yuryb
2018-Feb-01 10:08 UTC
Why does dovecot reject password when authorizing by a certificate?
I have added "auth_debug_password=yes" to "10-logging.conf"
and restarted dovecot. But I do not see any information about the password in
the logs. Does this mean that the thunderbird does not send the
password? Although it asks for the password and I enter one.
New log:
dovecot: master: Warning: Killed with signal 15 (by pid=19769 uid=0 code=kill)
dovecot: master: Dovecot v2.2.24 (a82c823) starting up for imap, pop3
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd:
user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
session=<pOTtkSNkxNoKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>,
rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<pOTtkSNkxNoKAQE7>):
Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 99 secs):
user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS,
session=<pOTtkSNkxNoKAQE7>
Try adding auth_debug_password=yes
Aki
On 01.02.2018 10:27, yuryb wrote:
We have FreeBSD-server with dovecot installed on it as IMAP-server. My user and
password database is a text file with plaintext passwords. Clients connect to
imap-server via TLS protocol and plaintext password. All works fine. But I want
to configure ability to authorize with client certificates. I have generated a
client certificate and imported it to email-client. Also I have configured
dovecot to verify client certificates. But email-client cannot
authorize: Password mismatch. Why does dovecot reject my password in this case?
Please help!
My log:
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso
Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>,
rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>):
Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS,
session=<fp5P5SBkhtMKAQE7>
My configuration:
# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64  ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imaps {
    ssl = yes
  }
}
ssl_ca = </etc/ssl/cacert.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_require_crl = no
ssl_verify_client_cert = yes
userdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
verbose_ssl = yes
Aki Tuomi
2018-Feb-01 10:09 UTC
Why does dovecot reject password when authorizing by a certificate?
You probably need to also enable
auth_debug=yes
auth_verbose=yes
also, are you sure you just don't have wrong password?
Aki
On 01.02.2018 12:08, yuryb wrote:
> I have added "auth_debug_password=yes" to "10-logging.conf" and
> restarted dovecot. But I do not see any information about the password
> in the logs. Does this mean that the thunderbird does not send the
> password? Although it asks for the password and I enter one.
> New log:
> dovecot: master: Warning: Killed with signal 15 (by pid=19769 uid=0
> code=kill)
> dovecot: master: Dovecot v2.2.24 (a82c823) starting up for imap, pop3
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso
> Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
> session=<pOTtkSNkxNoKAQE7>
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
> Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>,
> rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
> dovecot: auth: passwd-file(sysadmin,10.1.1.59,<pOTtkSNkxNoKAQE7>):
> Password mismatch
> dovecot: imap-login: Disconnected (auth failed, 1 attempts in 99
> secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99,
> TLS, session=<pOTtkSNkxNoKAQE7>
>
> Try adding auth_debug_password=yes
>
> Aki
>
>
> On 01.02.2018 10:27, yuryb wrote:
>> We have FreeBSD-server with dovecot installed on it as
>> IMAP-server. My user and password database is a text file with
>> plaintext passwords. Clients connect to imap-server via TLS
>> protocol and plaintext password. All works fine. But I want to
>> configure ability to authorize with a client certificates. I have
>> generated a client certificate and imported it to email-client.
>> Also I have configured dovecot to verify client certificates. But
>> email-client cannot authorize: Password mismatch. Why dovecot
>> reject my password in this case? Please help!
yuryb
2018-Feb-01 10:38 UTC
Why does dovecot reject password when authorizing by a certificate?
My configuration already contained these parameters (auth_debug=yes and
auth_verbose=yes). I enter the same password in case of SSL-authorization and in
case of authorization by certificate. In the first case the password was accepted, in
the second case the password was rejected. I have no ideas.
--- Original message ---
From: "Aki Tuomi" <aki.tuomi at dovecot.fi>
Date: 1 February 2018, 12:09:05
You probably need to also enable
auth_debug=yes
auth_verbose=yes
also, are you sure you just don't have wrong password?
Aki