thr3ads.net - dovecot - [Dovecot] Secure Sockets Layer client certificate authentication [May 2009]

If this information is useful, please help other people find it:
Share via:

Stephen Feyrer

2009-May-25 13:51 UTC

[Dovecot] Secure Sockets Layer client certificate authentication

Hi everyone.

Please note, I've asked a very similar question before and I apologize
for sounding like a broken record.  Well here it goes.

What I want to do is authenticate my users using a certificate.  Thereby
authenticating both the user and server with strong tokens that are
centrally managed. In the worst case scenario the user should only need
to enter a password for the certificate store and then the certificate
should trigger the appropriate level of access to their account.

Is Dovecot the correct tool for the job?

If yes then, how?

Else if not, then what would you recommend?


I have tried setting the auth mechanism to anonymous without any joy.
My password file is set with nopassword.  All my certificates work well
with the Secure Sockets Layer system.

This is the configuration I am currently running:
# 1.2.beta1: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl
log_path: /opt/var/log/dovecot.log
info_log_path: /opt/var/log/dovecot-info.log
protocols: imaps
ssl_ca_file: /opt/etc/ssl.ca/cacrl.pem
ssl_cert_file: /opt/etc/ssl.ca/newcerts/imap.cer
ssl_key_file: /opt/etc/ssl.ca/private/imap.key
ssl_parameters_regenerate: 24
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
disable_plaintext_auth: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_user: guest
login_processes_count: 2
login_max_processes_count: 4
mbox_write_locks: fcntl
mail_process_size: 512
imap_client_workarounds: outlook-idle tb-negative-fetch
auth default:
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/h.org/passwd
  userdb:
    driver: passwd

This is a log of a login attempt:
dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/O=home.org/emailAddress=admin at nas2.h.org/L=W/ST=C/C=G/CN=h.org
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/C=G/ST=C/O=h.org/OU=K F/CN=k
dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585
dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH	1	PLAIN
service=imap	secured	valid-client-cert	cert_username=k	lip=10.1.1.245
rip=10.1.1.1	lport=993	rport=53430
dovecot: May 25 11:56:16 Info: auth(default): client out: CONT	1	
dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden>
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
lookup: user=k file=/opt/etc/dovecot/h.org/passwd
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
No password
dovecot: May 25 11:56:16 Info: auth(default): client out: OK	1	user=k
dovecot: May 25 11:56:16 Info: auth(default): master in: REQUEST	6	22164	1
dovecot: May 25 11:56:16 Info: auth(default): passwd(k,10.1.1.1): lookup
dovecot: May 25 11:56:16 Info: auth(default): master out: USER	6	k
system_user=k	uid=500	gid=100	home=/
dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>,
method=PLAIN, rip=10.1.1.1, lip=10.1.1.245, TLS

With this configuration the client will connect over ssl and identify
itself with a certificate but a client password is still required.



--
Regards

Stephen.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3322 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090525/9f8b46da/attachment-0002.bin>

Charles Marcus

2009-May-25 14:39 UTC

head link

[Dovecot] Secure Sockets Layer client certificate authentication

On 5/25/2009, Stephen Feyrer (steve at toth.org.uk)
wrote:> This is the configuration I am currently running:
> # 1.2.beta1: /opt/etc/dovecot/dovecot.conf
If you are going to run unstable versions of s/w, you should be prepared
to run the *latest* versions as soon as they are released, in order to
avoid wasting both your and the developers time
troubleshooting/reporting problems that very well may be fixed already.

If/when you encounter a problem, check versions, update to latest if
available, retest, *then* report problem if it still exists.

1.2.beta1 is 3.5 months old. *Lots* of changes since then.

-- 

Best regards,

Charles

Timo Sirainen

2009-May-25 23:38 UTC

head link

[Dovecot] Secure Sockets Layer client certificate authentication

On Mon, 2009-05-25 at 14:51 +0100, Stephen Feyrer wrote:>   passdb:
>     driver: passwd-file
>     args: /opt/etc/dovecot/h.org/passwd
..> With this configuration the client will connect over ssl and identify
> itself with a certificate but a client password is still required.
Right. A password is always required, but you can set Dovecot to accept
any password. Set the password field empty in the passwd file and add
nopassword extra field. http://wiki.dovecot.org/AuthDatabase/PasswdFile


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090525/1c060150/attachment-0002.bin>

Possibly Parallel Threads

Search for more seemingly similar threads

dovecot - May 2009 - Secure Sockets Layer client certificate authentication

[Dovecot] Secure Sockets Layer client certificate authentication

[Dovecot] Secure Sockets Layer client certificate authentication

[Dovecot] Secure Sockets Layer client certificate authentication

Possibly Parallel Threads