This issue is peripherally related to the following thread
Re: [Dovecot] client certs with godaddy ssl cert
This is running on CentOS 5.2 with latest Atrpms for Dovecot as of this weekend.
# rpm -qa | grep dovecot dovecot-sieve-1.1.5-8.el5 dovecot-1.1.4-0_81.el5
With assistance from Rainer Frey (Inxmail GmbH), I am able to successfully use client ssl certs for imap access on both my Nokia e61i and Thunderbird 2.0.0.17, problem now is dovecot sasl and postfix smtp authentication.
Using the same self created CA that generates and certifies the ssl client certs in Postfix and using Dovecot SASL, I always get client didn't send proper ssl cert when trying to do a tls based smtp connection from either the e61i or tbird.
Cranking up the peer debug level in Postfix, I see the connection is always rejected by Dovecot SASL eg
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15
got 45
Oct 21 16:39:07 myserver postfix/smtpd[18189]: <
mycomp.myserver.net[10.11.12.5]: AUTH PLAIN
********************************************=
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first:
sasl_method PLAIN, init_response **************************************==
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16
flush 64
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply:
auth reply: FAIL?1?reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: warning:
mycomp.myserver.net[10.11.12.5]: SASL PLAIN authentication failed: Client
didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: >
mycomp.myserver.net[10.11.12.5]: 535 5.7.0 Error: authentication failed:
Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: watchdog_pat: 0x868a570
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 15
flush 85
Oct 21 16:39:07 myserver dovecot: auth(default): client in: AUTH 1
PLAIN service=smtp resp=*********************************************==
Oct 21 16:39:07 myserver dovecot: auth(default): PLAIN(?): Client didn't
present valid SSL certificate
Oct 21 16:39:07 myserver dovecot: auth(default): client out: FAIL 1
reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15
got 12
Oct 21 16:39:07 myserver postfix/smtpd[18189]: <
mycomp.myserver.net[10.11.12.5]: AUTH LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first:
sasl_method LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16
flush 26
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply:
auth reply: FAIL?2?reason=Client didn't present valid SSL certificate
Not sure where to look now, I've configured dovecot and postfix as per their respective wiki's
Here are the relevant config entries
/etc/postfix/main.cf
### Oct 11/08 - added to allow dovecot sasl for smtp auth smtpd_sasl_type = dovecot # Can be an absolute path, or relative to $queue_directory smtpd_sasl_path = private/auth # and the common settings to enable SASL: smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_security_options = noanonymous
### Oct 11/08 - added to allow tls smtp authentication with client certs smtpd_tls_auth_only = yes smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom myhostname = server.myserver.net
### these are the self signed CA based authentication keys, this CA created ### the client certs for the nokia e61i and the Thunderbird 2.0.0.17 smtpd_tls_key_file = /etc/postfix/ssl/server.myserver.net.key smtpd_tls_cert_file = /etc/postfix/ssl/server.myserver.net.crt ### this is the ca cert and crl combined smtpd_tls_CAfile = /etc/postfix/ssl/ca1.crt
dovecot -n
# 1.1.4: /etc/dovecot.conf protocols: imaps pop3s ssl_listen(default): *:993 ssl_listen(imap): *:993 ssl_listen(pop3): *:995 ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert ssl_key_file: /etc/pki/tls/private/server.myserver.net.key ssl_verify_client_cert: yes ssl_require_client_cert = yes verbose_ssl: yes login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes mail_debug: yes mail_executable(default): /usr/libexec/dovecot/imap mail_executable(imap): /usr/libexec/dovecot/imap mail_executable(pop3): /usr/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/imap mail_plugin_dir(imap): /usr/lib/dovecot/imap mail_plugin_dir(pop3): /usr/lib/dovecot/pop3 auth default: mechanisms: plain login debug: yes debug_passwords: yes ssl_require_client_cert: yes passdb: driver: pam userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix
Interestingly enough the mode line in the dovecot.conf file is set as 0660, not 432 as noted above?!?!?
What else should I be looking at to troubleshoot this issue?
Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager)