Harondel J. Sibble
2008-Oct-22 00:18 UTC
[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients
This issue is peripherally related to the following thread:

Re: [Dovecot] client certs with godaddy ssl cert

This is running on CentOS 5.2 with latest Atrpms for Dovecot as of this weekend.

# rpm -qa | grep dovecot
dovecot-sieve-1.1.5-8.el5
dovecot-1.1.4-0_81.el5

With assistance from Rainer Frey (Inxmail GmbH), I am able to successfully use client ssl certs for imap access on both my Nokia e61i and Thunderbird 2.0.0.17; the problem now is dovecot sasl and postfix smtp authentication.

Using the same self-created CA that generates and certifies the ssl client certs in Postfix and using Dovecot SASL, I always get "client didn't send proper ssl cert" when trying to do a tls based smtp connection from either the e61i or tbird.

Cranking up the peer debug level in Postfix, I see the connection is always rejected by Dovecot SASL, eg:

Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15 got 45
Oct 21 16:39:07 myserver postfix/smtpd[18189]: < mycomp.myserver.net[10.11.12.5]: AUTH PLAIN ********************************************
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first: sasl_method PLAIN, init_response **************************************=
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16 flush 64
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16 got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply: auth reply: FAIL?1?reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: warning: mycomp.myserver.net[10.11.12.5]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: > mycomp.myserver.net[10.11.12.5]: 535 5.7.0 Error: authentication failed: Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: watchdog_pat: 0x868a570
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 15 flush 85
Oct 21 16:39:07 myserver dovecot: auth(default): client in: AUTH 1 PLAIN service=smtp resp=*********************************************=
Oct 21 16:39:07 myserver dovecot: auth(default): PLAIN(?): Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver dovecot: auth(default): client out: FAIL 1 reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15 got 12
Oct 21 16:39:07 myserver postfix/smtpd[18189]: < mycomp.myserver.net[10.11.12.5]: AUTH LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first: sasl_method LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16 flush 26
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16 got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply: auth reply: FAIL?2?reason=Client didn't present valid SSL certificate

Not sure where to look now; I've configured dovecot and postfix as per their respective wikis. Here are the relevant config entries.

/etc/postfix/main.cf

### Oct 11/08 - added to allow dovecot sasl for smtp auth
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous

### Oct 11/08 - added to allow tls smtp authentication with client certs
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server.myserver.net

### these are the self signed CA based authentication keys, this CA created
### the client certs for the nokia e61i and the Thunderbird 2.0.0.17
smtpd_tls_key_file = /etc/postfix/ssl/server.myserver.net.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.myserver.net.crt
### this is the ca cert and crl combined
smtpd_tls_CAfile = /etc/postfix/ssl/ca1.crt

dovecot -n

# 1.1.4: /etc/dovecot.conf
protocols: imaps pop3s
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt
ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert
ssl_key_file: /etc/pki/tls/private/server.myserver.net.key
ssl_verify_client_cert: yes
ssl_require_client_cert = yes
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
auth default:
  mechanisms: plain login
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

Interestingly enough, the mode line in the dovecot.conf file is set as 0660, not 432 as noted above?!?!?

What else should I be looking at to troubleshoot this issue?

-- 
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)
Eduardo M KALINOWSKI
2008-Oct-22 10:36 UTC
[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients
Harondel J. Sibble wrote:
> dovecot -n
>
> # 1.1.4: /etc/dovecot.conf
> protocols: imaps pop3s
> ssl_listen(default): *:993
> ssl_listen(imap): *:993
> ssl_listen(pop3): *:995
> ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt
> ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert
> ssl_key_file: /etc/pki/tls/private/server.myserver.net.key
> ssl_verify_client_cert: yes
> ssl_require_client_cert = yes
> verbose_ssl: yes
> login_dir: /var/run/dovecot/login
> login_executable(default): /usr/libexec/dovecot/imap-login
> login_executable(imap): /usr/libexec/dovecot/imap-login
> login_executable(pop3): /usr/libexec/dovecot/pop3-login
> mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes
> mail_debug: yes
> mail_executable(default): /usr/libexec/dovecot/imap
> mail_executable(imap): /usr/libexec/dovecot/imap
> mail_executable(pop3): /usr/libexec/dovecot/pop3
> mail_plugin_dir(default): /usr/lib/dovecot/imap
> mail_plugin_dir(imap): /usr/lib/dovecot/imap
> mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
> auth default:
>   mechanisms: plain login
>   debug: yes
>   debug_passwords: yes
>   ssl_require_client_cert: yes
>   passdb:
>     driver: pam
>   userdb:
>     driver: passwd
>   socket:
>     type: listen
>     client:
>       path: /var/spool/postfix/private/auth
>       mode: 432
>       user: postfix
>       group: postfix
>
> Interestingly enough the mode line in the dovecot.conf file is set as 0660,
> not 432 as noted above?!?!?

0660 (octal) = 432 (decimal), so the setting is OK.

-- 
Clever is the man who believes only half of what he is told. Brilliant is the man who knows which half to believe.

Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
http://move.to/hpkb
Timo Sirainen
2008-Oct-22 17:37 UTC
[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients
On Tue, 2008-10-21 at 17:18 -0700, Harondel J. Sibble wrote:
> Using the same self created CA that generates and certifies the ssl client
> certs in Postfix and using Dovecot SASL, I always get client didn't send
> proper ssl cert when trying to do a tls based smtp connection from either the
> e61i or tbird.

I don't think Postfix ever sends the "valid-cert" parameter that's required for Dovecot to treat the authentication as valid.
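To make Timo's point concrete, here is an added Python sketch of the auth-socket exchange visible in the logs above. It is not Dovecot's or Postfix's code; the flag Timo calls "valid-cert" is spelled valid-client-cert in the Dovecot auth client protocol, where imap-login adds it after verifying the certificate itself, while the request Postfix writes to private/auth carries no such flag. User names, passwords and request lines are constructed for the example.

```python
import base64
import re

CERT_FAIL = "Client didn't present valid SSL certificate"

def parse_auth_request(line):
    """Split an auth-protocol AUTH line into id, mechanism, key=value params and bare
    flags. The wire format is TAB-separated; Dovecot's debug log renders it with spaces."""
    fields = [f for f in re.split(r"[\t ]+", line.strip()) if f]
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    req = {"id": int(fields[1]), "mech": fields[2].upper(), "params": {}, "flags": set()}
    for field in fields[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        else:
            req["flags"].add(field)
    return req

def plain_response(user, password, authzid=""):
    """Base64 SASL PLAIN initial response: authzid NUL authcid NUL password."""
    raw = b"\0".join(s.encode() for s in (authzid, user, password))
    return base64.b64encode(raw).decode()

def handle_auth(line, ssl_require_client_cert, passdb):
    """Reply line for one AUTH request. As in Dovecot, the client-certificate
    requirement is checked before the credentials are even decoded."""
    req = parse_auth_request(line)
    rid = req["id"]
    if ssl_require_client_cert and "valid-client-cert" not in req["flags"]:
        return "FAIL\t%d\treason=%s" % (rid, CERT_FAIL)
    if req["mech"] != "PLAIN" or "resp" not in req["params"]:
        return "CONT\t%d\t" % rid  # LOGIN etc. would be sent a challenge here
    parts = base64.b64decode(req["params"]["resp"]).split(b"\0")
    if len(parts) != 3:
        return "FAIL\t%d\treason=malformed PLAIN response" % rid
    user = parts[1].decode()
    if passdb.get(user) == parts[2].decode():
        return "OK\t%d\tuser=%s" % (rid, user)
    return "FAIL\t%d\tuser=%s" % (rid, user)

# Constructed sample data, not taken from the thread.
PASSDB = {"alice": "s3cret"}
RESP = plain_response("alice", "s3cret")
# What Postfix smtpd writes to private/auth: no valid-client-cert flag, so it
# fails under ssl_require_client_cert=yes regardless of the password.
SMTP_LINE = "AUTH\t1\tPLAIN\tservice=smtp\tresp=" + RESP
# What imap-login sends after verifying the client certificate itself.
IMAP_LINE = "AUTH\t2\tPLAIN\tservice=imap\tsecured\tvalid-client-cert\tresp=" + RESP
```

Running handle_auth(SMTP_LINE, True, PASSDB) reproduces the "FAIL 1 reason=Client didn't present valid SSL certificate" reply from the logs, while the same credentials on IMAP_LINE succeed.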
Harondel J. Sibble
2008-Oct-22 17:57 UTC
[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients
On 22 Oct 2008 at 20:37, Timo Sirainen wrote:
> I don't think Postfix ever sends the "valid-cert" parameter that's
> required for Dovecot to treat the authentication as valid.

Bummer, any suggested workarounds, or should I be looking at a different MTA that is known to work with Dovecot's SASL implementation?

-- 
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)