Date: Wed, 28 Apr 2010 21:34:03 +0200 From: hs@schlittermann.de To: dovecot@dovecot.org Subject: Re: [Dovecot] Question about auth multiple configuration
Fabrice MATHIEU simpsons_bart_cs@hotmail.com (Wed 28 Apr 2010 19:12:31 CEST):
Hello,
My mail system is built with postfix, dovecot and roundcube. At first, users can view and "manage" their mail only on the webmail. So this one (the webmail) uses IMAP (no TLS/SSL at all) authentication to give access to the users' maildirs. This connection is made on the 'loopback' interface and uses the PLAIN method. This works fine (configuration below, without ssl parameters).
(…)
That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so won't auth be possible without a certificate?
Can't we make two auth policies: a secure one (client cert required) for public IPs/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (127.0.0.1) for roundcube? I see the section "auth default { ... }", and it is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"? (…)
If I understood well, you're looking for a config option like login_trusted_networks (available in 1.2.11; I don't know since when).
Best regards from Dresden/Germany, Heiko Schlittermann
-- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann HS12-RIPE ----------------------------------------- gnupg encrypted messages are welcome - key ID: 48D0359B --------------- gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
First, thank you for your answer.
I suppose this option is available in version 1.2.8; I have got it (commented out) in the default configuration file.
### begin COTE
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
### end COTE
I guess that IPs listed here can "bypass" some checks. ssl_require_client_cert too?
I will try it.
More information, if it can help!
Here is an example of my configuration:
[ASCII network diagram, garbled in extraction; the recoverable paths are:]
- workstation with MUA (thunderbird) --> ISP1 - modem --(smtp, port 2025)--> smtpds - postfix --(UNIX socket)--> "dovecot auth"
- workstation with MUA (thunderbird) --> ISP1 - modem --(imaps, port 993)--> dovecot imaps (public IP) --> internal cnx ?
- workstation with browser (FireFox) --> ISP2 - modem --(https, port 443)--> httpd - roundcube --> dovecot imap (127.0.0.1) --> internal cnx ?
- the mail server also runs a "smtpd normal"
IPs is the server public IP
IPm is the workstation public IP (which is visible to public stations) which has the MUA
IPb is the workstation public IP (which is visible to public stations) which has the Internet browser
IPlb is the loopback IP (127.0.0.1)
There are three cases:
A) The user sends/manages his mail via the webmail
B) The user manages his mail via MUA by imaps
C) The user sends mail via MUA by smtps
A) - The user gets access to the webmail site (no need to describe it here)
- The username/password entered on the login page are used by the webmail program, which tries to login/auth on the imap service via IPlb (port
This connection must be "clear" => no ssl handshake needed
if "ssl_require_client_cert" is set to "yes" => dovecot says that a client certificate is needed and the login fails (see the description in the first thread)
Access is granted depending on the imap service's response
B) - The user uses his MUA to check the mailbox
the software connects to the imaps service (IPs port 993). Before anything else it starts with an ssl handshake. The imaps service requires a client certificate issued by a specified Certificate Authority (which is known by dovecot).
If the client cert is not valid, the session should end! That's why "ssl_require_client_cert" is set to "yes".
If it is valid, then the client (MUA) runs the login process and gets access.
C) - The user uses his MUA, too, to send an email.
the software tries to connect to the smtpds service (IPs port 2025) (which is configured to require a TLS session to get smtp relay access).
the MUA asks to begin TLS (starttls)
the handshake is made and the MUA sends its client certificate (the same as for imaps).
Now, sasl authentication is needed. So the MUA sends the user/pass known by dovecot
postfix uses the dovecot auth unix socket to submit the client credentials
if "ssl_require_client_cert" is set to "yes" => the login fails and says that the client cert is not valid (see the description in the first thread)
if "ssl_require_client_cert" is set to "no" => the login succeeds and the client can send mails
Depending on the value of "ssl_require_client_cert":
Set to "no" => I can access the webmail and send mail via smtps, but not get imaps access (more precisely yes, but without a client cert being needed (it is less secure))
Set to "yes" => I cannot access the webmail/smtps, but I can use imaps with strong authentication (client cert required)
Another point: as the postfix sasl mechanism uses a unix socket to check user/pass, why is a client certificate needed? I suppose it doesn't work like an IP connection...
The question is:
With the dovecot configuration (multiple auth YYY { ... } blocks?) or anything else, can I force SSL/client certificate for imaps connections and "clear" (no SSL) connections for the local imap/unix socket?
Thank you.
Best regards,