RE: how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

2022-08-08 Thread Marc
Have you added your root CA to where the rest of the ca certs are stored on 
your distribution?


> 
> I forgot to say that this mail server has been working perfectly for
> many years (but without client certificates).
> 
> On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot
>  wrote:
> >
> > @build+dove...@de-korte.org
> >
> > ssl_ca =  actually contains the private CA certificate bundled with the
> > private CA CRL.
> >
> > ssl_cert =  contains the public server certificate bundled with Let's
> > encrypt CA X3 cross-signed certificate.
> >
> > Maybe the latter should rather contain the root and intermediate
> certificates.
> >
> > On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
> >  wrote:
> > >
> > > Quoting jean-christophe manciot:
> > >
> > > > Hi everyone,
> > > >
> > > > I'm trying to setup dovecot to accept only client certificates
> created
> > > > with a private CA:
> > > > auth_ssl_require_client_cert = yes
> > > > ssl_verify_client_cert = yes
> > > > ssl_ca =
> > >
> > > This is wrong, you should enter your private CA here. If
> > > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > > generally be empty / not configured.
> > >
> > > > At the same time, dovecot is setup with an SSL certificate created
> by
> > > > a public CA (let's encrypt):
> > > > ssl = required
> > > > ssl_cert =
> > > > ssl_key =
> > > >
> > > > When I try to connect to the server with a client (evolution), I
> get a
> > > > connection error:
> > > > "Client did not present valid SSL certificate" except that it is
> valid.
> > > >
> > > > As you probably already know, let's encrypt does not create client
> > > > certificates.
> > > > It seems that using a different CA for client certificates and for
> the
> > > > server certificate is unsupported.
> > > >
> > > > Am I missing something?


Re: how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

2022-08-08 Thread jean-christophe manciot
I forgot to say that this mail server has been working perfectly for
many years (but without client certificates).

On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot
 wrote:
>
> @build+dove...@de-korte.org
>
> ssl_ca =  actually contains the private CA certificate bundled with the
> private CA CRL.
>
> ssl_cert =   contains the public server certificate bundled with Let's
> encrypt CA X3 cross-signed certificate.
>
> Maybe the latter should rather contain the root and intermediate certificates.
>
> On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
>  wrote:
> >
> > Quoting jean-christophe manciot:
> >
> > > Hi everyone,
> > >
> > > I'm trying to setup dovecot to accept only client certificates created
> > > with a private CA:
> > > auth_ssl_require_client_cert = yes
> > > ssl_verify_client_cert = yes
> > > ssl_ca =
> >
> > This is wrong, you should enter your private CA here. If
> > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > generally be empty / not configured.
> >
> > > At the same time, dovecot is setup with an SSL certificate created by
> > > a public CA (let's encrypt):
> > > ssl = required
> > > ssl_cert =
> > > ssl_key =
> > >
> > > When I try to connect to the server with a client (evolution), I get a
> > > connection error:
> > > "Client did not present valid SSL certificate" except that it is valid.
> > >
> > > As you probably already know, let's encrypt does not create client
> > > certificates.
> > > It seems that using a different CA for client certificates and for the
> > > server certificate is unsupported.
> > >
> > > Am I missing something?
> >
> >
> >
>
>
> --
> Jean-Christophe



-- 
Jean-Christophe


Re: how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

2022-08-08 Thread jean-christophe manciot
@build+dove...@de-korte.org

ssl_ca =  actually contains the private CA certificate bundled with the
private CA CRL.

ssl_cert =  contains the public server certificate bundled with Let's
encrypt CA X3 cross-signed certificate.

Maybe the latter should rather contain the root and intermediate certificates.

On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
 wrote:
>
> Quoting jean-christophe manciot:
>
> > Hi everyone,
> >
> > I'm trying to setup dovecot to accept only client certificates created
> > with a private CA:
> > auth_ssl_require_client_cert = yes
> > ssl_verify_client_cert = yes
> > ssl_ca = 
> This is wrong, you should enter your private CA here. If
> 'ssl_verify_client_cert' is not set to 'yes', this field should
> generally be empty / not configured.
>
> > At the same time, dovecot is setup with an SSL certificate created by
> > a public CA (let's encrypt):
> > ssl = required
> > ssl_cert =
> > ssl_key =
> >
> > When I try to connect to the server with a client (evolution), I get a
> > connection error:
> > "Client did not present valid SSL certificate" except that it is valid.
> >
> > As you probably already know, let's encrypt does not create client
> > certificates.
> > It seems that using a different CA for client certificates and for the
> > server certificate is unsupported.
> >
> > Am I missing something?
>
>
>


-- 
Jean-Christophe


Re: rawlog data in a lua script

2022-08-08 Thread michael . zork

Hi Aki,

On 08.08.22 13:54, Aki Tuomi wrote:

Hi, Michael, did you consider my suggestion to use raw events instead of 
rawlogs for this?


I was writing an answer to you next :-)

As far as I can see, the "Event Export" only exports events of the 
requests, but not the full raw responses, correct?

https://doc.dovecot.org/configuration_manual/event_export/

I need the complete rawlog that currently is written to the rawlog 
directory, which means the raw requests (IMAP, POP3 commands), and the 
raw response lines (for example a FETCH response -> a 20 MB mail 
content). Everything that could be seen on the wire via tcpdump after 
authentication (which is the rawlog of Dovecot as far as I can see).


I need the rawlog feature, but not written to multiple files (which I 
have to collect in realtime with some black magic), but for example in a 
lua-script, which would make it a lot easier to analyse and/or send it 
to an HTTP endpoint.


Maybe there are other possibilities, for example sending the rawlog of a 
user to a single file (or pipe/socket), where I can easily receive the 
raw logs for that user and send it to an HTTP endpoint. That's a lot 
easier than to "watch" a directory for new files, detect changes to 
existing files, collect them and send them via HTTP.


I somehow need to send the raw log of specific users in realtime (maybe 
with a few seconds delay) to an HTTP endpoint (where each request or 
response is a single HTTP request, maybe we could also batch some 
requests and responses to reduce the HTTP requests to the endpoint).


The current implementation of the rawlog feature is nice for manually 
debugging a single user, but when debugging/monitoring multiple users 
automatically, collect the logs and send them to a central place, it's 
hard to use ("watching" directories for changes via inotify, and run 
"tail" on the files for hours and days is not fun and can easily break).


Michael



On 08/08/2022 14:52 EEST michael.z...@feierfighter.de wrote:


Hi,

as far as I know I cannot configure Dovecot to pipe the rawlog into rsyslog. Or 
can I, how?

The rawlog feature in Dovecot writes multiple files (two for each connection, 
one for raw requests and one for raw responses) into a predefined directory for 
the user. This generates dozens or hundreds of files per user per day, each 
file with a timestamp in it, so the filename is not predictable.

Even if it works, I'm not sure if syslog (rsyslog or syslog-ng) should be (ab)used to 
collect the rawlog file contents, which might be hundreds of MB per minute if someone 
FETCHes all his emails while setting up a new account in Thunderbird or so. That sounds 
like a suboptimal idea. Syslog cannot handle binary text I guess, and it might have 
limits like "line length limits" or similar. It sounds like the wrong tool for 
the job.

Michael


On 28-Jul-2022 15:28:16 +0200, dove...@ptld.com wrote:

I'm searching for a possibility to have the rawlog feature in lua, which would 
be much easier for processing.

It would be much easier to hook to the "raw request and response events" inside 
Dovecot and have the rawlog-data in a lua script,
where I can prepare it and send it to another machine for 
monitoring/collection/analysis/statistics or similar, for example via HTTP.

rsyslog has this feature (omprog) allowing you to setup any script/program for 
it to pipe logs to in real time.

https://www.rsyslog.com/doc/master/configuration/modules/omprog.html
https://github.com/rsyslog/rsyslog/blob/master/plugins/external/INTERFACE.md

Works similar in concept to postfix policy servers if you are familiar with 
them.
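A way to do the collection Michael describes without going through syslog, added here as an example and not taken from Dovecot or from anyone in the thread: poll the per-user rawlog directory, remember how far each file has been read, and ship only the new bytes to an HTTP endpoint in bounded batches, base64-encoded so binary message bodies survive the trip. It assumes the file layout described above, one pair of files per connection with names ending in .in (client to server) and .out (server to client); the session name, the IMAP lines, the user name and the endpoint in the demo are constructed.

```python
"""Collect Dovecot rawlog files incrementally and ship them over HTTP.
Added example for this thread, not Dovecot code."""
import base64
import glob
import json
import os
import shutil
import tempfile
import urllib.request
from dataclasses import dataclass


@dataclass
class RawlogChunk:
    session: str    # rawlog file name without its .in/.out suffix
    direction: str  # "in" = what the client sent, "out" = what Dovecot answered
    data: bytes     # raw bytes; may well be binary (literals, attachments)


class RawlogTailer:
    """Remembers how far each rawlog file has been read and returns only the new
    bytes, so it can be polled every few seconds without re-sending anything."""

    def __init__(self, directory):
        self.directory = directory
        self.offsets = {}

    def poll(self):
        chunks, seen = [], set()
        pattern = os.path.join(self.directory, "*.")
        # names are unpredictable (timestamp in them), so glob on every poll
        for path in sorted(glob.glob(pattern + "in") + glob.glob(pattern + "out")):
            name = os.path.basename(path)
            seen.add(name)
            session, direction = name.rsplit(".", 1)
            start = self.offsets.get(name, 0)
            with open(path, "rb") as fh:
                fh.seek(start)
                data = fh.read()
            if data:
                self.offsets[name] = start + len(data)
                chunks.append(RawlogChunk(session, direction, data))
        for name in list(self.offsets):  # forget files that have been cleaned up
            if name not in seen:
                del self.offsets[name]
        return chunks


def batches(chunks, max_bytes=1_000_000):
    """Group chunks so one request carries at most max_bytes of rawlog data
    (a single chunk above the limit, e.g. a 20 MB FETCH response, travels alone)."""
    batch, size = [], 0
    for chunk in chunks:
        if batch and size + len(chunk.data) > max_bytes:
            yield batch
            batch, size = [], 0
        batch.append(chunk)
        size += len(chunk.data)
    if batch:
        yield batch


def encode_batch(user, batch):
    """JSON body with base64 payloads, so binary content survives the trip."""
    return json.dumps({"user": user, "entries": [
        {"session": c.session, "direction": c.direction,
         "data": base64.b64encode(c.data).decode("ascii")} for c in batch]}).encode("utf-8")


def post_batch(url, body, timeout=10):
    """Send one batch; the endpoint URL is whatever the collector side exposes."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def demo():
    """Constructed run: a session's .in/.out pair appears, then the .in file grows."""
    rawlog_dir = tempfile.mkdtemp()
    try:
        session = "20220808-125423-4711"  # made-up name in the timestamp-plus-pid style
        paths = {d: os.path.join(rawlog_dir, f"{session}.{d}") for d in ("in", "out")}
        with open(paths["in"], "wb") as fh:
            fh.write(b"a001 SELECT INBOX\r\n")
        with open(paths["out"], "wb") as fh:
            fh.write(b"* 2 EXISTS\r\na001 OK [READ-WRITE] Select completed.\r\n")
        tailer = RawlogTailer(rawlog_dir)
        first = tailer.poll()
        with open(paths["in"], "ab") as fh:  # the connection continues
            fh.write(b"a002 FETCH 1 BODY[]\r\n")
        second = tailer.poll()
        third = tailer.poll()  # nothing new
        bodies = [encode_batch("user@example.test", b) for b in batches(second)]
        return first, second, third, bodies
    finally:
        shutil.rmtree(rawlog_dir, ignore_errors=True)


if __name__ == "__main__":
    for polled in demo()[:3]:
        print([(c.session, c.direction, len(c.data)) for c in polled])
```

Polling instead of inotify keeps it working on any filesystem, and a few seconds between polls is within the delay Michael says he can accept. post_batch is never called in the demo; in deployment it sits in the loop behind poll and batches, with the endpoint URL and the user name filled in.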


Re: rawlog data in a lua script

2022-08-08 Thread Aki Tuomi
Hi, Michael, did you consider my suggestion to use raw events instead of 
rawlogs for this? 

Aki

> On 08/08/2022 14:52 EEST michael.z...@feierfighter.de wrote:
> 
> 
> Hi,
> 
> as far as I know I cannot configure Dovecot to pipe the rawlog into rsyslog. 
> Or can I, how?
> 
> The rawlog feature in Dovecot writes multiple files (two for each connection, 
> one for raw requests and one for raw responses) into a predefined directory 
> for the user. This generates dozens or hundreds of files per user per day, 
> each file with a timestamp in it, so the filename is not predictable.
> 
> Even if it works, I'm not sure if syslog (rsyslog or syslog-ng) should be 
> (ab)used to collect the rawlog file contents, which might be hundreds of MB 
> per minute if someone FETCHes all his emails while setting up a new account 
> in Thunderbird or so. That sounds like a suboptimal idea. Syslog cannot 
> handle binary text I guess, and it might have limits like "line length 
> limits" or similar. It sounds like the wrong tool for the job.
> 
> Michael
> 
> 
> On 28-Jul-2022 15:28:16 +0200, dove...@ptld.com wrote:
> > > I'm searching for a possibility to have the rawlog feature in lua, which 
> > > would be much easier for processing. 
> > > 
> > > It would be much easier to hook to the "raw request and response events" 
> > > inside Dovecot and have the rawlog-data in a lua script,
> > > where I can prepare it and send it to another machine for 
> > > monitoring/collection/analysis/statistics or similar, for example via 
> > > HTTP. 
> > 
> > 
> > rsyslog has this feature (omprog) allowing you to setup any script/program 
> > for it to pipe logs to in real time.
> > 
> > https://www.rsyslog.com/doc/master/configuration/modules/omprog.html
> > https://github.com/rsyslog/rsyslog/blob/master/plugins/external/INTERFACE.md
> > 
> > Works similar in concept to postfix policy servers if you are familiar with 
> > them.


Re: rawlog data in a lua script

2022-08-08 Thread michael . zork
Hi,

as far as I know I cannot configure Dovecot to pipe the rawlog into
rsyslog. Or can I, how?

The rawlog feature in Dovecot writes multiple files (two for each connection,
one for raw requests and one for raw responses) into a predefined directory
for the user. This generates dozens or hundreds of files per user per day,
each file with a timestamp in it, so the filename is not predictable.

Even if it works, I'm not sure if syslog (rsyslog or syslog-ng) should be
(ab)used to collect the rawlog file contents, which might be hundreds of MB
per minute if someone FETCHes all his emails while setting up a new account
in Thunderbird or so. That sounds like a suboptimal idea. Syslog cannot
handle binary text I guess, and it might have limits like "line length
limits" or similar. It sounds like the wrong tool for the job.

Michael

On 28-Jul-2022 15:28:16 +0200, dove...@ptld.com wrote:
> I'm searching for a possibility to have the rawlog feature in lua, which 
> would be much easier for processing. 
> 
> It would be much easier to hook to the "raw request and response events" 
> inside Dovecot and have the rawlog-data in a lua script,
> where I can prepare it and send it to another machine for 
> monitoring/collection/analysis/statistics or similar, for example via HTTP. 

rsyslog has this feature (omprog) allowing you to setup any script/program for 
it to pipe logs to in real time.

https://www.rsyslog.com/doc/master/configuration/modules/omprog.html
https://github.com/rsyslog/rsyslog/blob/master/plugins/external/INTERFACE.md

Works similar in concept to postfix policy servers if you are familiar with 
them.


Re: rawlog data in a lua script

2022-08-08 Thread michael . zork
Hi Paul,

I don't understand how to use your idea/script together with the rawlog
feature of Dovecot. The rawlog feature in Dovecot writes multiple files (two
for each connection, one for raw requests and one for raw responses) into a
predefined directory for the user. This generates dozens or hundreds of files
per user per day, each file with a timestamp in it, so the filename is not
predictable.

How should I create "a socket" for that to capture the file contents if I
don't know the filenames that will be used?

Michael

On 28-Jul-2022 13:02:16 +0200, p...@scom.ca wrote:

Hi - I use this python script to capture a socket (i.e. the log file) and
then send it to syslog; I use this for all the systems that do not
really support syslogging (apache etc.)

basic usage

/usr/bin/nohup /programs/common/capture -s 
/usr/local/apache2/logs/httpd-access.log -l httpd -d 10.228.0.6:514 -p 
httpd > /dev/null &

i typically run this at startup in rc.local

hope this helps


Re: RFC 9266: Channel Bindings for TLS 1.3 support

2022-08-08 Thread Aki Tuomi


> On 02/08/2022 23:53 EEST * Neustradamus *  wrote:
> 
>  
> Hello all,
> 
> I would like to know if it is possible to add RFC 9266: Channel Bindings for 
> TLS 1.3?
> - https://datatracker.ietf.org/doc/html/rfc9266
> 
> Little details, to know easily:
> - tls-unique for TLS <= 1.2
> - tls-exporter for TLS = 1.3
> 
> It will be used by SCRAM-SHA-*-PLUS like 
> SCRAM-SHA-1-PLUS/SCRAM-SHA-256-PLUS.
> SCRAM-SHA-1 and SCRAM-SHA-256 are already supported.
> 
> Thanks in advance.
> 
> Regards,
> 
> Neustradamus

Not sure how much use the channel binding would be for IMAP. Do you have any 
particular use case for this?

Aki
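The binding the request asks for, worked through as an added example that is not Dovecot code and says nothing about what Dovecot implements: SCRAM-SHA-256 carried end to end, first without channel binding on the RFC 7677 section 3 test vector, then as SCRAM-SHA-256-PLUS where both sides mix the RFC 9266 tls-exporter value into the proof. The exporter value normally comes from the TLS library on each end of the finished handshake; this script opens no TLS connection, so it is a constructed 32-byte string, and the user name, password, nonces and salt of the PLUS exchange are made up as well. The last case is the use case Aki asks about: when the client's TLS session terminates somewhere other than at the server, the two exporter values differ and the proof fails even though the password is right.

```python
"""SCRAM-SHA-256 (RFC 7677) with and without the RFC 9266 tls-exporter
channel binding. Added example for this thread, not Dovecot code."""
import base64
import hashlib
import hmac


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _attrs(msg):
    # comma-separated "x=value" items; values carry no commas but may contain "="
    return dict(item.split("=", 1) for item in msg.split(","))


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stored_credentials(password, salt, iterations):
    """(StoredKey, ServerKey): all the server keeps; the password itself is not stored."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")


def client_first(username, client_nonce, gs2_header):
    # gs2_header is "n,," (no binding) or "p=tls-exporter,," (binding demanded);
    # the authzid form "n,a=...," is not handled here
    return f"{gs2_header}n={username},r={client_nonce}"


def server_first(client_first_msg, server_nonce, salt, iterations):
    client_nonce = _attrs(client_first_msg.split(",,", 1)[1])["r"]
    return f"r={client_nonce}{server_nonce},s={_b64(salt)},i={iterations}"


def _without_proof(client_first_msg, combined_nonce, cb_data):
    """RFC 5802: c = base64(gs2-header || cbind-data). This is where the TLS channel
    enters AuthMessage; with "n,," cb_data is empty and c= is always "biws"."""
    gs2_header, bare = client_first_msg.split(",,", 1)
    c_attr = _b64((gs2_header + ",,").encode("ascii") + cb_data)
    return bare, f"c={c_attr},r={combined_nonce}"


def client_final(password, client_first_msg, server_first_msg, cb_data=b""):
    """cb_data is the tls-exporter value of the TLS connection the client is on."""
    sf = _attrs(server_first_msg)
    bare, without_proof = _without_proof(client_first_msg, sf["r"], cb_data)
    auth_message = f"{bare},{server_first_msg},{without_proof}".encode("utf-8")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    return f"{without_proof},p={_b64(_xor(client_key, client_sig))}"


def server_verify(stored_key, server_key, client_first_msg, server_first_msg,
                  client_final_msg, cb_data=b""):
    """Server side: rebuilds AuthMessage from its *own* tls-exporter value instead of
    trusting the client's c= attribute, so a proof made on a different TLS connection
    (a TLS-terminating man in the middle) fails even with the right password.
    Returns the server-final "v=..." message on success, None on failure."""
    cf = _attrs(client_final_msg)
    if cf["r"] != _attrs(server_first_msg)["r"]:
        return None  # nonce must be the one this server issued
    bare, without_proof = _without_proof(client_first_msg, cf["r"], cb_data)
    auth_message = f"{bare},{server_first_msg},{without_proof}".encode("utf-8")
    client_key = _xor(base64.b64decode(cf["p"]), _hmac(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None
    return f"v={_b64(_hmac(server_key, auth_message))}"


RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")


def rfc7677_exchange():
    """Non-PLUS exchange from RFC 7677 section 3 (user "user", password "pencil")."""
    cf1 = client_first("user", "rOprNGfwEbeRWgbNEkqO", "n,,")
    sf = server_first(cf1, "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", RFC7677_SALT, 4096)
    cf2 = client_final("pencil", cf1, sf)
    stored_key, server_key = stored_credentials("pencil", RFC7677_SALT, 4096)
    return cf2, server_verify(stored_key, server_key, cf1, sf, cf2)


def plus_exchange(client_cb, server_cb):
    """SCRAM-SHA-256-PLUS with tls-exporter: each side feeds in the exporter value of
    the TLS connection *it* terminates. Credentials, nonces and salt are made up."""
    cf1 = client_first("alice", "Ct6GlV6eoNQ4mc7c", "p=tls-exporter,,")
    sf = server_first(cf1, "3b9A0zDkgwVVSdQn", b"constructed-salt", 4096)
    cf2 = client_final("correct horse", cf1, sf, client_cb)
    stored_key, server_key = stored_credentials("correct horse", b"constructed-salt", 4096)
    return server_verify(stored_key, server_key, cf1, sf, cf2, server_cb) is not None


if __name__ == "__main__":
    print(rfc7677_exchange())
    exporter = bytes(range(32))  # constructed stand-in for the 32-byte tls-exporter value
    print("same channel:", plus_exchange(exporter, exporter))
    print("TLS terminated in the middle:", plus_exchange(exporter, bytes(32)))
```

On IMAP the same messages travel base64-encoded inside AUTHENTICATE continuation lines, so the only protocol-level difference between SCRAM-SHA-256 and the -PLUS variant is the gs2 header and the bytes mixed into c=; the server-side check is what turns that into a guarantee.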


pre-define or alter list of IMAP keywords

2022-08-08 Thread spi

I am using Dovecot 2.3.4.1 with sdbox and mostly Thunderbird on Linux
and FairEmail on Android as IMAP clients.

I use a defined set of IMAP keywords to allow different users to mark
and filter their mails based on keywords. That works pretty well but I
stumble across an issue from time to time:

In TB I can pre-define a list of keywords which the user can choose one
from.

FairEmail shows all those keywords Dovecot presents - there is nothing
like the list in TB.

Issue 1: If there are no mails flagged in a folder, Dovecot doesn't
present any keywords and therefore FairEmail shows none - the user has
to remember and type in the correct keyword.

Issue 2: After some time FairEmail shows a huge list of keywords for the
INBOX, even keywords not in use for quite some time. To get rid of these
keywords I deleted the index files on Dovecot (which with sdbox are not
meant to be deleted?). It seems, Dovecot caches the keywords in the
index files.


Question:

1) Is there a way on Dovecot to define a list of keywords Dovecot
presents to the IMAP clients?

2) If not, is there a nicer way to clean the keyword lists from old
entries not assigned to any mail in that folder?

--
Cheers
spi


Re: how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

2022-08-08 Thread Arjen de Korte

Quoting jean-christophe manciot:

> Hi everyone,
>
> I'm trying to setup dovecot to accept only client certificates created
> with a private CA:
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca =

This is wrong, you should enter your private CA here. If  
'ssl_verify_client_cert' is not set to 'yes', this field should  
generally be empty / not configured.

> At the same time, dovecot is setup with an SSL certificate created by
> a public CA (let's encrypt):
> ssl = required
> ssl_cert =
> ssl_key =
>
> When I try to connect to the server with a client (evolution), I get a
> connection error:
> "Client did not present valid SSL certificate" except that it is valid.
>
> As you probably already know, let's encrypt does not create client
> certificates.
> It seems that using a different CA for client certificates and for the
> server certificate is unsupported.
>
> Am I missing something?
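The separation Arjen describes, as an added example that is not part of the thread and not Dovecot code: a server certificate from one CA, and client certificates verified against a different, private CA. The script shells out to the openssl CLI to mint throwaway certificates (imap.example.test, "Demo public CA", "Demo private CA", alice and mallory are invented names) and then runs real TLS handshakes over loopback with Python's ssl module, with the server side set up the way the settings in the question read: its own chain from the public CA, and the private CA alone as the trust store for client certificates. The CRL that the question bundles into the ssl_ca file is left out to keep the certificate setup short.

```python
"""Mutual TLS with two CAs: server cert from a public CA, client certs
checked only against a private CA. Added example, not Dovecot code."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "imap.example.test"  # made-up server name, placed in the server cert's SAN
REQ_CONFIG = "[ req ]\ndistinguished_name = dn\n[ dn ]\n"  # enough for 'openssl req -subj'
NEWKEY = ("-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes")
CLIENT_EXT = "basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n"


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_ca(work, name, cn):
    """Self-signed CA (key, cert); stands in for Let's Encrypt or for the private CA."""
    key, crt = os.path.join(work, name + ".key"), os.path.join(work, name + ".pem")
    _openssl("req", "-x509", "-config", os.path.join(work, "req.cnf"), *NEWKEY, "-days", "2",
             "-keyout", key, "-out", crt, "-subj", "/CN=" + cn,
             "-addext", "basicConstraints=critical,CA:TRUE",
             "-addext", "keyUsage=critical,keyCertSign,cRLSign")
    return key, crt


def issue(work, name, cn, ca, extensions):
    """Leaf certificate (key, cert) signed by ca=(key, cert) with the given extensions."""
    key, csr, crt, ext = (os.path.join(work, f"{name}.{s}") for s in ("key", "csr", "pem", "ext"))
    with open(ext, "w") as fh:
        fh.write(extensions)
    _openssl("req", "-new", "-config", os.path.join(work, "req.cnf"), *NEWKEY,
             "-keyout", key, "-out", csr, "-subj", "/CN=" + cn)
    _openssl("x509", "-req", "-in", csr, "-CA", ca[1], "-CAkey", ca[0], "-CAcreateserial",
             "-days", "2", "-extfile", ext, "-out", crt)
    return key, crt


def handshake(server, server_trust, client, client_trust):
    """One TLS connection over loopback; True if the server accepted the client cert
    and the client read the greeting. (key, cert) tuples; client=None sends no cert."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server[1], server[0])        # ssl_cert / ssl_key (public CA)
    srv.verify_mode = ssl.CERT_REQUIRED              # auth_ssl_require_client_cert = yes
    srv.load_verify_locations(cafile=server_trust)   # ssl_ca = the private CA
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)    # verifies hostname and chain
    cli.load_verify_locations(cafile=client_trust)   # the client trusts the public CA only
    if client is not None:
        cli.load_cert_chain(client[1], client[0])
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)

    def serve():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"* OK IMAP4rev1 ready\r\n")  # only after a good handshake
        except OSError:
            pass  # handshake failed; the alert has already gone to the client

    thread = threading.Thread(target=serve)
    thread.start()
    greeting = b""
    try:
        raw = socket.create_connection(listener.getsockname(), timeout=5)
        with cli.wrap_socket(raw, server_hostname=HOSTNAME) as tls:
            greeting = tls.recv(64)  # under TLS 1.3 a rejected client cert surfaces here
    except OSError:
        pass
    thread.join()
    listener.close()
    return greeting.startswith(b"* OK")


def demo():
    """Build both CAs and run the three cases the thread is about."""
    work = tempfile.mkdtemp()
    with open(os.path.join(work, "req.cnf"), "w") as fh:
        fh.write(REQ_CONFIG)
    public_ca = make_ca(work, "public-ca", "Demo public CA")     # plays Let's Encrypt
    private_ca = make_ca(work, "private-ca", "Demo private CA")  # what ssl_ca points at
    server = issue(work, "server", HOSTNAME, public_ca,
                   f"subjectAltName=DNS:{HOSTNAME}\nextendedKeyUsage=serverAuth\n")
    alice = issue(work, "alice", "alice", private_ca, CLIENT_EXT)       # proper client cert
    mallory = issue(work, "mallory", "mallory", public_ca, CLIENT_EXT)  # issued by the wrong CA
    return {
        "private_ca_client": handshake(server, private_ca[1], alice, public_ca[1]),
        "public_ca_client": handshake(server, private_ca[1], mallory, public_ca[1]),
        "no_client_cert": handshake(server, private_ca[1], None, public_ca[1]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running it accepts the private-CA client and rejects both the certificate issued by the public CA and the connection without any client certificate, which is the failure the question reports. Against a live Dovecot the same three cases can be driven with openssl s_client on port 993, passing -cert and -key for the client certificate and watching whether the IMAP greeting arrives after the handshake.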






how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

2022-08-08 Thread jean-christophe manciot
Hi everyone,

I'm trying to setup dovecot to accept only client certificates created
with a private CA:
auth_ssl_require_client_cert = yes
ssl_verify_client_cert = yes
ssl_ca =