[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients

Harondel J. Sibble help at pdscc.com
Wed Oct 22 03:18:14 EEST 2008 

This issue is peripherally related to the following thread

Re: [Dovecot] client certs with godaddy ssl cert

This is running on CentOS 5.2 with latest Atrpms for Dovecot as of this 
weekend.

# rpm -qa | grep dovecot
dovecot-sieve-1.1.5-8.el5
dovecot-1.1.4-0_81.el5

With assistance from Rainer Frey (Inxmail GmbH), I am able to successfully 
use client ssl certs for imap access on both my Nokia e61i and Thunderbird 
2.0.0.17, problem now is dovecot sasl and postfix smtp authentication.

Using the same self created CA that generates and certifies the ssl client 
certs in Postfix and using Dovecot SASL, I always get client didn't send 
proper ssl cert when trying to do a tls based smtp connection from either the 
e61i or tbird.

Cranking up the peer debug level in Postfix, I see the connection is always 
rejected by Dovecot SASL eg


Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15 
got 45
Oct 21 16:39:07 myserver postfix/smtpd[18189]: < 
mycomp.myserver.net[10.11.12.5]: AUTH PLAIN 
********************************************=
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first: 
sasl_method PLAIN, init_response **************************************==
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16 
flush 64
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16 
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply: 
auth reply: FAIL?1?reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: warning: 
mycomp.myserver.net[10.11.12.5]: SASL PLAIN authentication failed: Client 
didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: > 
mycomp.myserver.net[10.11.12.5]: 535 5.7.0 Error: authentication failed: 
Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: watchdog_pat: 0x868a570
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 15 
flush 85
Oct 21 16:39:07 myserver dovecot: auth(default): client in: AUTH       1      
 PLAIN   service=smtp    resp=*********************************************==
Oct 21 16:39:07 myserver dovecot: auth(default): PLAIN(?): Client didn't 
present valid SSL certificate
Oct 21 16:39:07 myserver dovecot: auth(default): client out: FAIL      1      
 reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15 
got 12
Oct 21 16:39:07 myserver postfix/smtpd[18189]: < 
mycomp.myserver.net[10.11.12.5]: AUTH LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first: 
sasl_method LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16 
flush 26
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16 
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply: 
auth reply: FAIL?2?reason=Client didn't present valid SSL certificate

Not sure where to look now, I've configured dovecot and postfix as per their 
respective wiki's

Here are the relevant config entries

/etc/postfix/main.cf

### Oct 11/08 - added to allow dovecot sasl for smtp auth
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_security_options = noanonymous

### Oct 11/08 - added to allow tls smtp authentication with client certs
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server.myserver.net

### these are the self signed CA based authentication keys, this CA created 
### the client certs for the nokia e61i and the Thunderbird 2.0.0.17
smtpd_tls_key_file = /etc/postfix/ssl/server.myserver.net.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.myserver.net.crt
### this is the ca cert and crl combined
smtpd_tls_CAfile = /etc/postfix/ssl/ca1.crt


dovecot -n

# 1.1.4: /etc/dovecot.conf
protocols: imaps pop3s
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt
ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert
ssl_key_file: /etc/pki/tls/private/server.myserver.net.key
ssl_verify_client_cert: yes
ssl_require_client_cert = yes
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: 
mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
auth default:
  mechanisms: plain login
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

Interestingly enough the mode line in the dovecot.conf file is set as 0660, 
not 432 as noted above?!?!?

What else should I be looking at to troubleshoot this issue?
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)

More information about the dovecot mailing list