search for: auth_ssl_username_from_cert

Displaying 20 results from an estimated 77 matches for "auth_ssl_username_from_cert".

2014 May 03
1
%{orig_user} missing in checkpassword-Script
Dear dovecot maintainers: I'm using SSL client certificates together with a checkpassword script to authenticate our users. My problem is: In the checkpassword script the AUTH_USER environment variable will either contain the username that was configured in the mailclient (if auth_ssl_username_from_cert=false) or the username from the certificate (if auth_ssl_username_from_cert=true). I would like to compare both values, i.e. the %{user} Dovecot-variable and the %{orig_user} Dovecot-variable. But the environment of a checkpassword-script has only one of them. I tried myself and found the followi...
2014 Mar 27
0
%{orig_user} missing in checkpassword-Script
...ort will ignore the password, if he does not send a client certificate but uses his OTP-token then my checkpassword script will check whether the password is a correct one time password. My problem is: the AUTH_USER variable will either contain the username that was configured in the mailclient (if auth_ssl_username_from_cert=false) or the username from the certificate (if auth_ssl_username_from_cert=true). I would like to compare both values, i.e. the %{user} Dovecot-variable and the %{orig_user} Dovecot-variable. But the environment of a checkpassword-script has only one of them. Any ideas? I tried to change the so...
2019 May 16
1
Mutual auth and MS Outlook
I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL and client certificates enabled. In Dovecot, I have the following options enabled: ssl_ca = ... ssl_verify_client_cert = yes auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes when I try to connect with Outlook, I get: May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't send a cert): user=<>, method=PLAIN, rip=192.168.1.245, lip=192.168.2.5, TLS: Disconnected, session=<is7gpa+Im97AqAH1> But when I use openssl directly w...
2009 Nov 02
2
X.509 certificate based IMAP login
Hello list, The dovecot version is 1.2.6 running on Solaris x86 11 (nv-b91). The relevant configuration lines are: passdb ldap { # LDAP database (doc/wiki/AuthDatabase.LDAP.txt.) args = /pfx/etc/dovecot/dovecot-ldap.conf } The file dovecot-ldap.conf is correct and LDAP authentication is working well. We would like to make it possible for users with an X.509 client certificate to log in
2019 Mar 31
1
Why is 'sent' folder missing in my MUA(email client)
...and dovecot, but folder name 'Sent' is gone, all sent emails are located in Drafts folder. Anything wrong? Guess it has something to do with mailbox and location. Here is `doveconf -n` ------------------ auth_cache_size = 1 M auth_debug_passwords = yes auth_mechanisms = plain login auth_ssl_username_from_cert = yes auth_verbose = yes auth_verbose_passwords = yes import_environment = TZ login_trusted_networks = 172.16.0.0/12 mail_location = maildir:/var/mail/%n/Maildir mail_privileged_group = mail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk...
2018 Feb 01
2
Why does dovecot reject password when authorizing by a certificate?
...>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7> My configuration: # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs auth_debug = yes auth_mechanisms = plain login external auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes auth_username_format = %Ln auth_verbose = yes disable_plaintext_auth = no lda_mailbox_autocreate = yes mail_debug = yes mail_gid = 999 mail_location = maildir:/mnt/mail/%n mail_uid = 999 namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Ju...
2019 Feb 05
0
CVE-2019-3814: Suitable client certificate can be used to login as other user
...the earlier versions will take the username from the user provided authentication fields (e.g. LOGIN command). If there is no additional password verification, this allows the attacker to login as anyone else in the system. This affects only installations using: auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes Attacker must also have access to a valid trusted certificate without the ssl_cert_username_field in it. The default is commonName, which almost certainly exists in all certificates. This could happen for example if ssl_cert_username_field is a field that normally doesn't exist, and atta...
2014 Oct 03
2
Thunderbird ignores some folders
...ls = imap listen = * base_dir = /var/dovecot/ mail_location = maildir:/mail/%u:LAYOUT=fs ssl_cert = </etc/ssl/certs/naev+chain.crt ssl_key = </etc/ssl/private/naev.key ssl_ca = </etc/ssl/certs/naev-ca.crt ssl_verify_client_cert = yes ssl_cert_username_field = x500UniqueIdentifier auth_ssl_username_from_cert = yes service imap-login { inet_listener imap { port = 0 } } service auth { client_limit = 4096 } service anvil { client_limit = 5000 } passdb { driver = checkpassword args = /usr/dovecot/bin/checkpassword } userdb { driver = passwd override_fields = home=/mail/%...
2010 Dec 15
2
ssl enabled, but ssl_cert not set ( 2.0.7 freebsd 8.1 )
...Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName # How often to regenerate the SSL parameters file. Generation is quite CPU # intensive operation. The value is in hours, 0 disables regeneration # entirely. #ssl_parameters_regenerate = 168 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aN...
2020 Aug 20
3
dovecot-SASL for Postfix: EXTERNAL does not work.
...opassword } passdb { driver = passwd-file args = /etc/dovecot/pass.db } userdb { driver = passwd } which are effectively the same except that one does not have passwords while the other has, i can use EXTERNAL (with and without additional user-via-protocol in combination with auth_ssl_username_from_cert=yes and it just works! Whereas EXTERNAL works just fine for IMAP and POP3 it does not for SMTP. Last year when i did it i saw a postfix ML thread in action, so i have not looked further into that. Looking again with things unchanged in the postfix 3.5 that they mentioned by then i think, i now p...
2014 May 05
2
Broken IMAPS Connects Create Lingering imap-login Processes
....9-7.el6 with a small patch to disable the IMAP CREATE command, and openssl-1.0.1e-16.el6_5.7) and distribute standard client software to customer( site)s. The clients do IMAPS connects in regular intervals (no IDLE, no lingering logins) and authenticate with certs issued by a dedicated PKI ("auth_ssl_username_from_cert = yes" and a static global password). One of the customers has a major networking problem that hasn't been fully analyzed yet. Sniffing his IMAPS connects on the server side, I see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen; instead, after ~60s, we receive a singl...
2020 Aug 20
2
dovecot-SASL for Postfix: EXTERNAL does not work.
...mber of them)? | | Wietse | Wietse --End of <4BXSTk189nzJrP3 at spike.porcupine.org> I think i will spend some time tomorrow and try to do some coding with postfix. Let's see whether the immediate response of EXTERNAL can work with dovecot's SASL, even in conjunction with auth_ssl_username_from_cert=yes that is! Otherwise i think what he says here. |You could try out dovecot submission service. It should work better \ |with EXTERNAL. For the internal test network this may really be an option. But for my web vm: ach, i am not an administrator, it is pain to get used to all that. In real l...
2018 Feb 18
0
SASL LOGIN mechanism with nopassword
Hi list, I've noticed dovecot pop3 does not request the password with 'AUTH LOGIN' when nopassword is set. dovecot-2.2.18 auth_mechanisms = plain login ssl = required auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext default_fields = nopassword=yes userdb_uid=vmail userdb_gid=vmail userdb_home=/var/spool/vmail/%d/%n override_fields = password= } userdb { driver = prefetch } userdb { driver = ldap args = /etc/dovecot/dov...
2010 Dec 15
1
Dovecot 2.0.8 doesn't recognize auth user format
My configuration file has these lines: # doveconf | grep user auth_anonymous_username = anonymous auth_master_user_separator = auth_socket_path = auth-userdb auth_ssl_username_from_cert = no auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ auth_username_format = %Lu <-----(in version 1.2.10 this works fine) auth_username_translation = default_internal_user = dovecot default_login_user = dovenull director_user_expire = 15 mins login_log_fo...
2014 Jun 23
0
Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth
Hi there, As of Dovecot 2.2.9, it's possible to enable passwordless authentication using client certificates [1]: ssl_ca = </etc/ssl/ca.pem ssl_verify_client_cert = yes auth_ssl_username_from_cert = yes (Password checking can be bypassed by returning the extra fields "password= nopassword" in the passdb when the variable "%k" expands to "valid".) However this requires the server admin to set up a PKI. Having a variable %{x509} expanding to the X.509 client cert in Dovecot-auth...
2018 Feb 01
0
Why does dovecot reject password when authorizing by a certificate?
...0.1.1.99, TLS, > session=<fp5P5SBkhtMKAQE7> > > My configuration: > # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf > # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs > auth_debug = yes > auth_mechanisms = plain login external > auth_ssl_require_client_cert = yes > auth_ssl_username_from_cert = yes > auth_username_format = %Ln > auth_verbose = yes > disable_plaintext_auth = no > lda_mailbox_autocreate = yes > mail_debug = yes > mail_gid = 999 > mail_location = maildir:/mnt/mail/%n > mail_uid = 999 > namespace inbox { > inbox = yes > location = > ...
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients
2012 Aug 16
1
Postfix & Dovecot: Client certificate authentication
...;t send the client certificate to Dovecot. What do you think? What is wrong? Below is some information about my configuration: OS: RHEL5 Postfix: 2.7.3 Dovecot: 2.0.14 Dovecot config: auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes auth_verbose = yes mail_debug = yes passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } protocols = none service auth { unix_listener /data/postfix/private/auth { group = postfix mode = 0660 user = postfix } user = root } ssl = required ssl_ca = </etc/dovec...
2018 Feb 01
0
Why does dovecot reject password when authorizing by a certificate?
...; >> My configuration: >> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf >> # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs >> auth_debug = yes >> auth_mechanisms = plain login external >> auth_ssl_require_client_cert = yes >> auth_ssl_username_from_cert = yes >> auth_username_format = %Ln >> auth_verbose = yes >> disable_plaintext_auth = no >> lda_mailbox_autocreate = yes >> mail_debug = yes >> mail_gid = 999 >> mail_location = maildir:/mnt/mail/%n >> mail_uid = 999 &g...