[Dovecot] Thunderbird SSL/TLS client authentication fails - solved with workaround
Roger Hunen
rhunen at xs4all.nl
Mon Dec 3 14:41:11 EET 2012
On 2012/12/02 22:18, Daniel Parthey wrote:
> Roger Hunen wrote:
>> I am seeking your help with SSL/TLS client authentication.
>> Unfortunately the authentication fails :(
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
>
> "You may also want to disable the password checking completely. Doing this
> currently circumvents Dovecot's security model so it's not recommended to use
> it, but it is possible by making the passdb allow logins using any password
> (typically requiring "nopassword" extra field to be returned)."
>
> See http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

This sounded like a bad idea at first as it would allow webmail users
to log on without entering a password. However, your suggestion made me
think (and go!) in a direction that I would not have gone on my own.
Thank you for that!

First things first: the solution/workaround :)

* Create two passwd style files
  - mailusers.143 with password and without 'nopassword' extra field
  - mailusers.993 without password but with 'nopassword' extra field
* Configure a passdb (driver=passwd-file) that selects the password
  database file using the %a variable (local port): mailusers.%a

My Dovecot setup now
* does not require a valid password for connections to the imaps
  port (993); the username is taken from the certificate that is
  issued by a trusted CA.
* does require a password for connections to the imap port (143).

Currently the system supports very few users, so working with two
passwd files is not a problem. For the future I plan to use a mysql
database with two different queries on the same table based on the
local port number.

For those who are interested: read on for some more findings...

* As far as I can tell (from docs and source) Dovecot supports only
  username/password based authentication schemes. There is no such
  thing as certificate based authentication (unless I have overlooked
  something or it is undocumented).
* Even if 'auth_ssl_username_from_cert=yes' Dovecot will only take
  the username from the certificate if the client sends username and
  password to log on.
* When configured to use "TLS Certificate" authentication Thunderbird
  will not send a username/password to log on. Thunderbird considers
  the authentication done once the SSL handshake has completed. Given
  the above this is a recipe for failure.
* With 'auth_ssl_username_from_cert=yes' Dovecot will ignore the given
  username and use the designated field in the certificate instead
  (usually commonName). Together with the 'nopassword' extra field a
  certificate based authentication scheme can be implemented. The
  client must be configured to use username and password (which will
  be completely ignored by Dovecot as intended in such a setup).
* Dovecot will log an error if a passwd file record has a non-empty
  password and the 'nopassword' extra field is present. Either can
  be present but not both.
* Dovecot will log an error "input is missing end-of-settings line"
  if the configuration contains a setting with a name that is not
  valid in the given context. Something like "Invalid setting 'x'
  at line y" would be more helpful to pinpoint the problem.
* Dovecot documentation is sparse in many respects which makes it
  difficult to use Dovecot to its full potential. I realize though
  that resources are at a premium and that writing documentation
  is not everybody's cup of tea. From a documentation point of view
  Exim4 is an excellent example.

Regards,
-Roger
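The port-selected passdb described in the post, written out as an added configuration example (not Roger's actual files); the user name, password hash, file paths and the CA/certificate settings are assumptions. It includes ssl_require_client_cert, because the 993 passwd file accepts any password, so a connection on that port must not be admitted without a certificate the CA vouches for.

```conf
# /etc/dovecot/conf.d/10-auth.conf (assumed path) -- added example, not from the post
ssl = yes
ssl_cert = </etc/ssl/certs/imap.example.net.pem        # assumed server cert
ssl_key  = </etc/ssl/private/imap.example.net.key      # assumed server key
ssl_ca   = </etc/ssl/certs/client-ca.pem               # assumed CA that issues client certs

# Refuse TLS sessions with no valid client certificate. Without this, a client
# that presents no certificate on 993 keeps the username it sent itself and the
# 'nopassword' entry below would let it in with any password. This setting is
# global, so it also applies to STARTTLS on 143; confirm that suits the
# password users there before relying on it.
ssl_require_client_cert = yes

# Take the login name from the certificate; the field defaults to commonName.
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

# One passdb; %a expands to the local port, so the file name selects the policy:
# mailusers.143 holds real password hashes, mailusers.993 carries 'nopassword'.
passdb {
  driver = passwd-file
  args = /etc/dovecot/mailusers.%a
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/%u         # assumed mail layout
}

# /etc/dovecot/mailusers.143 -- plain IMAP: a password is required.
# Fields: user:password:uid:gid:gecos:home:shell:extra_fields
#   alice:{SHA512-CRYPT}$6$PLACEHOLDER-HASH$::::::
#
# /etc/dovecot/mailusers.993 -- imaps: empty password plus the 'nopassword'
# extra field (a non-empty password together with 'nopassword' is an error).
# The name 'alice' must equal the commonName in the client certificate.
#   alice:::::::nopassword
```

The two passwd-style lines are shown as comments so the fragment can be pasted into one file; copy each into the file named in its comment.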