gssapi considered as PLAIN?
Hello, as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. ([CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=GSSAPI AUTH=PLAIN AUTH=LOGIN] vs [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED]) Why? I'm wondering especially because at http://wiki2.dovecot.org/Authentication/Mechanisms, GSSAPI is correctly listed under “Non-plaintext authentication“. Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. hmk
Re: gssapi considered as PLAIN?
Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. Thanks for the hint, but I don't want to offer PLAIN to my whole LAN. while I do want to offer GSSAPI to my whole LAN. Unfortunately that's not a workarround for me. Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms auth_mechanisms = plain login gssapi root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth disable_plaintext_auth = yes root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks login_trusted_networks = a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI Must be something else ... Check my attached config for differences. Cheer Jan -- MAX-PLANCK-INSTITUT fuer Radioastronomie Jan Behrend - Rechenzentrum Auf dem Huegel 69, D-53121 Bonn Tel: +49 (228) 525 359, Fax: +49 (228) 525 229 jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7 xfs auth_gssapi_hostname = imap.mpifr-bonn.mpg.de auth_krb5_keytab = /etc/krb5-ha.keytab auth_mechanisms = plain login gssapi auth_verbose = yes default_process_limit = 1024 default_vsz_limit = 512 M dict { acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext } doveadm_password = xxx doveadm_port = 50222 listen = 134.104.18.77 lmtp_save_to_detail_mailbox = yes mail_location = mdbox:/var/mail/%Ln/maildrop mail_plugins = acl zlib notify replication managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify mdbox_rotate_size = 10 M namespace mpifr_private { inbox = yes location = prefix = separator = . } namespace mpifr_shared { inbox = no list = children location = mdbox:/var/mail/%%n/maildrop prefix = shared.%%n. separator = . subscriptions = no type = shared } passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf.ext driver = ldap } plugin { acl = vfile acl_defaults_from_inbox = yes acl_shared_dict = proxy::acl mail_replica = tcp:192.168.42.173:50222 sieve = ~/.dovecot.sieve sieve_after = /var/mail/global-after.sieve sieve_dir = ~/sieve sieve_extensions = +notify +imapflags sieve_global_dir = /var/mail zlib_save = gz zlib_save_level = 6 } protocols = imap lmtp sieve pop3 replication_dsync_parameters = -d -l 30 -U -n mpifr_private -n mpifr_shared replication_max_conns = 6 service aggregator { fifo_listener replication-notify-fifo { user = vmail } unix_listener replication-notify { user = vmail } } service anvil { client_limit = 8192 } service auth { client_limit = 8192 unix_listener auth-userdb { group = vmail user = vmail } } service dict { unix_listener dict { group = vmail user = vmail } } service doveadm { inet_listener { address = 192.168.42.105 port = 50222 } } service imap-login { process_min_avail = 5 service_count = 1 } service imap { vsz_limit = 512 M } service indexer-worker { client_limit = 1 process_limit = 10 user = root } service lmtp { inet_listener lmtp { address = 134.104.18.105 port = 24 } } service managesieve-login { inet_listener sieve { address = 134.104.18.77 port = 4190 } service_count = 1 } service pop3-login { process_min_avail = 5 } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } ssl = required ssl_cert = /etc/dovecot/imap.pem ssl_cipher_list = ALL:HIGH:!SSLv2:!LOW:!EXP:!RC4:!MD5:!aNULL ssl_key = /etc/dovecot/private/imap.key ssl_protocols = !SSLv2 !SSLv3 userdb { args = /etc/dovecot/dovecot-ldap-userdb.conf.ext driver = ldap } verbose_proctitle = yes protocol lmtp { mail_plugins = acl zlib notify replication sieve } protocol imap { imap_client_workarounds = tb-lsub-flags mail_max_userip_connections = 20 mail_plugins = acl zlib notify replication imap_acl imap_zlib ssl_cert = /etc/dovecot/imap.pem ssl_key = /etc/dovecot/private/imap.key } protocol pop3 { ssl_cert = /etc/dovecot/pop3.pem ssl_key = /etc/dovecot/private/imap.key } smime.p7s Description: S/MIME cryptographic signature
Re: gssapi considered as PLAIN?
Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms auth_mechanisms = plain login gssapi root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth disable_plaintext_auth = yes root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks login_trusted_networks = a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right? Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote: Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms auth_mechanisms = plain login gssapi root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth disable_plaintext_auth = yes root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks login_trusted_networks = a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right? No, but I didn't show all of it ;-). Here it is: jbehrend@jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de Processed 1 CA certificate(s). Resolving 'imap.mpifr-bonn.mpg.de'... Connecting to '134.104.18.77:143'... - Simple Client Mode: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready. a starttls a OK Begin TLS negotiation now. *** Starting TLS handshake - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1023 bits - Peer's public key: 1023 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg...@mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc' - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'. - Peer's certificate is trusted - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI a OK Pre-login capabilities listed, post-login capabilities have more. Cheers Jan -- MAX-PLANCK-INSTITUT fuer Radioastronomie Jan Behrend - Rechenzentrum Auf dem Huegel 69, D-53121 Bonn Tel: +49 (228) 525 359, Fax: +49 (228) 525 229 jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de smime.p7s Description: S/MIME cryptographic signature
Re: gssapi considered as PLAIN?
Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:15 (localtime): On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote: Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set disable_plaintext_auth = yes, AUTH=GSSAPI vanishes from capabilities. Try setting login_trusted_networks to something you trust. root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms auth_mechanisms = plain login gssapi root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth disable_plaintext_auth = yes root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks login_trusted_networks = a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right? No, but I didn't show all of it ;-). Here it is: jbehrend@jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de Processed 1 CA certificate(s). Resolving 'imap.mpifr-bonn.mpg.de'... Connecting to '134.104.18.77:143'... - Simple Client Mode: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready. a starttls a OK Begin TLS negotiation now. *** Starting TLS handshake - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1023 bits - Peer's public key: 1023 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg...@mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc' - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'. - Peer's certificate is trusted - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI a OK Pre-login capabilities listed, post-login capabilities have more. Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of disable_plaintext_auth is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my kerberos ticket validated :-) disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it doesn't offer until encryption successfully took place. But I don't expect GSSAPI also beeing disabled (regardless if encryption is available or not). I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-) Thanks, -Harry