Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-17 Thread Stephen Feyrer

Hi.

It works, I'm in!  Authentication mechanism set to External and five colons
after {PLAIN}, the command a AUTHENTICATE EXTERNAL = worked.


It was brute force that did the trick; after reading as much as I could
find about /etc/passwd file formats I was still none the wiser.


passwd file looks like this:
Stephen:{PLAIN}:::::nopassword=y

Anyway the result is below:-

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.

a AUTHENTICATE EXTERNAL =
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in

a list  *
* LIST (\HasNoChildren) / INBOX
a OK List completed.
a select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.

* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1268850687] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
a OK [READ-WRITE] Select completed.
DONE


Perhaps in the great game of snakes and ladders, I have now finally  
reached square one?


--
A big Thank YOU!

Stephen Feyrer.

On Tue, 16 Mar 2010 23:10:57 -, Timo Sirainen t...@iki.fi wrote:


> On 17.3.2010, at 1.09, Stephen Feyrer wrote:
> 
>> Hi.
>> 
>> I tried:
>> 
>> Stephen:{EXTERNAL}nopassword=y
> 
> {EXTERNAL} is never going to work anywhere, because there's no such
> password scheme.
> 
>> and
>> 
>> Stephen:{PLAIN}nopassword=y
> 
> This is the wrong format. It's more like:
> 
> Stephen:{PLAIN}nopassword=y
> 
> Just figure out the correct number of : characters (based on the wiki
> page I gave or just brute force).




Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Timo Sirainen
On Tue, 2010-03-16 at 16:57 +, Stephen Feyrer wrote:

> I'm trying to test EXTERNAL AUTHENTICATION in Dovecot.  To do this I first
> configured Thunderbird and Opera to use my server, neither of them were
> successful.  As a result I contacted both organisations to enquire if they
> supported EXTERNAL AUTHENTICATION in their products.  Thunderbird
> responded and said yes.  However, on closer inspection my contact at
> Thunderbird identified that support for EXTERNAL AUTHENTICATION was poor
> at best and then only in SMTP.  From that point on, my contact has been
> trying to implement support in Thunderbird.

I already got a mail about it from David Bienvenu and answered it.

> 01 AUTHENTICATE EXTERNAL
> +
> 01 list  *

The problem is that Dovecot (well, the EXTERNAL mechanism really) expects
the client to send an authorization string after the AUTHENTICATE EXTERNAL
command. Typically you would just give an = line there.





Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Michael M. Slusarz

Quoting Stephen Feyrer st...@toth.org.uk:


> Hi.
> 
> I'm trying to test EXTERNAL AUTHENTICATION in Dovecot.  To do this I
> first configured Thunderbird and Opera to use my server, neither of
> them were successful.  As a result I contacted both organisations to
> enquire if they supported EXTERNAL AUTHENTICATION in their products.
> Thunderbird responded and said yes.  However, on closer inspection
> my contact at Thunderbird identified that support for EXTERNAL
> AUTHENTICATION was poor at best and then only in SMTP.  From that
> point on, my contact has been trying to implement support in
> Thunderbird.

[snip]

> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
> 
> 01 AUTHENTICATE EXTERNAL
> +
> 01 list  *
> 01 NO [ALERT] Invalid base64 data in continued response


This is incorrect.  You need this:

C: 01 AUTHENTICATE EXTERNAL
S: +
C:
S: 01 OK

(you are missing the empty response back to the server)

Or, better yet (since SASL-IR is available):

C: 01 AUTHENTICATE EXTERNAL =
S: 01 OK

michael



Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Stephen Feyrer

Hi.

I am sorry, I didn't understand what is going on.  I knew that David  
Bienvenu had emailed you but I thought I'd done something to break Dovecot  
in some other way.  Again I'm sorry.


How can I use SASL-IR with dovecot?


--
If you think education is expensive, have you tried costing ignorance?

Stephen.

On Tue, 16 Mar 2010 17:02:48 -, Timo Sirainen t...@iki.fi wrote:


> On Tue, 2010-03-16 at 16:57 +, Stephen Feyrer wrote:
> 
>> I'm trying to test EXTERNAL AUTHENTICATION in Dovecot.  To do this I first
>> configured Thunderbird and Opera to use my server, neither of them were
>> successful.  As a result I contacted both organisations to enquire if they
>> supported EXTERNAL AUTHENTICATION in their products.  Thunderbird
>> responded and said yes.  However, on closer inspection my contact at
>> Thunderbird identified that support for EXTERNAL AUTHENTICATION was poor
>> at best and then only in SMTP.  From that point on, my contact has been
>> trying to implement support in Thunderbird.
> 
> I already got a mail about it from David Bienvenu and answered it.
> 
>> 01 AUTHENTICATE EXTERNAL
>> +
>> 01 list  *
> 
> The problem is that Dovecot (well, the EXTERNAL mechanism really) expects
> the client to send an authorization string after the AUTHENTICATE EXTERNAL
> command. Typically you would just give an = line there.





Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Timo Sirainen
On Tue, 2010-03-16 at 18:01 +, Stephen Feyrer wrote:

> How can I use SASL-IR with dovecot?

It's the client that uses it by sending:

AUTHENTICATE EXTERNAL =

instead of:

AUTHENTICATE EXTERNAL
wait for reply
=

so nothing really you can do about it..





Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Stephen Feyrer

Hi.

Thanks.

I am guessing then I can still play with it through openssl s_client.

--
with gratitude

Stephen


On Tue, 16 Mar 2010 18:03:38 -, Timo Sirainen t...@iki.fi wrote:


> On Tue, 2010-03-16 at 18:01 +, Stephen Feyrer wrote:
> 
>> How can I use SASL-IR with dovecot?
> 
> It's the client that uses it by sending:
> 
> AUTHENTICATE EXTERNAL =
> 
> instead of:
> 
> AUTHENTICATE EXTERNAL
> wait for reply
> =
> 
> so nothing really you can do about it..





Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Stephen Feyrer

Hi.

The tests using SASL and SASL-IR in Thunderbird both fail to  
authenticate.  I have tried using openssl s_client with the same result.   
I've run the auth command in three ways just to be sure I got the second  
example right.  I even checked to make sure I've spelt my name right and  
the case of the letters.



# dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl  ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
  postmaster_address: postmas...@ksudra.net
auth default:
  mechanisms: EXTERNAL
  realms: ksudra.net
  default_realm: ksudra.net
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/passwd
  userdb:
    driver: passwd

/opt/etc/dovecot/passwd
Stephen:{EXTERNAL}


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.

01 AUTHENTICATE EXTERNAL =
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=Stephen, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS



$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.

01 AUTHENTICATE EXTERNAL
+

01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=Stephen, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35721

Mar 16 21:40:38 auth(default): Info: client out: CONT 1
Mar 16 21:40:40 auth(default): Info: client in: CONT <hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=Stephen, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS



$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.

01 AUTHENTICATE EXTERNAL
+
01 =
01 NO [ALERT] Invalid base64 data in continued response
DONE

Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailaddress=ce...@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35725

Mar 16 21:42:31 auth(default): Info: client out: CONT 1
Mar 16 21:42:35 auth(default): Info: client in: 

Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Timo Sirainen
On 17.3.2010, at 0.04, Stephen Feyrer wrote:

> The tests using SASL and SASL-IR in Thunderbird both fail to authenticate.  I
> have tried using openssl s_client with the same result.  I've run the auth
> command in three ways just to be sure I got the second example right.  I even
> checked to make sure I've spelt my name right and the case of the letters.

EXTERNAL auth works only if this also works:

a LOGIN username-from-cert ""

i.e. login with empty password.

>   passdb:
>     driver: passwd-file
>     args: /opt/etc/dovecot/passwd
>   userdb:
>     driver: passwd
> 
> /opt/etc/dovecot/passwd
> Stephen:{EXTERNAL}

So try {PLAIN} here.
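As an added example (not Dovecot's code and not anything posted in this thread), the following Python models the server side of the exchanges discussed in the thread: the SASL-IR form `AUTHENTICATE EXTERNAL =`, the `+` continuation answered by an empty line, the base64 error when the continuation carries a tag or another command instead, and Timo's rule above that EXTERNAL can only succeed if the passdb would accept the user with an empty password. `ExternalOnlyImap`, `run_session` and the `empty_password_ok` flag are constructed names, and the certificate-derived username is assumed to be `Stephen` as in the logs.

```python
import base64
import binascii

def decode_sasl_response(text):
    """Decode a client SASL response: the SASL-IR initial response on the
    AUTHENTICATE line, or the reply to the server's '+'. RFC 4959 spells an
    empty initial response '='; an empty continuation line is also empty.
    Anything else must be clean base64, so a tag in that position is an error."""
    if text in ("", "="):
        return b""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("Invalid base64 data in continued response")

class ExternalOnlyImap:
    """Server side of AUTHENTICATE EXTERNAL for one TLS session whose client
    certificate is already verified (cert_username is the identity it proved).
    empty_password_ok models the passdb: EXTERNAL only succeeds if the user
    would also be accepted with an empty password (Timo's LOGIN test)."""
    def __init__(self, cert_username, empty_password_ok):
        self.cert_username = cert_username
        self.empty_password_ok = empty_password_ok
        self.pending_tag = None  # AUTHENTICATE tag still waiting for its reply

    def handle(self, line):
        if self.pending_tag is not None:  # the whole line answers our '+'
            tag, self.pending_tag = self.pending_tag, None
            return self._finish(tag, line)
        tag, _, rest = line.partition(" ")
        words = rest.split(" ")
        if [w.upper() for w in words[:2]] != ["AUTHENTICATE", "EXTERNAL"]:
            return f"{tag} NO [ALERT] Unsupported authentication mechanism."
        if len(words) == 2:  # no SASL-IR initial response: ask for one
            self.pending_tag = tag
            return "+"
        return self._finish(tag, words[2])

    def _finish(self, tag, response):
        try:
            authzid = decode_sasl_response(response).decode()
        except ValueError as exc:
            return f"{tag} NO [ALERT] {exc}"
        # The response is the requested authorization identity; empty means
        # "whoever the certificate says". Any other identity is refused here.
        if authzid not in ("", self.cert_username) or not self.empty_password_ok:
            return f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed."
        return f"{tag} OK Logged in"

def run_session(client_lines, empty_password_ok=True, cert_username="Stephen"):
    server = ExternalOnlyImap(cert_username, empty_password_ok)
    return [server.handle(line) for line in client_lines]
```

`run_session` replays a list of client lines against a fresh session and returns the server's replies, so each of the attempts logged in the thread can be reproduced and compared.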



Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Stephen Feyrer

Hi.

It didn't work.  I tried first with {EXTERNAL} and then with {PLAIN} the  
result below was the same in both cases.


---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.

a LOGIN username-from-cert ""
a NO [ALERT] Unsupported authentication mechanism.
DONE

--
Thanks

Stephen Feyrer

On Tue, 16 Mar 2010 22:12:11 -, Timo Sirainen t...@iki.fi wrote:


> On 17.3.2010, at 0.04, Stephen Feyrer wrote:
> 
>> The tests using SASL and SASL-IR in Thunderbird both fail to
>> authenticate.  I have tried using openssl s_client with the same
>> result.  I've run the auth command in three ways just to be sure I got
>> the second example right.  I even checked to make sure I've spelt my
>> name right and the case of the letters.
> 
> EXTERNAL auth works only if this also works:
> 
> a LOGIN username-from-cert ""
> 
> i.e. login with empty password.
> 
>>   passdb:
>>     driver: passwd-file
>>     args: /opt/etc/dovecot/passwd
>>   userdb:
>>     driver: passwd
>> 
>> /opt/etc/dovecot/passwd
>> Stephen:{EXTERNAL}
> 
> So try {PLAIN} here.






Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Timo Sirainen
And you also tested the external with the {PLAIN} too, right? Well, maybe it 
also wants the nopassword=y extra field. See 
http://wiki.dovecot.org/AuthDatabase/PasswdFile for how to add it. Maybe I should 
add {ANY} or something that makes accepting any password easy..

On 17.3.2010, at 0.41, Stephen Feyrer wrote:

> Hi.
> 
> It didn't work.  I tried first with {EXTERNAL} and then with {PLAIN} the 
> result below was the same in both cases.
> 
> ---
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
> a LOGIN username-from-cert ""
> a NO [ALERT] Unsupported authentication mechanism.
> DONE
> 
> --
> Thanks
> 
> Stephen Feyrer
> 
> On Tue, 16 Mar 2010 22:12:11 -, Timo Sirainen t...@iki.fi wrote:
> 
>> On 17.3.2010, at 0.04, Stephen Feyrer wrote:
>> 
>>> The tests using SASL and SASL-IR in Thunderbird both fail to authenticate.  
>>> I have tried using openssl s_client with the same result.  I've run the 
>>> auth command in three ways just to be sure I got the second example right.  
>>> I even checked to make sure I've spelt my name right and the case of the 
>>> letters.
>> 
>> EXTERNAL auth works only if this also works:
>> 
>> a LOGIN username-from-cert ""
>> 
>> i.e. login with empty password.
>> 
>>>   passdb:
>>>     driver: passwd-file
>>>     args: /opt/etc/dovecot/passwd
>>>   userdb:
>>>     driver: passwd
>>> 
>>> /opt/etc/dovecot/passwd
>>> Stephen:{EXTERNAL}
>> 
>> So try {PLAIN} here.
 
 
 



Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Stephen Feyrer

Hi.

I tried:

Stephen:{EXTERNAL}nopassword=y

and

Stephen:{PLAIN}nopassword=y

Both with the same result below.

--
Thanks,

Stephen Feyrer.

On Tue, 16 Mar 2010 22:47:45 -, Timo Sirainen t...@iki.fi wrote:

> And you also tested the external with the {PLAIN} too, right? Well,
> maybe it also wants the nopassword=y extra field. See
> http://wiki.dovecot.org/AuthDatabase/PasswdFile for how to add it. Maybe I
> should add {ANY} or something that makes accepting any password easy..
> 
> On 17.3.2010, at 0.41, Stephen Feyrer wrote:
> 
>> Hi.
>> 
>> It didn't work.  I tried first with {EXTERNAL} and then with {PLAIN}
>> the result below was the same in both cases.
>> 
>> ---
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
>> 
>> a LOGIN username-from-cert ""
>> a NO [ALERT] Unsupported authentication mechanism.
>> DONE
>> 
>> --
>> Thanks
>> 
>> Stephen Feyrer


Re: [Dovecot] Testing EXTERNAL AUTHENTICATION

2010-03-16 Thread Timo Sirainen
On 17.3.2010, at 1.09, Stephen Feyrer wrote:

> Hi.
> 
> I tried:
> 
> Stephen:{EXTERNAL}nopassword=y

{EXTERNAL} is never going to work anywhere, because there's no such password 
scheme.

 
> and
> 
> Stephen:{PLAIN}nopassword=y

This is the wrong format. It's more like:

Stephen:{PLAIN}nopassword=y

Just figure out the correct number of : characters (based on the wiki page I 
gave or just brute force).