[Dovecot] SSL Certificates

Stephen Feyrer steve at toth.org.uk
Sat Aug 9 00:06:10 EEST 2008


Hi Timo.

Thanks, I will persevere.  I would like to point out that I'm only using
PAM as it seems the best way to get email to system users.  I am open
to another method that might work.

This was my pam.d/imap file

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $

auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth



My pam.d/imap file now looks like this.

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $

#auth       required     pam_nologin.so
auth       required     pam_allow.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth

This fails the authentication.

When it looks like this, it also fails authentication.  (I just thought
I'd give it a go.)

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $

auth       required     pam_nologin.so
auth       required     pam_allow.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth

--
kind regards

Stephen.


Timo Sirainen wrote:
> On Aug 7, 2008, at 5:33 PM, Stephen Feyrer wrote:
> 
>> Timo Sirainen wrote:
>>> On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:
>>>> Hi anyone.
>>>>
>>>> Can dovecot be configured to authenticate users using only SSL 
>>>> certificates and not ask for a password?
>>>>
>>>> So far I've got it taking the username from the common name of the 
>>>> certificate, but I'd like it to use the certificate in place of the 
>>>> password.
>>>>
>>>> Is this possible and how?
>>> If you're that far, then you're already authenticating the user 
>>> against the certificate. Or assuming you have 
>>> ssl_require_client_cert=yes. Then just create a passdb that accepts 
>>> any password as valid for the user (nopassword=yes extra field).
>>> In theory there's also this EXTERNAL SASL mechanism that could be 
>>> used to log in without user/pass, but Dovecot doesn't currently 
>>> support that and I'm not aware of any clients supporting it either.
>>
>> Hi Timo.
>>
>> I am authenticating the user against the certificate as you say and do 
>> have ssl_require_client_cert=yes.
>>
>> I'm using PAM to authenticate against my user database at the moment. 
>> I'm still baffled... :)
> 
> If you only want to allow users to log in with certificates, then just 
> change the PAM configuration file to be something like (not tested, and 
> my PAM knowledge isn't too good):
> 
> auth    required        pam_allow.so
> 
> Although it would be nice to be able to verify that the user still 
> exists, but you could do that with certificate revocation lists also..
