[Dovecot] Testing EXTERNAL AUTHENTICATION
Stephen Feyrer
steve at toth.org.uk
Wed Mar 17 00:04:09 EET 2010
Hi.
The tests using SASL and SASL-IR in Thunderbird both fail to
authenticate. I have tried using openssl s_client with the same result.
I've run the auth command in three ways just to be sure I got the second
example right. I even checked that I've spelt my name right, including
the case of the letters.
# dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
postmaster_address: postmaster at ksudra.net
auth default:
mechanisms: EXTERNAL
realms: ksudra.net
default_realm: ksudra.net
user: admin
verbose: yes
debug: yes
ssl_require_client_cert: yes
ssl_username_from_cert: yes
passdb:
driver: passwd-file
args: /opt/etc/dovecot/passwd
userdb:
driver: passwd
/opt/etc/dovecot/passwd
Stephen:{EXTERNAL}
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL =
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE
$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4):
lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1
user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE
Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=35721
Mar 16 21:40:38 auth(default): Info: client out: CONT 1
Mar 16 21:40:40 auth(default): Info: client in: CONT<hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4):
lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL 1
user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 =
01 NO [ALERT] Invalid base64 data in continued response
DONE
Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT 1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid
base64 data in continued response
Mar 16 21:42:35 auth(default): Info: client out: FAIL 1
reason=Invalid base64 data in continued response
Mar 16 21:42:55 imap-login: Info: Disconnected (cert required, client
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
--
Thanks
Stephen Feyrer.
On Tue, 16 Mar 2010 18:03:38 -0000, Timo Sirainen <tss at iki.fi> wrote:
> On Tue, 2010-03-16 at 18:01 +0000, Stephen Feyrer wrote:
>
>> How can I use SASL-IR with dovecot?
>
> It's client that uses it by sending:
>
> AUTHENTICATE EXTERNAL =
>
> instead of:
>
> AUTHENTICATE EXTERNAL
> <wait for reply>
> =
>
> so nothing really you can do about it..
>
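The two exchanges Timo describes above (the initial response on the AUTHENTICATE line when the server advertises SASL-IR, otherwise a bare continuation line after the server's "+"), as an added example that is not part of the original post or of Dovecot. The server side is a constructed in-memory stand-in modelled on the replies quoted in the post; it only checks that the optional authorization identity is empty or matches the certificate user, and it does not reproduce the passwd-file FAIL seen in the logs. The `FakeDovecotServer`, `Transcript` and `authenticate_external` names are assumptions for this example.

```python
"""IMAP AUTHENTICATE EXTERNAL: SASL-IR initial response vs. two-step continuation.

Example code, not Dovecot's. The server class is a constructed stand-in.
"""
import base64
import binascii
import re

CAPABILITY_RE = re.compile(r"\[CAPABILITY ([^\]]+)\]")


def parse_capabilities(greeting):
    """Return the words of the CAPABILITY response code in the greeting."""
    m = CAPABILITY_RE.search(greeting)
    return set(m.group(1).split()) if m else set()


def decode_sasl_line(line):
    """Decode one SASL response line; '=' is the spelling for an empty response."""
    if line == "=":
        return b""
    return base64.b64decode(line, validate=True)  # binascii.Error on junk


class FakeDovecotServer:
    """Constructed IMAPS server stand-in (not Dovecot). cert_user plays the
    CN the TLS layer extracted when ssl_username_from_cert is enabled."""

    def __init__(self, cert_user="Stephen", sasl_ir=True):
        self.cert_user = cert_user
        self.sasl_ir = sasl_ir
        self.pending_tag = None  # set while a continuation line is awaited

    def greeting(self):
        caps = "IMAP4rev1 LITERAL+ " + ("SASL-IR " if self.sasl_ir else "") + "AUTH=EXTERNAL"
        return f"* OK [CAPABILITY {caps}] Dovecot ready.\r\n"

    def _finish(self, tag, authzid_b64):
        try:
            authzid = decode_sasl_line(authzid_b64).decode()
        except (binascii.Error, UnicodeDecodeError):
            return f"{tag} NO [ALERT] Invalid base64 data in continued response\r\n"
        # EXTERNAL: the client certificate is the credential; the optional
        # authorization identity must be empty or equal the certificate user.
        if authzid in ("", self.cert_user):
            return f"{tag} OK Logged in as {self.cert_user}\r\n"
        return f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed.\r\n"

    def handle(self, line):
        line = line.rstrip("\r\n")
        if self.pending_tag is not None:
            tag, self.pending_tag = self.pending_tag, None
            # A continuation line is bare base64 with no tag: "01 =" fails here.
            return self._finish(tag, line)
        parts = line.split(" ")
        if len(parts) < 3 or parts[1].upper() != "AUTHENTICATE" or parts[2].upper() != "EXTERNAL":
            return f"{parts[0]} BAD Error in IMAP command\r\n"
        if len(parts) == 4:  # initial response on the command line
            if not self.sasl_ir:
                return f"{parts[0]} BAD Initial response not supported (no SASL-IR)\r\n"
            return self._finish(parts[0], parts[3])
        self.pending_tag = parts[0]
        return "+ \r\n"


class Transcript:
    """Wires a client to the fake server and records both sides' lines."""

    def __init__(self, server):
        self.server = server
        self.lines = [("S", server.greeting())]
        self._inbox = [self.lines[0][1]]

    def readline(self):
        return self._inbox.pop(0)

    def write(self, data):
        self.lines.append(("C", data))
        reply = self.server.handle(data)
        self.lines.append(("S", reply))
        self._inbox.append(reply)


def authenticate_external(transport, authzid=""):
    """Run AUTHENTICATE EXTERNAL; return (success, final tagged reply)."""
    caps = parse_capabilities(transport.readline())
    if "AUTH=EXTERNAL" not in caps:
        return False, "server does not advertise AUTH=EXTERNAL"
    tag = "01"
    initial = base64.b64encode(authzid.encode()).decode() or "="
    if "SASL-IR" in caps:
        transport.write(f"{tag} AUTHENTICATE EXTERNAL {initial}\r\n")
    else:
        transport.write(f"{tag} AUTHENTICATE EXTERNAL\r\n")
        reply = transport.readline()
        if not reply.startswith("+"):
            return False, reply.strip()
        transport.write(initial + "\r\n")  # bare continuation, no tag
    final = transport.readline()
    return final.startswith(tag + " OK"), final.strip()
```

Running `authenticate_external(Transcript(FakeDovecotServer()))` produces the one-round-trip SASL-IR exchange; with `sasl_ir=False` the client waits for "+ " and answers with a bare "=". Feeding the server "01 =" as the continuation line reproduces the "Invalid base64 data in continued response" reply from the third attempt, since the tag is not base64.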