Displaying 20 results from an estimated 77 matches for "auth_ssl_username_from_cert".
2014 May 03
1
%{orig_user} missing in checkpassword-Script
Dear dovecot maintainers:
I'm using SSL client certificates together with a checkpassword script
to authenticate our users.
My problem is: In the checkpassword script the AUTH_USER environment
variable will either contain the username that was configured in the
mailclient (if auth_ssl_username_from_cert=false) or the username
from the certificate (if auth_ssl_username_from_cert=true).
I would like to compare both values, i.e. the %{user} Dovecot-variable
and the %{orig_user} Dovecot-variable. But the environment of a
checkpassword-script has only one of them.
I tried myself and found the followi...
2014 Mar 27
0
%{orig_user} missing in checkpassword-Script
...ort will ignore the password; if he does not send a client
certificate but uses his OTP token, then my checkpassword script will check
whether the password is a correct one-time password.
My problem is: the AUTH_USER variable will either contain the username that
was configured in the mailclient (if auth_ssl_username_from_cert=false) or
the username from the certificate (if auth_ssl_username_from_cert=true).
I would like to compare both values, i.e. the %{user} Dovecot-variable and
the %{orig_user} Dovecot-variable. But the environment of a
checkpassword-script has only one of them.
Any ideas?
I tried to change the so...
2019 May 16
1
Mutual auth and MS Outlook
I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL
and client certificates enabled. In Dovecot, I have the following options
enabled:
ssl_ca = ...
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
When I try to connect with Outlook, I get:
May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't send a
cert): user=<>, method=PLAIN, rip=192.168.1.245, lip=192.168.2.5, TLS:
Disconnected, session=<is7gpa+Im97AqAH1>
But when I use openssl directly w...
2009 Nov 02
2
X.509 certificate based IMAP login
Hello list,
The dovecot version is 1.2.6 running on Solaris x86 11 (nv-b91).
The relevant configuration lines are:
passdb ldap { # LDAP database (doc/wiki/AuthDatabase.LDAP.txt.)
args = /pfx/etc/dovecot/dovecot-ldap.conf
}
The file dovecot-ldap.conf is correct and LDAP authentication is
working well.
We would like to make it possible for users with an X.509 client
certificate to log in
2019 Mar 31
1
Why is 'sent' folder missing in my MUA(email client)
...and dovecot, but
folder name 'Sent' is gone, all sent emails are located in Drafts folder.
Anything wrong? Guess it has something to do with mailbox and location.
Here is `doveconf -n`
------------------
auth_cache_size = 1 M
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
auth_verbose_passwords = yes
import_environment = TZ
login_trusted_networks = 172.16.0.0/12
mail_location = maildir:/var/mail/%n/Maildir
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk...
2018 Feb 01
2
Why does dovecot reject password when authorizing by a certificate?
...>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
My configuration:
# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Ju...
2019 Feb 05
0
CVE-2019-3814: Suitable client certificate can be used to login as other user
...the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.
This affects only installations using:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
Attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates. This could happen for
example if ssl_cert_username_field is a field that normally doesn't
exist, and atta...
2014 Oct 03
2
Thunderbird ignores some folders
...ls = imap
listen = *
base_dir = /var/dovecot/
mail_location = maildir:/mail/%u:LAYOUT=fs
ssl_cert = </etc/ssl/certs/naev+chain.crt
ssl_key = </etc/ssl/private/naev.key
ssl_ca = </etc/ssl/certs/naev-ca.crt
ssl_verify_client_cert = yes
ssl_cert_username_field = x500UniqueIdentifier
auth_ssl_username_from_cert = yes
service imap-login {
inet_listener imap {
port = 0
}
}
service auth {
client_limit = 4096
}
service anvil {
client_limit = 5000
}
passdb {
driver = checkpassword
args = /usr/dovecot/bin/checkpassword
}
userdb {
driver = passwd
override_fields = home=/mail/%...
2010 Dec 15
2
ssl enabled, but ssl_cert not set ( 2.0.7 freebsd 8.1 )
...Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aN...
2020 Aug 20
3
dovecot-SASL for Postfix: EXTERNAL does not work.
...opassword
}
passdb {
driver = passwd-file
args = /etc/dovecot/pass.db
}
userdb {
driver = passwd
}
which are effectively the same except that one does not have
passwords while the other has, I can use EXTERNAL (with and
without additional user-via-protocol) in combination with
auth_ssl_username_from_cert=yes and it just works!
Whereas EXTERNAL works just fine for IMAP and POP3, it does not for
SMTP. Last year when I did it I saw a postfix ML thread in
action, so I have not looked further into that. Looking again
with things unchanged in the postfix 3.5 that they mentioned by
then I think, I now p...
2014 May 05
2
Broken IMAPS Connects Create Lingering imap-login Processes
....9-7.el6 with a
small patch to disable the IMAP CREATE command, and
openssl-1.0.1e-16.el6_5.7) and distribute standard client software to
customer( site)s.
The clients do IMAPS connects in regular intervals (no IDLE, no
lingering logins) and authenticate with certs issued by a dedicated PKI
("auth_ssl_username_from_cert = yes" and a static global password).
One of the customers has a major networking problem that hasn't been
fully analyzed yet. Sniffing his IMAPS connects on the server side, I
see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen;
instead, after ~60s, we receive a singl...
2020 Aug 20
2
dovecot-SASL for Postfix: EXTERNAL does not work.
...mber of them)?
|
| Wietse
| Wietse
--End of <4BXSTk189nzJrP3 at spike.porcupine.org>
I think I will spend some time tomorrow and try to do some
coding with postfix. Let's see whether the immediate response of
EXTERNAL can work with dovecot's SASL, even in conjunction with
auth_ssl_username_from_cert=yes that is!
Otherwise I think what he says here.
|You could try out dovecot submission service. It should work better \
|with EXTERNAL.
For the internal test network this may really be an option. But
for my web vm: ach, I am not an administrator, it is a pain to get
used to all that. In real l...
2018 Feb 18
0
SASL LOGIN mechanism with nopassword
Hi list,
I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when nopassword is set.
dovecot-2.2.18
auth_mechanisms = plain login
ssl = required
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n
  override_fields = password=
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  args = /etc/dovecot/dov...
2010 Dec 15
1
Dovecot 2.0.8 doesn't recognize auth user format
My configuration file has these lines:
# doveconf | grep user
auth_anonymous_username = anonymous
auth_master_user_separator =
auth_socket_path = auth-userdb
auth_ssl_username_from_cert = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu <-----(in version 1.2.10 this work fine)
auth_username_translation =
default_internal_user = dovecot
default_login_user = dovenull
director_user_expire = 15 mins
login_log_fo...
2014 Jun 23
0
Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth
Hi there,
As of Dovecot 2.2.9, it's possible to enable passwordless authentication
using client certificates [1]:
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_username_from_cert = yes
(Password checking can be bypassed by returning the extra fields
"password= nopassword" in the passdb when the variable "%k" expands to
"valid".)
However this requires the server admin to set up a PKI. Having
a variable %{x509} expanding to the X.509 client cert in Dovecot-auth...
2018 Feb 01
0
Why does dovecot reject password when authorizing by a certificate?
...0.1.1.99, TLS,
> session=<fp5P5SBkhtMKAQE7>
>
> My configuration:
> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
> auth_debug = yes
> auth_mechanisms = plain login external
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
> auth_username_format = %Ln
> auth_verbose = yes
> disable_plaintext_auth = no
> lda_mailbox_autocreate = yes
> mail_debug = yes
> mail_gid = 999
> mail_location = maildir:/mnt/mail/%n
> mail_uid = 999
> namespace inbox {
>   inbox = yes
>   location =
>   ...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi,
I came up with the following patch while trying to figure out a good solution
for the situation described in Debian bug #871987[1]. In short, OpenSSL in
Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients
2012 Aug 16
1
Postfix & Dovecot: Client certificate authentication
...'t send the client certificate to Dovecot. What do you think? What is wrong?
Below is some information about my configuration:
OS: RHEL5
Postfix: 2.7.3
Dovecot: 2.0.14
Dovecot config:
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_verbose = yes
mail_debug = yes
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = none
service auth {
  unix_listener /data/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
ssl = required
ssl_ca = </etc/dovec...
2018 Feb 01
0
Why does dovecot reject password when authorizing by a certificate?
...;
>> My configuration:
>> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
>> # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
>> auth_debug = yes
>> auth_mechanisms = plain login external
>> auth_ssl_require_client_cert = yes
>> auth_ssl_username_from_cert = yes
>> auth_username_format = %Ln
>> auth_verbose = yes
>> disable_plaintext_auth = no
>> lda_mailbox_autocreate = yes
>> mail_debug = yes
>> mail_gid = 999
>> mail_location = maildir:/mnt/mail/%n
>> mail_uid = 999
&g...