"JARRY Jérémy"
2012-Aug-16 08:41 UTC
[Dovecot] Postfix & Dovecot: Client certificate authentication
Hello,

I would like to set up an authentication using certificate with Dovecot: A user sends mail to Postfix and Dovecot authentication is valid only if certificate is trusted.

So, I enable the parameter auth_ssl_require_client_cert in dovecot configuration but it is not running. Here are the postfix logs:

Aug 16 09:51:48 myserver dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 16 09:51:48 myserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 16 09:51:48 myserver dovecot: auth: Debug: auth client connected (pid=6922)
Aug 16 09:51:51 myserver dovecot: auth: Debug: client in: AUTH	1	PLAIN	service=smtp	nologin	lip=127.0.0.1	rip=127.0.0.1	secured	resp=xxx
Aug 16 09:51:51 myserver postfix/smtpd[6922]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
Aug 16 09:51:51 myserver dovecot: auth: PLAIN(?,127.0.0.1): Client didn't present valid SSL certificate
Aug 16 09:51:51 myserver dovecot: auth: Debug: client out: FAIL	1	reason=Client didn't present valid SSL certificate
Aug 16 09:51:51 myserver dovecot: auth: Debug: client in: AUTH	2	LOGIN	service=smtp	nologin	lip=127.0.0.1	rip=127.0.0.1	secured
Aug 16 09:51:51 myserver dovecot: auth: LOGIN(?,127.0.0.1): Client didn't present valid SSL certificate
Aug 16 09:51:51 myserver dovecot: auth: Debug: client out: FAIL	2	reason=Client didn't present valid SSL certificate
Aug 16 09:51:51 myserver postfix/smtpd[6922]: warning: localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed: Client didn't present valid SSL certificate

It seems Postfix doesn't send the client certificate to Dovecot. What do you think? What is wrong?
Below is some information about my configuration:

OS: RHEL5
Postfix: 2.7.3
Dovecot: 2.0.14

Dovecot config:

auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_verbose = yes
mail_debug = yes
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = none
service auth {
  unix_listener /data/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
ssl = required
ssl_ca = </etc/dovecot/ca.pem
ssl_cert = </etc/dovecot/cert.pem
ssl_key = </etc/dovecot/key.pem
ssl_verify_client_cert = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
verbose_ssl = yes

Thanks for your help
Timo Sirainen
2012-Aug-16 08:54 UTC
[Dovecot] Postfix & Dovecot: Client certificate authentication
On 16.8.2012, at 11.41, JARRY Jérémy wrote:

> I would like to set up an authentication using certificate with Dovecot: A user sends mail to Postfix and Dovecot authentication is valid only if certificate is trusted.
>
> So, I enable the parameter auth_ssl_require_client_cert in dovecot configuration but it is not running. Here are the postfix logs:
..
> Aug 16 09:51:51 myserver postfix/smtpd[6922]: warning: localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed: Client didn't present valid SSL certificate
>
> It seems Postfix doesn't send the client certificate to Dovecot. What do you think? What is wrong?

Correct. Postfix doesn't send it to Dovecot, so you can't do this currently. I'm not sure if this would require about 2 lines of code or hundreds to Postfix.
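
Added example, not part of the original thread and not Dovecot or Postfix code: a log check that parses the "client in: AUTH" debug lines shown above and lists the requests that reach the auth process without a certificate flag. The parameter names valid-client-cert and cert_username are taken from Dovecot's auth protocol documentation rather than from this thread, and sample request 3 is constructed to show a request that carries them.

```python
import re

# Constructed sample. Requests 1 and 2 are the AUTH lines from the logs above
# (tabs restored); request 3 is hypothetical and shows the flag that is missing.
PREFIX = "Aug 16 09:51:51 myserver dovecot: auth: Debug: client in: "
SAMPLE_LOG = "\n".join([
    PREFIX + "AUTH\t1\tPLAIN\tservice=smtp\tnologin\tlip=127.0.0.1\trip=127.0.0.1\tsecured\tresp=xxx",
    PREFIX + "AUTH\t2\tLOGIN\tservice=smtp\tnologin\tlip=127.0.0.1\trip=127.0.0.1\tsecured",
    PREFIX + "AUTH\t3\tPLAIN\tservice=imap\tsecured\tvalid-client-cert\tcert_username=alice\tresp=xxx",
    "Aug 16 09:51:51 myserver dovecot: auth: Debug: client out: FAIL\t1\treason=x",
])

# Fields are tab-separated on the wire; syslog may render tabs as "#011" or spaces.
SEP = r"(?:#011|\s)+"
AUTH_RE = re.compile(r"client in: (AUTH" + SEP + r".*)$")


def parse_auth_request(line):
    """Return id, mechanism, bare flags and key=value params of an AUTH line, or None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    fields = re.split(SEP, m.group(1).strip())
    if len(fields) < 3:
        return None
    _, req_id, mech, *rest = fields
    flags, params = set(), {}
    for field in rest:
        key, sep, value = field.partition("=")
        if sep:
            params[key] = value
        else:
            flags.add(key)
    return {"id": req_id, "mech": mech, "flags": flags, "params": params}


def requests_without_client_cert(log_text):
    """List (id, mechanism, service) for AUTH requests lacking valid-client-cert."""
    missing = []
    for line in log_text.splitlines():
        req = parse_auth_request(line)
        if req and "valid-client-cert" not in req["flags"]:
            missing.append((req["id"], req["mech"], req["params"].get("service")))
    return missing


if __name__ == "__main__":
    for req_id, mech, service in requests_without_client_cert(SAMPLE_LOG):
        print(f"AUTH {req_id} ({mech}, service={service}): no valid-client-cert from auth client")
```

Run against a real auth debug log, every service=smtp request listed here will be rejected while auth_ssl_require_client_cert = yes is set, which matches the failures in the thread.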