[Dovecot] Secure Sockets Layer client certificate authentication

Stephen Feyrer steve at toth.org.uk
Mon May 25 16:51:22 EEST 2009


Hi everyone.

Please note, I've asked a very similar question before and I apologize
for sounding like a broken record.  Well, here it goes.

What I want to do is authenticate my users using a certificate, thereby
authenticating both the user and server with strong tokens that are
centrally managed. In the worst case scenario the user should only need
to enter a password for the certificate store, and then the certificate
should trigger the appropriate level of access to their account.

Is Dovecot the correct tool for the job?

If yes then, how?

Else if not, then what would you recommend?


I have tried setting the auth mechanism to anonymous without any joy.
My password file is set with nopassword.  All my certificates work well
with the Secure Sockets Layer system.

This is the configuration I am currently running:
# 1.2.beta1: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl
log_path: /opt/var/log/dovecot.log
info_log_path: /opt/var/log/dovecot-info.log
protocols: imaps
ssl_ca_file: /opt/etc/ssl.ca/cacrl.pem
ssl_cert_file: /opt/etc/ssl.ca/newcerts/imap.cer
ssl_key_file: /opt/etc/ssl.ca/private/imap.key
ssl_parameters_regenerate: 24
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
disable_plaintext_auth: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_user: guest
login_processes_count: 2
login_max_processes_count: 4
mbox_write_locks: fcntl
mail_process_size: 512
imap_client_workarounds: outlook-idle tb-negative-fetch
auth default:
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/h.org/passwd
  userdb:
    driver: passwd

This is a log of a login attempt:
dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/O=home.org/emailAddress=admin at nas2.h.org/L=W/ST=C/C=G/CN=h.org
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/C=G/ST=C/O=h.org/OU=K F/CN=k
dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585
dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH	1	PLAIN
service=imap	secured	valid-client-cert	cert_username=k	lip=10.1.1.245
rip=10.1.1.1	lport=993	rport=53430
dovecot: May 25 11:56:16 Info: auth(default): client out: CONT	1	
dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden>
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
lookup: user=k file=/opt/etc/dovecot/h.org/passwd
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
No password
dovecot: May 25 11:56:16 Info: auth(default): client out: OK	1	user=k
dovecot: May 25 11:56:16 Info: auth(default): master in: REQUEST	6	22164	1
dovecot: May 25 11:56:16 Info: auth(default): passwd(k,10.1.1.1): lookup
dovecot: May 25 11:56:16 Info: auth(default): master out: USER	6	k
system_user=k	uid=500	gid=100	home=/
dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>,
method=PLAIN, rip=10.1.1.1, lip=10.1.1.245, TLS

With this configuration the client will connect over SSL and identify
itself with a certificate, but a client password is still required.



--
Regards

Stephen.
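The auth debug lines quoted in the post carry enough information for an administrator to check, per login, whether the session was really backed by a client certificate (the valid-client-cert flag) and whether the certificate's username matches the account that logged in. The following Python is an added example, not part of the original post or of Dovecot itself; it runs over constructed log lines in the same format, and correlating an AUTH request with its Login line by remote IP is an assumed simplification.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of Dovecot 1.2's auth debug log. Only the
# first pair mirrors the post; the other two are made up to show the checks.
SAMPLE_LOG = (
    "dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH\t1\tPLAIN"
    "\tservice=imap\tsecured\tvalid-client-cert\tcert_username=k"
    "\tlip=10.1.1.245\trip=10.1.1.1\tlport=993\trport=53430\n"
    "dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>, method=PLAIN,"
    " rip=10.1.1.1, lip=10.1.1.245, TLS\n"
    "dovecot: May 25 12:03:01 Info: auth(default): client in: AUTH\t2\tPLAIN"
    "\tservice=imap\tsecured\tlip=10.1.1.245\trip=10.1.1.7\tlport=993\trport=41002\n"
    "dovecot: May 25 12:03:01 Info: imap-login: Login: user=<bob>, method=PLAIN,"
    " rip=10.1.1.7, lip=10.1.1.245, TLS\n"
    "dovecot: May 25 12:10:44 Info: auth(default): client in: AUTH\t3\tPLAIN"
    "\tservice=imap\tsecured\tvalid-client-cert\tcert_username=alice"
    "\tlip=10.1.1.245\trip=10.1.1.9\tlport=993\trport=50111\n"
    "dovecot: May 25 12:10:44 Info: imap-login: Login: user=<mallory>,"
    " method=PLAIN, rip=10.1.1.9, lip=10.1.1.245, TLS\n"
)

# "client in: AUTH <id> <mechanism> <tab-separated flags and key=value fields>"
AUTH_RE = re.compile(r"auth\(default\): client in: AUTH\t\d+\t(\S+)\t(.*)$")
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]*)>, method=(\w+), rip=([\d.]+)")


def audit_logins(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, rip, finding) per completed login. finding is one of
    'cert-backed', 'no-client-cert' (policy says ssl_require_client_cert, so
    this should never appear) or 'cert-user-mismatch' (cert_username differs
    from the account actually logged in)."""
    pending: Dict[str, dict] = {}  # rip -> fields of the most recent AUTH request
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            fields = m.group(2).split("\t")
            flags = {f for f in fields if "=" not in f}          # e.g. secured
            kv = dict(f.split("=", 1) for f in fields if "=" in f)
            pending[kv.get("rip", "")] = {"flags": flags, "kv": kv}
            continue
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, _method, rip = m.groups()
        req = pending.pop(rip, None)
        if req is None or "valid-client-cert" not in req["flags"]:
            findings.append((user, rip, "no-client-cert"))
        elif req["kv"].get("cert_username") != user:
            findings.append((user, rip, "cert-user-mismatch"))
        else:
            findings.append((user, rip, "cert-backed"))
    return findings
```

Run against the sample, the first login is reported as cert-backed, the second as having no client certificate at all, and the third as a mismatch between the certificate's user and the account used.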