[Dovecot] Incompatibility Thunderbirds Auth Mech TLS-Certificate <-> Dovecot
Christian Felsing
pug at felsing.net
Fri Apr 25 12:56:13 UTC 2014
Hello,
it seems there is an issue regarding "TLS-Certificate"
authentication between Thunderbird and Dovecot. Obviously the client
certificate is recognized by Dovecot:
Apr 25 14:29:01 dovecot dovecot: imap-login: Valid certificate:
/emailAddress=christian.felsing at example.net/CN=Christian Felsing
(Test)/OU=CF Certificates/O=example.net/C=DE
AFAIK Dovecot always requires an IMAP login, even with a "static" passdb
config. Static means any password is accepted, but it does not mean "no login".
I hope I am wrong; the following log entry gives a hint about what
Thunderbird does, or more precisely does not do:
Apr 25 14:29:01 dovecot dovecot: imap-login: Disconnected (no auth
attempts in 5 secs): user=<>, rip=192.168.1.99, lip=192.168.42.1, TLS,
session=<3+1THN33NQBtWq5D>
Dovecot wants an IMAP login, but Thunderbird does not send one. I am not
sure whether that is a bug (or feature) of Dovecot or of Thunderbird.
Thunderbird does several strange things with client certificates:
1st) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use plain-text auth, Thunderbird offers a
client certificate and the login succeeds as configured in Dovecot.
Unfortunately Thunderbird uses the same certificate for all accounts
configured for that host. This is very bad if Dovecot reads the username
from certificate attributes.
2nd) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use TLS-Certificate, Thunderbird also
offers a client certificate, but Dovecot then requests a login from
Thunderbird. That fails, because Thunderbird assumes the TLS certificate
is enough for a successful login.
If it is true that Dovecot is not compatible with Thunderbird's way of
TLS-Certificate authentication, I am considering setting up a proxy that
supports it. Maybe Nginx would be a solution: it supports IMAP and has a
Lua module, and some Lua code could fake the authentication. This is an
ugly hack, so I would like to avoid it if anybody has a better solution.
Thunderbird is a very widespread IMAP client, so it should not be
ignored.
best regards
Christian
---Dovecot config---
# /opt/dovecot/bin/doveconf -n
# 2.2.12: /opt/dovecot/etc/dovecot-cert/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.4
# doveconf -n prints only the settings that differ from Dovecot's defaults.
# Debug logging is on; auth_debug_passwords additionally writes the submitted
# passwords into the log in clear. Troubleshooting-only: the log becomes a
# credential store while this is set.
auth_debug = yes
auth_debug_passwords = yes
# Enables the "user*masteruser" login syntax. No passdb with master=yes is
# shown in this output, so presumably it is unused here - TODO confirm.
auth_master_user_separator = *
# Every login must present a client certificate (validated against ssl_ca
# below) and the username is taken from that certificate rather than from
# the IMAP LOGIN/AUTHENTICATE command. Which certificate field supplies the
# name is not shown here (ssl_cert_username_field, default CommonName).
# NOTE(review): the CN in the "Valid certificate" log line above contains
# spaces and parentheses, which auth_username_chars below does not allow, so
# a CN-derived username would be rejected - confirm which field is used.
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
# Allow-list of characters permitted in a username; anything else fails auth.
# (Line wrapped by the mail client; it is one setting.)
auth_username_chars =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
# Character translation applied to usernames: '@' becomes '#'.
auth_username_translation = "@#"
base_dir = /var/run/dovecot-cert
# Single virtual-mail UID/GID (124): every mailbox is owned by the same Unix
# user, so separation between users rests on mail_location paths, not on
# file ownership.
first_valid_uid = 124
last_valid_uid = 124
# Binds only this address, not all interfaces.
listen = 192.168.42.1
log_timestamp = %Y-%m-%d %H:%M:%S
login_greeting = example.net imap4/pop3 (cert only) ready.
mail_gid = 124
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = 124
managesieve_notify_capability = mailto
# Advertised Sieve extensions (one setting, wrapped by the mail client).
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave imapflags notify
# Shared namespace: other users' mailboxes appear under shared/<user>/,
# access governed by the acl plugin configured below.
namespace {
list = children
location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
prefix = shared/%%u/
separator = /
subscriptions = no
type = shared
}
namespace inbox {
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
type = private
}
# Static passdb: the post above describes it as accepting any password;
# as written it supplies the fixed password "test" for every user - TODO
# confirm the exact semantics against the static passdb documentation.
# Either way the only real authentication gate in this setup is the client
# certificate check (auth_ssl_require_client_cert + ssl_ca).
passdb {
args = password=test
driver = static
}
plugin {
# Global ACL file for the shared namespace; entries are cached for 300 s,
# so ACL revocations take up to that long to apply.
acl = vfile:/etc/dovecot/global-acls:cache_secs=300
acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
autocreate = Trash
autocreate2 = Drafts
autosubscribe = Trash
autosubscribe2 = Drafts
quota = maildir:User quota
quota_rule = *:storage=500M
quota_rule2 = Trash:storage=+100M
# External script invoked at 95 % / 80 % usage; %u (the username) is passed
# as an argument, so the script must treat it as untrusted input.
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
recipient_delimiter = +
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service anvil {
client_limit = 4000
}
service auth-worker {
group = vmail
}
service auth {
client_limit = 8000
# Auth sockets restricted to owner + vmail group (0660).
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = dovecot
}
# NOTE(review): the auth process runs as root. With only a static passdb
# nothing visible here seems to need that privilege - confirm why.
user = root
}
service imap-login {
# Plaintext port; because a client certificate is required for every
# login, presumably only STARTTLS sessions can authenticate here - verify.
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 1024
}
# Runs after each successful IMAP login (last-login bookkeeping).
service imap-postlogin {
executable = script-login /opt/cfbin/lastlogin.sh
}
service imap {
executable = imap imap-postlogin
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
# Legacy ManageSieve port kept alongside 4190; remove once old clients
# no longer need it.
inet_listener sieve_deprecated {
port = 2000
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
process_limit = 1024
}
service pop3-postlogin {
executable = script-login /opt/cfbin/lastlogin.sh
}
service pop3 {
executable = pop3 pop3-postlogin
}
service quota-warning {
executable = script /opt/cfbin/quota-warning.sh
user = vmail
}
# CA used to validate client certificates ("<" reads the file contents).
# Given the static passdb, any certificate this CA issues can log in, so
# it should be a dedicated private CA, not a public one.
ssl_ca = </opt/dovecot/etc/dovecot/client-ca.pem
ssl_cert = </opt/dovecot/etc/dovecot/example.net.pem
# OpenSSL cipher string (one setting, wrapped by the mail client).
# NOTE(review): "ALL" re-enables every suite not excluded afterwards, and
# "+3DES" only moves 3DES to the end of the list rather than removing it,
# so 3DES and non-forward-secret RSA suites remain negotiable.
ssl_cipher_list =
kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
# Size of the DH group used by the kEDH suites.
ssl_dh_parameters_length = 4096
ssl_key = </opt/dovecot/etc/dovecot/example.net.key
# Server cipher preference wins over the client's order.
ssl_prefer_server_ciphers = yes
# Request and verify the client certificate during the TLS handshake;
# auth_ssl_require_client_cert above makes presenting one mandatory.
ssl_verify_client_cert = yes
verbose_ssl = yes
protocol imap {
# Thunderbird (tb) compatibility workaround.
imap_client_workarounds = tb-extra-mailbox-sep
mail_max_userip_connections = 20
mail_plugins = quota imap_quota acl imap_acl
}
protocol sieve {
managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = %08Xu%08Xv
}