only
username/password based authentication schemes. There is no such
thing as certificate based authentication (unless I have overlooked
something or it is undocumented).
* Even if 'auth_ssl_username_from_cert=yes' Dovecot will only take
the username from the certificate if the client sends username and
password to log on.
* When configured to use "TLS Certificate" authentication Thunderbird
will not send a username/password to log on. Thunderbird considers
the authentication done once the SSL handshake has completed. Given
the above this is a recipe for failure.
* With 'auth_ssl_username_from_cert=yes' Dovecot will ignore the given
username and use the designated field in the certificate instead
(usually commonName). Together with the 'nopassword' extra field a
certificate based authentication scheme can be implemented. The
client must be configured to use username and password (which will
be completely ignored by Dovecot as intended in such a setup).
* Dovecot will log an error if a passwd file record has a non-empty
password and the 'nopassword' extra field is present. Either can
be present but not both.
* Dovecot will log an error "input is missing end-of-settings line"
if the configuration contains a setting with a name that is not
valid in the given context. Something like "Invalid setting 'x'
at line y" would be more helpful to pinpoint the problem.
* Dovecot documentation is sparse in many respects which makes it
difficult to use Dovecot to its full potential. I realize though
that resources are at a premium and that writing documentation
is not everybody's cup of tea. From a documentation point of view
Exim4 is an excellent example.
Regards,
-Roger
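The port-selected passwd-file arrangement from the message above, written out as a Dovecot 2.x configuration fragment together with the two passwd-file entries. This is an added illustration, not Roger's actual configuration: the file paths, the user 'alice' and the password hash are assumptions, and it adds the client-certificate verification settings so that the password-less 993 file is only reachable behind a CA-verified certificate.

```conf
# --- dovecot.conf (added illustration; paths and names are assumptions) ---
ssl = required
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key

# CA that issued the client certificates. Verifying the client certificate
# is what makes the 'nopassword' entry for port 993 acceptable: without a
# verified cert Dovecot has nothing but the client-supplied username to go on.
ssl_ca = </etc/dovecot/client-ca.pem
ssl_verify_client_cert = yes
# Global auth setting: clients on port 143 (STARTTLS) must present a valid
# certificate as well. Drop this line only if that is not acceptable and
# you understand that port 993 then accepts any username the client sends.
auth_ssl_require_client_cert = yes
# Username is taken from the certificate, not from what the client sends
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

passdb {
  driver = passwd-file
  # %a expands to the local port, so a connection to 143 reads
  # mailusers.143 and a connection to 993 reads mailusers.993
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/mailusers.%a
}

# --- /etc/dovecot/mailusers.143: password required, no extra field ---
# (hash is a placeholder; generate a real one with: doveadm pw -s SHA512-CRYPT)
alice:{SHA512-CRYPT}$6$PLACEHOLDER_HASH:::::::

# --- /etc/dovecot/mailusers.993: empty password plus the nopassword field ---
# A non-empty password together with 'nopassword' is logged as an error,
# as noted in the message above, so the password column stays empty here.
alice::::::::nopassword
```

Test each port separately after reloading: a client on 993 with a certificate whose commonName is 'alice' should log in regardless of the password it sends, while the same username on 143 must still match the hash in mailusers.143.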