Fabrice MATHIEU
2010-Apr-28 17:12 UTC
[Dovecot] Question about auth multiple configuration
Hello,

My mail system is built with postfix, dovecot and roundcube.
At first, users can view and "manage" their mail only on the webmail. So this one (webmail) uses IMAP (no tls/ssl at all) authentication to give access to the users' maildirs. This connection is made on the 'loopback' interface and uses the PLAIN method.
This works fine (configuration below without ssl parameters).

Now I want to see and send my mail with a MUA (thunderbird). As my system is at an Internet provider I want to add more security "solutions". I use smtps with postfix and SASL/auth through the dovecot socket mechanism to send mail. I use imaps with dovecot for managing my maildir.
I have added ssl parameters to the configuration file (see below) and I require a certificate from the client (to avoid man in the middle attacks and to give access only to clients with a user certificate). To get this, "ssl_require_client_cert" is set to yes.

Ok, now imaps works perfectly. But since a certificate is required, webmail authentication (localhost) and SASL (postfix auth through the dovecot socket mechanism) don't work.

Webmail => dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Postfix => postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate

That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so isn't auth possible without a certificate?
Can't we make two auth policies: secure (client crt required) for public IP/clients, and less "secure" (without client crt) for local processes (postfix) and the local network (127.0.0.1) for roundcube?
I see the section "auth default { ... }" and it is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?

Thank you.
And then my configuration:

operating system => FreeBSD 7.1
dovecot --version => 1.2.8
dovecot -n =>

# 1.2.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE i386 ufs
protocols: imap
listen: 127.0.0.1
ssl_listen: X.Y.Z.T
ssl: yes
ssl_ca_file: /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file: /usr/local/etc/dovecot/imaps.pem
ssl_key_file: /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/jails/mails/%d/%n
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
lda:
  postmaster_address: postmaster at SOMETHING
  hostname: SOMETHING_ELSE
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  userdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: wheel
    master:
      path: /var/run/dovecot/auth-master
      mode: 384

Best regards,
Heiko Schlittermann
2010-Apr-28 19:34 UTC
[Dovecot] Question about auth multiple configuration
Fabrice MATHIEU <simpsons_bart_cs at hotmail.com> (Mi 28 Apr 2010 19:12:31 CEST):
> Hello,
>
> My mail system is built with postfix, dovecot and roundcube.
> At first, users can view and "manage" their mail only on the webmail.
> So this one (webmail) uses IMAP (no tls/ssl at all) authentication to give access to the users' maildirs. This connection is made on the 'loopback' interface and uses the PLAIN method.
> This works fine (configuration below without ssl parameters).
(…)
> That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so isn't auth possible without a certificate?
>
> Can't we make two auth policies: secure (client crt required) for public IP/clients, and less "secure" (without client crt) for local processes (postfix) and the local network (127.0.0.1) for roundcube?
> I see the section "auth default { ... }" and it is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?
(…)

If I understood well, you're looking for the config option like login_trusted_networks (as available in 1.2.11, I don't know since when).

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
Fabrice MATHIEU
2010-Apr-28 21:32 UTC
[Dovecot] Question about auth multiple configuration
> Date: Wed, 28 Apr 2010 21:34:03 +0200
> From: hs at schlittermann.de
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] Question about auth multiple configuration
>
> Fabrice MATHIEU <simpsons_bart_cs at hotmail.com> (Mi 28 Apr 2010 19:12:31 CEST):
> > Hello,
> >
> > My mail system is built with postfix, dovecot and roundcube.
> > At first, users can view and "manage" their mail only on the webmail.
> > So this one (webmail) uses IMAP (no tls/ssl at all) authentication to give access to the users' maildirs. This connection is made on the 'loopback' interface and uses the PLAIN method.
> > This works fine (configuration below without ssl parameters).
> (…)
> > That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so isn't auth possible without a certificate?
> >
> > Can't we make two auth policies: secure (client crt required) for public IP/clients, and less "secure" (without client crt) for local processes (postfix) and the local network (127.0.0.1) for roundcube?
> > I see the section "auth default { ... }" and it is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?
> (…)
>
> If I understood well, you're looking for the config option like
> login_trusted_networks (as available in 1.2.11, I don't know since when).
>
> Best regards from Dresden/Germany
> Many greetings from Dresden
> Heiko Schlittermann

First, thank you for your answer.

I suppose this version is available in version 1.2.8; I have got it (commented) in the default configuration file.

### begin COTE
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks
### end COTE

I guess that IPs listed here can "bypass" some checks. ssl_require_client_cert too? I will try it.

More information if it can help! Here is an example of my configuration:

                                                                  mail - server
  workstation with MUA     --> ISP1 - modem --(smtps, port 2025)--> smtpds - postfix ---------> UNIX socket "dovecot auth" --> internal cnx ?
  (thunderbird)                            --(imaps, port 993)---> dovecot imaps (public IP) --------------------------------> internal cnx ?
  workstation with browser --> ISP2 - modem --(https, port 443)---> httpd - roundcube -------> dovecot imap (127.0.0.1) -----> internal cnx ?
  (FireFox)                                                                           -------> smtpd normal

IPs is the server public IP
IPm is the workstation public IP (which is visible by public stations) which has the MUA
IPb is the workstation public IP (which is visible by public stations) which has the Internet browser
IPlb is the loopback IP (127.0.0.1)

There are three cases:
A) User sends/manages his mail via the webmail
B) User manages his mail via MUA by imaps
C) User sends mail via MUA by smtps

A)
- User gets access to the webmail site (no need to describe it here)
- Username/password written in the login page are used by the webmail program, which tries to login/auth on the imap service via IPlb (port 143)
- This connection must be "clear" => no ssl handshake needed
- if "ssl_require_client_cert" is set to "yes" => dovecot says that a client certificate is needed and login fails (see description in the first thread)
- Granted access depends on the imap service response

B)
- User uses his MUA to check the mailbox
- the software connects to the imaps service (IPs port 993). Before anything it starts with an ssl handshake. The imaps service requires one client certificate issued by a specified Certificate Authority (which is known by dovecot).
- If the client cert is not valid, the session should end up! That's why "ssl_require_client_cert" is set to "yes".
- If it is valid, then the client (MUA) runs the login process and the client gets access.

C)
- User uses his MUA, too, to send an email.
- the software tries to connect to the smtpds (IPs port 2025) service (which is configured to require a TLS session to get smtp relay access).
- the MUA asks to begin TLS (starttls)
- the handshake is made and the MUA sends his client certificate (the same as for imaps).
- Now, sasl authentication is needed. So the MUA sends the user/pass known by dovecot
- postfix uses the dovecot auth unix socket to submit the client credentials
- if "ssl_require_client_cert" is set to "yes" => login fails and says that the client cert is not valid (see description in the first thread)
- if "ssl_require_client_cert" is set to "no" => login succeeds and the client can send mails

Depending on the value of "ssl_require_client_cert":
Set to "no" => I can access the webmail and send mail via smtps but not get imaps access (more precisely yes, but without a client cert needed (it is less secure))
Set to "yes" => I cannot access the webmail/smtps but I can use imaps with strong authentication (client cert required)

Another point: As the postfix sasl mechanism uses a unix socket to check user/pass, why is a client certificate needed? I suppose it doesn't work like an IP connection...

The question is: With dovecot configuration (multiple auth YYY { ... } blocks?) or anything else, can I force SSL/client certificate for imaps connections and "clear" (no SSL) connections for local imap/unix socket?

Thank you.

Best regards,
On Wed, 2010-04-28 at 19:12 +0200, Fabrice MATHIEU wrote:
> That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot,
> so isn't auth possible without a certificate?

It's considered secure against man-in-the-middle attacks, but requiring an SSL cert is more about authentication. I know in some setups people don't use passwords at all, only the SSL cert. So if I did this change, in such setups localhost could log in as any user, which is clearly pretty bad.

> Can't we make two auth policies: secure (client crt required) for
> public IP/clients, and less "secure" (without client crt) for local
> processes (postfix) and the local network (127.0.0.1) for roundcube?

The only way I can think of is to run two Dovecots, one listening for localhost and another listening for the external IP, both using different config files.

> I see the section "auth default { ... }" and it is used by ... default! But
> can we make another one to handle these two particular authentications on
> the same "instance"?

auth sections won't help. v2.0 makes this almost possible, it just doesn't yet have per-IP settings support for auth settings.
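One way to lay out the two-instance setup suggested above, as an added example that is not from the thread or from the Dovecot project: two Dovecot 1.2 config files, each started with its own "dovecot -c <file>" and its own base_dir so the run-time sockets (and the login_dir under it) do not collide. The file paths, the dovecot-local/dovecot-public base_dir names and the placeholder public IP X.Y.Z.T are assumptions; the key syntax is that of the config file, not of the dovecot -n listing quoted earlier.

```conf
# /usr/local/etc/dovecot-local.conf   (assumed path)
# Instance 1: plaintext IMAP on loopback for roundcube, and the auth socket
# postfix uses. No client certificate is required on this instance.
base_dir = /var/run/dovecot-local/      # own base_dir per instance (assumed name)
protocols = imap
listen = 127.0.0.1
ssl = no                                # no imaps / STARTTLS on loopback
mail_location = maildir:/jails/mails/%d/%n
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = username_format=%n /jails/mails/dov_pass/%d/usr_pas
  }
  userdb passwd-file {
    args = username_format=%n /jails/mails/dov_pass/%d/usr_pas
  }
  ssl_require_client_cert = no
  socket listen {
    client {
      path = /var/spool/postfix/private/auth   # socket postfix uses for SASL
      mode = 0660
      user = postfix
      group = wheel
    }
  }
}

# /usr/local/etc/dovecot-public.conf   (assumed path)
# Instance 2: imaps on the public IP only. A client certificate chained to
# CAclient.pem is mandatory here; localhost and postfix never reach it.
base_dir = /var/run/dovecot-public/     # own base_dir per instance (assumed name)
protocols = imap
listen = X.Y.Z.T
ssl_listen = X.Y.Z.T
ssl = required                          # port 143 on the public IP must STARTTLS
ssl_ca_file = /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file = /usr/local/etc/dovecot/imaps.pem
ssl_key_file = /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert = yes
mail_location = maildir:/jails/mails/%d/%n
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = username_format=%n /jails/mails/dov_pass/%d/usr_pas
  }
  userdb passwd-file {
    args = username_format=%n /jails/mails/dov_pass/%d/usr_pas
  }
  ssl_require_client_cert = yes
}
```

Both instances point at the same mail_location, so the per-connection policy is expressed purely by which address each instance listens on.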
Fabrice MATHIEU
2010-Apr-29 17:31 UTC
[Dovecot] Question about auth multiple configuration
Hello,

Thank you for your answer. I will wait for v2.0.
I will try to make two dovecot configurations, but can this cause problems with concurrent access (processes) to the maildir?

Thank you.

Best regards,

> > That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot,
> > so isn't auth possible without a certificate?
>
> It's considered secure against man-in-the-middle attacks, but requiring
> an SSL cert is more about authentication. I know in some setups people
> don't use passwords at all, only the SSL cert. So if I did this change,
> in such setups localhost could log in as any user, which is clearly
> pretty bad.
>
> > Can't we make two auth policies: secure (client crt required) for
> > public IP/clients, and less "secure" (without client crt) for local
> > processes (postfix) and the local network (127.0.0.1) for roundcube?
>
> The only way I can think of is to run two Dovecots, one listening for
> localhost and another listening for the external IP, both using different
> config files.
>
> > I see the section "auth default { ... }" and it is used by ... default! But
> > can we make another one to handle these two particular authentications on
> > the same "instance"?
>
> auth sections won't help. v2.0 makes this almost possible, it just
> doesn't yet have per-IP settings support for auth settings.