dovecot - Feb 2014 - AUTH_USER variable has invalid value in checkpassword Script

Dear dovecot experts:

We are using client certificates to authenthicate against a
Dovecot server. Our certificates contain a x500UniqueIdentifier.
I'm absolutely sure that the value of the x500UniqueIdentifier
was stored into the AUTH_USER when I tested my setup
last year.

This has somehow changed and now AUTH_USER always
contains the username. This has fatal consequences as now
every owner of a valid certificate can logon as any user.

Here are some more details of our setup:

We are using a checkpassword-Script that does the following:

1. Read Username and Password from file descriptor 3
2. If (AUTH_CERT=="valid") and (AUTH_USER==Username) then
user is authenticated
3 If (AUTH_CERT=="valid") and (AUTH_USER<>Username) then
authentication is rejected (User a tries to logon as User B)
4 If (AUTH_CERT<>"valid) we calculate the current OATH value
for Usernames TOTP-token and compare that with the provided
password.

The last step is the reason why we are using a checkpassword script.
Our smartphone users cannot use a smartcard but enter a password
that was created by an OTP generator, so programming my own
checkpassword script was my only option.

AUTH_USER contains the username even if the x500UniqueIdentifier
from the users certificate does not, so step 2 happens when step 3
should happen.

I did the initial testing with Dovecot 2.2.6. At that time we were using
both port 143 and 993. We now use Dovecot 2.2.7 and port 993 only.
This should not make a difference but I will recompile 2.2.6 right after
sending this posting.

Kind regards and thank you very much for this wonderful IMAP server

Peter Koch

current dovecot.conf:
---------------------------------------------------------
# Dovecot configuration file

default_process_limit = 2048
protocols = imap
listen    = *
base_dir  = /var/dovecot/

mail_location = maildir:/mail/%u:LAYOUT=fs

ssl_cert = </etc/ssl/certs/imap.crt
ssl_key  = </etc/ssl/private/imap.key
ssl_ca   = </etc/ssl/certs/imap-ca.crt
ssl_verify_client_cert  = yes
ssl_cert_username_field = x500UniqueIdentifier

service imap-login {
  inet_listener imap {
    port = 0
  }
}
service auth {
  client_limit = 4096
}
service anvil {
  client_limit = 5000
}
passdb {
  driver = checkpassword
  args   = /usr/dovecot/bin/checkpassword
}
userdb {
  driver          = passwd
  override_fields = home=/mail/%u
}
protocol imap {
   mail_max_userip_connections = 1000
}