Hi,
I'm trying to set up a Dovecot/Postfix/OpenLDAP combo on a Fedora 43
aarch64 box with the following versions:
dovecot-2.4.2
from https://src.fedoraproject.org/rpms/dovecot/tree/rawhide and rebuilt
for F43 at https://copr.fedorainfracloud.org/coprs/patrickl/dovecot/
postfix-3.10.3
openldap-2.6.10
openssl-3.5.4
Problem: I can't seem to make Dovecot (lmtp) establish an mTLS connection
with the slapd server.
Postfix works fine when using /etc/postfix/ldap-aliases.cf etc to get
info from the slapd server which demands that the client sends a
certificate due to olcTLSVerifyClient: demand. This is with a
self-signed CA, intermediate CA and client & server certificates.
Dovecot journalctl error:
lmtp(92847): Error: lmtp-server: conn unix:pid=92846,uid=89 [1]: rcpt
patrick@<domain>: Failed to lookup user patrick@<domain>: Internal error
occurred. Refer to server log for more information.
# doveadm log errors
Dec 15 22:35:41.655525 Error: auth: ldap(ldaps://<FQDN>:636): Connection
lost to LDAP server, reconnecting
<snipped many more of the same message>
Slapd error:
TLS trace: SSL_accept:before SSL initialization
<snip>
TLS trace: SSL_accept:TLSv1.3 early data
TLS trace: SSL_accept:error in TLSv1.3 early data
TLS trace: SSL_accept:TLSv1.3 early data
TLS trace: SSL3 alert write:fatal:unknown
TLS trace: SSL_accept:error in error
TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a
certificate.
TLS accept failure error=-1 id=1178, closing
conn=1178 fd=15 closed (TLS negotiation failure)
It seems that Dovecot does not send its client certificate to the slapd
server when asked? Perhaps due to a config error?
Example with postfix where the client cert is sent and mTLS succeeds:
# postmap -q info@<domain> ldap:/etc/postfix/ldap-aliases.cf
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read
SSL_accept:TLSv1.3 early data
TLS trace: SSL_accept:error in TLSv1.3 early data
TLS trace: SSL_accept:TLSv1.3 early data
TLS certificate verification: depth: 2, err: 0, subject:
/C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA
issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA
TLS certificate verification: depth: 1, err: 0, subject:
/C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleSubCA,
issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleCA
TLS certificate verification: depth: 0, err: 0, subject:
/CN=postfix-ldap, issuer: /C=ZZ/ST=FooBar/O=Example/OU=IT/CN=ExampleSubCA
TLS trace: SSL_accept:TLSv1.3 read client compressed certificate
TLS trace: SSL_accept:SSLv3/TLS read certificate verify
TLS trace: SSL_accept:SSLv3/TLS read finished
TLS trace: SSL_accept:SSLv3/TLS write session ticket
TLS trace: SSL_accept:SSLv3/TLS write session ticket
conn=1000 fd=13 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3
tls_cipher=TLS_AES_256_GCM_SHA384
Dovecot config
# dovecot -n:
# 2.4.2 (0962ed2104): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.2 (767418c3)
# OS: Linux 6.17.11-300.fc43.aarch64 aarch64 Fedora release 43 (Forty
Three)
# Hostname: <FQDN>
# 5 default setting changes since version 2.4.1
dovecot_config_version = 2.4.1
auth_mechanisms = plain
dovecot_storage_version = 2.4.1
first_valid_uid = 1000
ldap_auth_dn = cn=dovecot,dc=hosted,dc=ldap
ldap_auth_dn_password = # hidden, use -P to show it
ldap_uris = ldaps://<FQDN>
log_debug = category=ssl
mail_driver = sdbox
mail_gid = vmail
mail_home = /var/mail/virtual/%{user | domain}/%{user | username}
mail_path = ~/mail
mail_uid = vmail
protocols {
imap = yes
lmtp = yes
}
ssl = required
ssl_cipher_list = PROFILE=SYSTEM
ssl_cipher_suites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_min_protocol = TLSv1.3
namespace inbox {
inbox = yes
separator = /
}
ssl_server {
ca_file = /etc/pki/dovecot/certs/dovecot_ca_bundle.pem
cert_file = /etc/pki/dovecot/certs/kronos.laimbock.nl.crt
key_file = /etc/pki/dovecot/private/kronos.laimbock.nl_nopass.key.crt
prefer_ciphers = server
request_client_cert = yes
require_crl = no
}
ssl_client {
ca_file = /etc/pki/dovecot/certs/dovecot_ca_bundle.pem
cert_file = /etc/pki/dovecot/certs/dovecot-ldap.crt
key_file = /etc/pki/dovecot/private/dovecot-ldap_nopass.key.crt
require_valid_cert = yes
}
protocol !smtp {
auth_ssl_require_client_cert = yes
}
passdb ldap {
ldap_base = ou=People,ou=%{ user | domain },dc=hosted,dc=ldap
default_password_scheme = CRYPT
fields {
user = %{ldap:mail}
}
bind = yes
filter = (&(objectClass=person)(mail=%{user}))
}
userdb ldap {
ldap_base = ou=People,ou=%{ user | domain },dc=hosted,dc=ldap
fields {
user = %{ldap:mail}
}
filter = (&(objectClass=person)(uid=%{user}))
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
The dovecot_ca_bundle.pem is created with
# cat subca.crt ca.crt > dovecot_ca_bundle.pem
The RootCA is imported into the trust store via:
# cp ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
The public certificates live in /etc/pki/dovecot/certs:
lrwxrwxrwx. 1 root root 16 Dec 15 15:49 1c2dd8a4.0 -> dovecot-ldap.crt
lrwxrwxrwx. 1 root root 22 Dec 15 15:49 8dafd16f.0 -> <FQDN>.crt
lrwxrwxrwx. 1 root root 9 Dec 15 20:15 d18284cf.0 -> subca.crt
-rw-r--r--. 1 root root 773 Dec 12 21:21 dhparam
-rw-r--r--. 1 root root 3456 Dec 15 21:34 dovecot_ca_bundle.pem
-rw-r--r--. 1 root root 1586 Dec 15 20:15 dovecot-ldap.crt
-rw-r--r--. 1 root root 1655 Dec 15 20:15 <FQDN>.crt
-rw-r--r--. 1 root root 1850 Dec 15 20:15 subca.crt
The private keys live in /etc/pki/dovecot/private:
-rw-------. 1 root root 1704 Dec 15 20:15 dovecot-ldap_nopass.key.crt
-rw-------. 1 root root 1704 Dec 15 20:15 <FQDN>_nopass.key.crt
SELinux: there are no AVCs in /var/log/audit/audit.log but to make sure
I ran:
# restorecon -v -F -R /etc/dovecot
# restorecon -v -F -R /etc/pki/doveecot
With setenforce 0 no change in results.
The slapd config:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcPasswordCryptSaltFormat: $6$%s
olcLogLevel: 1023
# cat subca.crt ca.crt > slapd_ca_bundle.pem
olcTLSCACertificateFile: /etc/openldap/certs/slapd_ca_bundle.pem
olcTLSCertificateFile: /etc/openldap/certs/<FQDN>.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/<FQDN>_nopass.key.crt
olcTLSCipherSuite: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
olcTLSVerifyClient: demand
olcTLSCRLCheck: none
I would appreciate any hints on what I missed, what to read, where to look,
etc. If you need more info I'll be happy to provide it. Thanks!
Cheers,
Patrick
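The two slapd traces in the post differ in one observable detail: the working Postfix connection logs a depth-0 (client) certificate before "TLS established", while the Dovecot connection reaches "peer did not return a certificate" without any verification lines. The following is an added example (not Dovecot's or OpenLDAP's code) that parses slapd loglevel-1023 TLS trace lines into one record per SSL_accept run and labels how each ended, so failing and succeeding LDAP client connections can be compared side by side; the sample lines are constructed from the traces quoted above, with the wrapped subject lines rejoined and the placeholder DNs shortened.

```python
import re
# Constructed sample: the two slapd traces quoted above, 'subject:' lines rejoined as slapd prints them.
SAMPLE_LOG = """\
TLS trace: SSL_accept:before SSL initialization
TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
TLS accept failure error=-1 id=1178, closing
conn=1178 fd=15 closed (TLS negotiation failure)
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
TLS certificate verification: depth: 2, err: 0, subject: /O=Example/CN=ExampleCA, issuer: /O=Example/CN=ExampleCA
TLS certificate verification: depth: 1, err: 0, subject: /O=Example/CN=ExampleSubCA, issuer: /O=Example/CN=ExampleCA
TLS certificate verification: depth: 0, err: 0, subject: /CN=postfix-ldap, issuer: /O=Example/CN=ExampleSubCA
conn=1000 fd=13 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
"""
START = "SSL_accept:before SSL initialization"
VERIFY = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.+?), issuer: ")
ACCEPT_ERR = re.compile(r"TLS: can't accept: (.+)")
ESTABLISHED = re.compile(r"conn=(\d+) fd=\d+ TLS established .*tls_proto=(\S+) tls_cipher=(\S+)")
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed \((.+)\)")

def verdict(h):
    """One-line triage label for a parsed handshake record."""
    if h["outcome"] == "established":
        return "mTLS ok" if h["client_subject"] else "TLS ok, no client cert"
    if h["reason"] and "peer did not return a certificate" in h["reason"]:
        return "client sent no certificate"
    return "client certificate rejected" if h["verify_errors"] else "handshake failed"

def summarise(log_text):
    """Group slapd trace lines per SSL_accept run and record who sent what and how it ended."""
    handshakes, cur = [], None
    for line in log_text.splitlines():
        if START in line:
            # slapd can print this marker twice for one accept: only open a record if the last one concluded
            if cur is None or cur["outcome"] != "incomplete":
                cur = {"conn": None, "client_subject": None, "verify_errors": [],
                       "outcome": "incomplete", "reason": None, "proto": None, "cipher": None}
                handshakes.append(cur)
        elif cur is None:
            continue
        elif m := VERIFY.search(line):
            depth, err, subject = m.group(1, 2, 3)
            if depth == "0": cur["client_subject"] = subject      # depth 0 is the client's leaf cert
            if err != "0": cur["verify_errors"].append(f"depth {depth} err {err}")
        elif m := ACCEPT_ERR.search(line):
            cur.update(outcome="failed", reason=m.group(1))
        elif m := ESTABLISHED.search(line):
            cur.update(conn=int(m.group(1)), proto=m.group(2), cipher=m.group(3), outcome="established")
        elif m := CLOSED.search(line):
            cur.update(conn=int(m.group(1)), outcome="failed", reason=cur["reason"] or m.group(2))
    return handshakes
```

Feed it the slapd journal (the regexes use search, so a syslog prefix in front of each line does not matter) and print verdict() per record: a "client sent no certificate" label points at the client side not offering a certificate at all, whereas "client certificate rejected" would point at chain or trust problems on the slapd side.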
dovecot mailing list