dovecot - Apr 2014 - Incompatibility Thunderbirds Auth Mech TLS-Certificate <-> Dovecot

Hello,

it seems there there is an issue regarding "TLS-Certtificate"
authentication in Thunderbird and Dovecot. Obviously client certificate
is recognized by Dovecot:

Apr 25 14:29:01 dovecot dovecot: imap-login: Valid certificate:
/emailAddress=christian.felsing at example.net/CN=Christian Felsing
(Test)/OU=CF Certificates/O=example.net/C=DE

AFAIK Dovecot always requires IMAP login, even in "static" passdb
config. Static means arbitrary password is ok, but not "no login"

I hope, I am wrong, following log entry gave a hint, what Thunderbird
does or more precisely - not do:

Apr 25 14:29:01 dovecot dovecot: imap-login: Disconnected (no auth
attempts in 5 secs): user=<>, rip=192.168.1.99, lip=192.168.42.1, TLS,
session=<3+1THN33NQBtWq5D>

Dovecot wants an IMAP login, but Thunderbird does not so. I am not sure
if that is a bug (or feature) of Dovecot or Thunderbird. Thunderbird
does several strange things on client certificates:

1st) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use plain text auth, Thunderbird offers a
client certificate and login succeeds as configured in Dovecot.
Unfortunately Thunderbird uses same certificate for all configured
accounts to that host. Very bad if Dovecot reads username from
certificate attributes.

2nd) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use TLS-Certificate, Thunderbird also
offers a client certificate, but Dovecot requests login from
Thunderbird. That fails, because Thunderbird assumes TLS-Certificate is
enough for successful log.

If it is true that Dovecot is not compatible to Thunderbirds way of
TLS-Certificate Authentication, I consider to set up a proxy, which
supports that way. May be Nginx would be a solution, it supports IMAP
and LUA module plus some LUA code will fake the authentication. This is
an ugly hack so I would like to avoid that, if anybody has a better
solution. Thunderbird is a very widespread IMAP client so it should not
be ignored.

best regards
Christian

---Dovecot config---

# /opt/dovecot/bin/doveconf -n

# 2.2.12: /opt/dovecot/etc/dovecot-cert/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.4
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_chars
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
auth_username_translation = "@#"
base_dir = /var/run/dovecot-cert
first_valid_uid = 124
last_valid_uid = 124
listen = 192.168.42.1
log_timestamp = %Y-%m-%d %H:%M:%S
login_greeting = example.net imap4/pop3 (cert only) ready.
mail_gid = 124
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = 124
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave imapflags notify
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  list = yes
  location   mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix   separator = /
  type = private
}
passdb {
  args = password=test
  driver = static
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  autocreate = Trash
  autocreate2 = Drafts
  autosubscribe = Trash
  autosubscribe2 = Drafts
  quota = maildir:User quota
  quota_rule = *:storage=500M
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  recipient_delimiter = +
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service anvil {
  client_limit = 4000
}
service auth-worker {
  group = vmail
}
service auth {
  client_limit = 8000
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = dovecot
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 1024
}
service imap-postlogin {
  executable = script-login /opt/cfbin/lastlogin.sh
}
service imap {
  executable = imap imap-postlogin
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  process_limit = 1024
}
service pop3-postlogin {
  executable = script-login /opt/cfbin/lastlogin.sh
}
service pop3 {
  executable = pop3 pop3-postlogin
}
service quota-warning {
  executable = script /opt/cfbin/quota-warning.sh
  user = vmail
}
ssl_ca = </opt/dovecot/etc/dovecot/client-ca.pem
ssl_cert = </opt/dovecot/etc/dovecot/example.net.pem
ssl_cipher_list kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl_dh_parameters_length = 4096
ssl_key = </opt/dovecot/etc/dovecot/example.net.key
ssl_prefer_server_ciphers = yes
ssl_verify_client_cert = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_max_userip_connections = 20
  mail_plugins = quota imap_quota acl imap_acl
}
protocol sieve {
  managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}

Am 25.04.2014 14:56, schrieb Christian Felsing:
> Apr 25 14:29:01 dovecot dovecot: imap-login: Disconnected (no auth
> attempts in 5 secs): user=<>, rip=192.168.1.99, lip=192.168.42.1,
TLS,
> session=<3+1THN33NQBtWq5D>
> 
> Dovecot wants an IMAP login, but Thunderbird does not so. I am not sure
> if that is a bug (or feature) of Dovecot or Thunderbird. Thunderbird
> does several strange things on client certificates:
that is the normal behavior if you force a auth-mech on the client
which the server don't announce - auth-mech and TLS certificicate
are completly different worlds

just configure thunderbird to use plain instead encrypted auth
which means CRAM-MD5 at the end of the day, by default dovecot
only offers PLAIN which is fine inside a TLS connection

you can only support CRAM-MD5 with passwords stored as plain-text

[root at testserver:~]$ doveconf -n | grep -i mech
auth_mechanisms = CRAM-MD5 DIGEST-MD5 APOP LOGIN PLAIN

[root at testserver:~]$ doveconf -d | grep -i mech
auth_mechanisms = plain

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140425/b468c0da/attachment.sig>