Hello,
I am stuck on Thunderbird authentication with X.509 client certs.
This is my config (dovecot -n):
$ /opt/dovecot/sbin/dovecot -n
# 2.2.rc3: /opt/dovecot-2.2.rc3/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.0
auth_debug = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_verbose = yes
base_dir = /home/dovecot/
hostname = mail.ip6.li
instance_name = dovecot-01
lda_mailbox_autocreate = yes
mail_gid = dovecot
mail_uid = dovecot
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u /opt/dovecot/etc/dovecot/mailusers.993
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl_shared_dict = file:/home/dovecot/shared-mailboxes
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@ip6.li
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
sendmail_path = /usr/lib/sendmail
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
ssl_ca =
The logfile shows this after Thunderbird tries to get access:
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: auth: Debug: Loading modules from directory: /opt/dovecot-2.2.rc3/lib/dovecot/auth
Mar 22 19:22:32 dovecot dovecot: auth: Debug: Read auth token secret from /home/dovecot//auth-token-secret.dat
Mar 22 19:22:32 dovecot dovecot: auth: Debug: passwd-file /opt/dovecot/etc/dovecot/mailusers.993: Read 1 users in 0 secs
Mar 22 19:22:32 dovecot dovecot: auth: Debug: auth client connected (pid=20082)
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate request A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /CN=IP6LI Root Certification Authority
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /CN=Intermediate CA for ip6.li users/OU=ip6.li Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /emailAddress=christian@felsing.lan/CN=Christian Felsing/OU=ip6.li Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.200.6, lip=192.168.200.22, TLS, session=<EfvjiYfYrgCwxigG>
It seems the client cert is OK, but Dovecot does not like Thunderbird's method of handling TLS-cert login w/o username and password.
The hint at http://dovecot.org/list/dovecot/2012-December/069771.html does not seem to be valid for Dovecot 2.2.
On the other hand, I think it is not a suitable method to include CRLs in the CA file. The certificate should include a link to a CRL or - better - a URL to OCSP. Does Dovecot support OCSP?
Best regards,
Christian