Hi.
The tests using SASL and SASL-IR in Thunderbird both fail to
authenticate. I have tried using openssl s_client with the same result.
I've run the auth command in three ways just to be sure I got the second
example right. I even checked to make sure I've spelt my name right and
the case of the letters.
# dovecot -n # 1.2.10: /opt/etc/dovecot/dovecot.conf # OS: Linux 2.6.12.6-arm1 armv5tejl ext3 base_dir: /opt/var/run/dovecot/ log_path: /opt/var/log/dovecot/messages info_log_path: /opt/var/log/dovecot/info protocols: imaps listen: [::] ssl_ca_file: /opt/etc/domain.ca/cacrl.pem ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer ssl_key_file: /opt/etc/domain.ca/private/mail.key ssl_cipher_list: ALL:!LOW:!SSLv2 ssl_verify_client_cert: yes verbose_ssl: yes login_dir: /opt/var/run/dovecot/login login_executable: /opt/libexec/dovecot/imap-login login_process_size: 32 mail_location: dbox:/share/MD0_DATA/mail/%u mail_debug: yes dbox_rotate_days: 0 imap_id_send: * imap_id_log: * lda: postmaster_address: postmaster@ksudra.net auth default: mechanisms: EXTERNAL realms: ksudra.net default_realm: ksudra.net user: admin verbose: yes debug: yes ssl_require_client_cert: yes ssl_username_from_cert: yes passdb: driver: passwd-file args: /opt/etc/dovecot/passwd userdb: driver: passwd
/opt/etc/dovecot/passwd Stephen:{EXTERNAL}
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready. 01 AUTHENTICATE EXTERNAL = 01 NO [AUTHENTICATIONFAILED] Authentication failed. DONE
$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4):
lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1
user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready. 01 AUTHENTICATE EXTERNAL
01 NO [AUTHENTICATIONFAILED] Authentication failed. DONE
Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=35721
Mar 16 21:40:38 auth(default): Info: client out: CONT 1
Mar 16 21:40:40 auth(default): Info: client in: CONT<hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4):
lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL 1
user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client
didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4,
lip=10.1.1.245, TLS
$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=EXTERNAL] Dovecot ready. 01 AUTHENTICATE EXTERNAL
- 01 = 01 NO [ALERT] Invalid base64 data in continued response DONE
Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT 1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid
base64 data in continued response
Mar 16 21:42:35 auth(default): Info: client out: FAIL 1
reason=Invalid base64 data in continued response
Mar 16 21:42:55 imap-login: Info: Disconnected (cert required, client
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
-- Thanks
Stephen Feyrer.
On Tue, 16 Mar 2010 18:03:38 -0000, Timo Sirainen <tss@iki.fi> wrote:
On Tue, 2010-03-16 at 18:01 +0000, Stephen Feyrer wrote:
How can I use SASL-IR with dovecot?
It's client that uses it by sending:
AUTHENTICATE EXTERNAL =
instead of:
AUTHENTICATE EXTERNAL <wait for reply>
so nothing really you can do about it..