Hello,
My mail system is built with postfix, dovecot and roundcube. At first, users could view and "manage" their mail only through the webmail. So this one (webmail) uses IMAP (no TLS/SSL at all) authentication to give access to the users' maildir. This connection is made on the 'loopback' interface and uses the PLAIN method. This works fine (configuration below without the SSL parameters).
Now I want to see and send my mail with a MUA (thunderbird). As my system is hosted at an Internet provider, I want to add more security "solutions". I use smtps with postfix and SASL auth via the dovecot socket mechanism to send mail. I use imaps with dovecot for managing my maildir.
I have added the SSL parameters to the configuration file (see below) and I require a certificate from the client (to avoid man-in-the-middle attacks and to give access only to clients with a user certificate). To get this, "ssl_require_client_cert" is set to yes. OK, now imaps works perfectly. But since a certificate is required, webmail authentication (localhost) and SASL (postfix auth through the dovecot socket mechanism) don't work.
Webmail => dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Postfix => postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so shouldn't auth be possible without a certificate?
Can't we make two auth policies: a secure one (client cert required) for public IPs/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (127.0.0.1) for roundcube? I see the section "auth default { ... }", which is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?
Thank you.
And here is my configuration:
operating system => FreeBSD 7.1
dovecot --version => 1.2.8
dovecot -n =>
# 1.2.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE i386 ufs
protocols: imap
listen: 127.0.0.1
ssl_listen: X.Y.Z.T
ssl: yes
ssl_ca_file: /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file: /usr/local/etc/dovecot/imaps.pem
ssl_key_file: /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/jails/mails/%d/%n
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
lda:
  postmaster_address: postmaster@SOMETHING
  hostname: SOMETHING_ELSE
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  userdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: wheel
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
Best regards,
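An added example, not part of the original post and not Dovecot or Postfix code: a small log audit that parses the two failures quoted above and flags which rejections hit a trusted local path (loopback IMAP from the webmail, or the Postfix auth socket) rather than a remote client. The split policy it encodes (certificate demanded only for non-loopback TCP peers, never for the unix socket) is the one the post asks for, written down as a hypothetical function; the log lines in the post show that Dovecot 1.2 applies ssl_require_client_cert to those paths as well. The first two sample lines are the post's own (TOTO and X.A.B.C are its placeholders); the third line, with TEST-NET addresses, is constructed to show a remote client for contrast.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines 1-2 are the failures quoted in the post (TOTO and
# X.A.B.C are the post's placeholders); line 3 is an added hypothetical remote
# IMAP client using TEST-NET addresses.
SAMPLE_LOG = """\
dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

IMAP_LOGIN_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\): "
    r"method=(?P<method>\S+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
    r"(?P<secured>, secured)?"
)
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>[^\[]+)\[(?P<rip>[^\]]+)\]: "
    r"SASL (?P<method>\S+) authentication failed: (?P<reason>.*)"
)


@dataclass
class AuthEvent:
    service: str           # "imap-login" or "smtpd"
    method: str            # SASL mechanism, e.g. PLAIN
    rip: str               # remote IP exactly as logged
    secured: bool          # Dovecot's own "secured" flag on the imap-login line
    via_unix_socket: bool  # auth request reached dovecot-auth over the postfix socket
    reason: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line into an AuthEvent; None if it is not an auth failure."""
    m = IMAP_LOGIN_RE.search(line)
    if m:
        return AuthEvent("imap-login", m["method"], m["rip"].strip(),
                         m["secured"] is not None, False, m["reason"])
    m = SMTPD_RE.search(line)
    if m:
        # Postfix talks to dovecot-auth over /var/spool/postfix/private/auth;
        # the logged IP is the SMTP peer, not the peer of the auth socket.
        return AuthEvent("smtpd", m["method"], m["rip"], False, True, m["reason"])
    return None


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # placeholders such as X.A.B.C are not addresses
        return False


def cert_required_by_desired_policy(ev: AuthEvent) -> bool:
    """Hypothetical split policy from the post (not Dovecot 1.2 behaviour):
    demand a client certificate only from TCP peers that are not loopback."""
    if ev.via_unix_socket:
        return False
    return not is_loopback(ev.rip)


def classify(ev: AuthEvent) -> str:
    """expected_reject: the cert requirement is doing its job on a remote peer.
    collateral_reject: a trusted local path was rejected by the global setting."""
    if "cert" not in ev.reason.lower():
        return "other"
    return "expected_reject" if cert_required_by_desired_policy(ev) else "collateral_reject"


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (service, rip, verdict) for every auth failure in the log text."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            out.append((ev.service, ev.rip, classify(ev)))
    return out


if __name__ == "__main__":
    for service, rip, verdict in audit(SAMPLE_LOG):
        print(f"{service:<10} rip={rip:<14} {verdict}")
```

Run against a real mail log, every collateral_reject is a login attempt from the webmail or the Postfix socket that the global ssl_require_client_cert turned away; a run with only expected_reject lines is what a correctly split policy would produce.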