dovecot - Aug 2019 - IMAP frontend authenticating proxy with GSSAPI/Kerberos SSO

Hi,

My IMAP backend server is lacking SSO authentication, so I am
trying to set up Dovecot in front of it as an authenticating proxy.
Fortunately, my backend server provides a way to ignore the
password provided and will simply trust the username given to
be authenticated, using plain login authentication. I'm struggling
with setting this up, as it seems to me that as soon as I enable
GSSAPI/Kerberos SSO in Dovecot it ignores my passdb proxy
settings and it creates a local mail store instead.

Is this behavior intentional, and why?

See also my Q on Serverfault.com [1], where some user has
reported this set up to be working with the same backend server
and provided some hints, but I believe I'm hitting a combination
that cannot be working with this version.

Dovecot version: v2.3.4.1 (from Debian Buster)

dovecot -n (I'm using only a single flat file dovecot.conf):
====# dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.15.0-46-generic x86_64 Debian 10.0 overlay
# Hostname: imap.sub.mydomain.tld
auth_debug = yes
auth_default_realm = MY-REALM.DOMAIN.TLD
auth_gssapi_hostname = imap.sub.mydomain.tld
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_realms = MY-REALM.DOMAIN.TLD
auth_username_format = %n
auth_verbose = yes
log_path = /dev/stderr
mail_gid = 65534
mail_location = mbox:/tmp
mail_uid = 65534
passdb {
  args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
  driver = static
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot-ssl/cert.crt
ssl_cipher_list
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
====
My comments are lost with "dovecot -n", so here I repeat some
why's.
====# uid/gid of nobody or else:
# imap(username)<15><6SCG0QOPgtcKAAYE>: Error: Couldn't drop
privileges: User is missing UID (see mail_uid setting)
mail_uid = 65534
mail_gid = 65534

# Have to set dummy mail_location or else:
# Error: mail_location not set and autodetection failed: Mail storage
autodetection failed with home=(not set)
mail_location = mbox:/tmp
====
(Ideally, I don't want to set any local storage storage, Dovecot should
just be a proxy in my case.)

Log, debug enabled, with client connecting:
====master: Info: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap
auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
auth: Debug: auth client connected (pid=9)
auth: Debug: client in: AUTH    1       GSSAPI  service=imap
secured=tls     session=9WOjSwWP8toKAAYE        lip=9.9.9.9
rip=1.2.3.4    lport=143       rport=56050
local_name=sub.mydomain.tld
ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256  ssl_cipher_bits=128
ssl_pfs=KxECDHE ssl_protocol=TLSv1.2
auth: Debug: gssapi(?,1.2.3.4,<9WOjSwWP8toKAAYE>): Obtaining
credentials for imap at sub.mydomain.tld
auth: Debug: client passdb out: CONT    1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(username,1.2.3.4,<9WOjSwWP8toKAAYE>): security
context state completed.
auth: Debug: client passdb out: CONT    1       YIGZBgkqhki[...]7Bm1G
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(username,1.2.3.4,<9WOjSwWP8toKAAYE>): Negotiated
security layer
auth: Debug: client passdb out: CONT    1       BQQF/w[...]yjNOoauth: Debug:
client in: CONT<hidden>
auth: Debug: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): lookup
auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No password
returned (and no nopassword)
auth: Debug: client passdb out: OK      1       user=username
original_user=username at MY-REALM.DOMAIN.TLD
auth: Debug: master in: REQUEST 3940810753      9       1
740b6a075ea21dbe10397f3734262bbe        session_pid=12
request_auth_token
auth: Debug: master userdb out: USER    3940810753      username
     auth_token=d1503de7036a68a85ea9db25f32bc9df3ebf08a8
auth_user=username at MY-REALM.DOMAIN.TLD
imap-login: Info: Login: user=<username>, method=GSSAPI, rip=1.2.3.4,
lip=9.9.9.9, mpid=12, TLS, session=<9WOjSwWP8toKAAYE>
====
The good news is that everything related to Kerberos/GSSAPI
authentication seems to work fine!
Noteworthy in the above output I think is the line
"auth: Debug: client passdb out: ..." which does not mention
any proxy related settings any longer which aligns with my
observations:

- The client is then logged into an empty mailbox in local
  storage. Not okay.
- No attempt to connect to my backend server is made
  (checked with tcpdump). Not okay.

Somehow I start to believe that as soon as I set
auth_mechanisms = gssapi, any args/field in passdb are
ignored. Is that a bug or am I looking at a feature?

What else have I tried:

- Using imapc proxy [2], but that example config does not work
  in my Dovecot version with the error:
    auth: Error: prefetch(username,1.2.3.4,): userdb lookup not
possible with only userdb prefetch
- Using a passdb with master=yes and pass=yes.
    passdb {
      driver = static
      args = proxy=y host=127.0.0.1 port=1143 pass=dummypass
      master = yes
      pass = yes
    }
  This fails with the error:
    auth: Fatal: Master passdb can't have pass=yes if there are no passdbs
    master: Error: service(auth): command startup failed, throttling for 2 secs
    imap-login: Info: Disconnected: Auth process broken (disconnected
before auth was ready, waited 0 secs): user=<>, rip=1.2.3.4,
lip=9.9.9.9, session=<0i46qgWPntsKAAYE>
    imap-login: Warning: Timeout leak: 0x7efe483e8120
(auth-server-connection.c:397)


Any help or clues are very much appreciated. Thanks!

[1]: https://serverfault.com/q/951010/135437
[2]: https://wiki.dovecot.org/HowTo/ImapcProxy

Gert van Dijk

On 1 Aug 2019, at 12.26, Gert van Dijk via dovecot <dovecot at
dovecot.org> wrote:
> 
> passdb {
>  args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
..
> auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No password
> returned (and no nopassword)
I think this is why it's not using the passdb at all. Try adding
password=something to the args.

On Thu, Aug 1, 2019 at 3:42 PM Timo Sirainen <timo at sirainen.com>
wrote:
>
> On 1 Aug 2019, at 12.26, Gert van Dijk via dovecot <dovecot at
dovecot.org> wrote:
> >
> > passdb {
> >  args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
> ..
> > auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No
password
> > returned (and no nopassword)
>
> I think this is why it's not using the passdb at all. Try adding
password=something to the args.
Thanks for your quick reply.

    passdb {
      driver = static
      args = proxy=y host=127.0.0.1 port=1143 pass=masterpass password=something
    }

indeed does the trick:

    imap-login: Info: proxy(username): started proxying to
127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4,
lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>

Also nopassword=y instead of password=something works, which I think
is even better.

I was also able to remove the mail_location / mail_uid / mail_gid settings. :-)

Thanks a million!

(I now have a new error, listing subfolders errors in IMAP clients. Oh well...,
another thing to dive in another time.)

Gert van Dijk