Hi.
The tests using SASL and SASL-IR in Thunderbird both fail to
authenticate. I have tried using openssl s_client with the same result.
I've run the auth command in three ways just to be sure I got the second
example right. I even checked to make sure I've spelt my name right and
the case of the letters.
# dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
  postmaster_address: postmaster@ksudra.net
auth default:
  mechanisms: EXTERNAL
  realms: ksudra.net
  default_realm: ksudra.net
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/passwd
  userdb:
    driver: passwd

/opt/etc/dovecot/passwd
Stephen:{EXTERNAL}

$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL =
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=55745 resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35721
Mar 16 21:40:38 auth(default): Info: client out: CONT 1
Mar 16 21:40:40 auth(default): Info: client in: CONT<hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL 1 user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
- 01 =
01 NO [ALERT] Invalid base64 data in continued response
DONE

Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT 1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 21:42:35 auth(default): Info: client out: FAIL 1 reason=Invalid base64 data in continued response
Mar 16 21:42:55 imap-login: Info: Disconnected (cert required, client didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

--
Thanks
Stephen Feyrer.
On Tue, 16 Mar 2010 18:03:38 -0000, Timo Sirainen tss@iki.fi wrote:
On Tue, 2010-03-16 at 18:01 +0000, Stephen Feyrer wrote:
How can I use SASL-IR with dovecot?
It's client that uses it by sending:
AUTHENTICATE EXTERNAL =
instead of:
AUTHENTICATE EXTERNAL <wait for reply>
so nothing really you can do about it..
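
The two client forms named in the quoted reply, and why a bare "=" is accepted as a SASL-IR initial response but not as a continuation line, shown as an added example (not part of the original message and not Dovecot's code). The function names and the strict base64 pattern are assumptions made for illustration; the "=" convention for a zero-length initial response comes from RFC 4959.

```python
import base64
import re

# Strict base64: complete 4-character groups, padding only in the last group.
_B64 = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def client_lines(tag, mech, response, sasl_ir):
    """Return the lines a client sends for AUTHENTICATE, in order.

    With sasl_ir=True the response rides on the command line (RFC 4959).
    Without it, the second line is sent only after the server's "+"
    continuation request.
    """
    b64 = base64.b64encode(response).decode("ascii")
    if sasl_ir:
        # A zero-length initial response is written as a single "=".
        return [f"{tag} AUTHENTICATE {mech} {b64 or '='}"]
    # In a continuation, a zero-length response is just an empty line.
    return [f"{tag} AUTHENTICATE {mech}", b64]


def decode_continuation(line):
    """Decode a client continuation line; "=" has no special meaning here."""
    if not _B64.fullmatch(line):
        raise ValueError("invalid base64 data in continued response")
    return base64.b64decode(line)


def decode_initial(arg):
    """Decode the SASL-IR argument given on the AUTHENTICATE line itself."""
    if arg == "=":
        return b""  # RFC 4959 marker for an empty initial response
    return decode_continuation(arg)


if __name__ == "__main__":
    print(client_lines("01", "EXTERNAL", b"", sasl_ir=True))
    print(client_lines("01", "EXTERNAL", b"", sasl_ir=False))
    print(decode_initial("="), decode_continuation(""))
```
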