Try adding auth_debug_password=yes
Aki
On 01.02.2018 10:27, yuryb wrote:

We have a FreeBSD server with dovecot installed on it as an IMAP server. My user and password database is a text file with plaintext passwords. Clients connect to the IMAP server via the TLS protocol with a plaintext password. All works fine. But I want to configure the ability to authorize with client certificates. I have generated a client certificate and imported it into the email client. I have also configured dovecot to verify client certificates. But the email client cannot authorize: Password mismatch. Why does dovecot reject my password in this case? Please help!
My log:

dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>

My configuration:

# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imaps {
    ssl = yes
  }
}
ssl_ca = </etc/ssl/cacert.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_require_crl = no
ssl_verify_client_cert = yes
userdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
verbose_ssl = yes