Hi everyone.
Please note, I've asked a very similar question before and I apologize for sounding like a broken record. Well here it goes.
What I want to do is authenticate my users using a certificate. Thereby authenticating both the user and server with strong tokens that are centrally managed. In the worst case scenario the user should only need to enter a password for the certificate store and then the certificate should trigger the appropriate level of access to their account.
Is Dovecot the correct tool for the job?
If yes then, how?
Else if not, then what would you recommend?
I have tried setting the auth mechanism to anonymous without any joy. My password file is set with nopassword. All my certificates work well with the Secure Sockets Layer system.
This is the configuration I am currently running: # 1.2.beta1: /opt/etc/dovecot/dovecot.conf # OS: Linux 2.6.12.6-arm1 armv5tejl log_path: /opt/var/log/dovecot.log info_log_path: /opt/var/log/dovecot-info.log protocols: imaps ssl_ca_file: /opt/etc/ssl.ca/cacrl.pem ssl_cert_file: /opt/etc/ssl.ca/newcerts/imap.cer ssl_key_file: /opt/etc/ssl.ca/private/imap.key ssl_parameters_regenerate: 24 ssl_cipher_list: ALL:!LOW:!SSLv2 ssl_verify_client_cert: yes disable_plaintext_auth: yes verbose_ssl: yes login_dir: /opt/var/run/dovecot/login login_executable: /opt/libexec/dovecot/imap-login login_user: guest login_processes_count: 2 login_max_processes_count: 4 mbox_write_locks: fcntl mail_process_size: 512 imap_client_workarounds: outlook-idle tb-negative-fetch auth default: user: admin verbose: yes debug: yes ssl_require_client_cert: yes ssl_username_from_cert: yes passdb: driver: passwd-file args: /opt/etc/dovecot/h.org/passwd userdb: driver: passwd
This is a log of a login attempt: dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556 dovecot: May 25 11:56:08 Info: imap-login: Valid certificate: /O=home.org/emailAddress=admin@nas2.h.org/L=W/ST=C/C=G/CN=h.org dovecot: May 25 11:56:08 Info: imap-login: Valid certificate: /C=G/ST=C/O=h.org/OU=K F/CN=k dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585 dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured valid-client-cert cert_username=k lip=10.1.1.245 rip=10.1.1.1 lport=993 rport=53430 dovecot: May 25 11:56:16 Info: auth(default): client out: CONT 1 dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden> dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): lookup: user=k file=/opt/etc/dovecot/h.org/passwd dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): No password dovecot: May 25 11:56:16 Info: auth(default): client out: OK 1 user=k dovecot: May 25 11:56:16 Info: auth(default): master in: REQUEST 6 22164 1 dovecot: May 25 11:56:16 Info: auth(default): passwd(k,10.1.1.1): lookup dovecot: May 25 11:56:16 Info: auth(default): master out: USER 6 k system_user=k uid=500 gid=100 home=/ dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>, method=PLAIN, rip=10.1.1.1, lip=10.1.1.245, TLS
With this configuration the client will connect over ssl and identify itself with a certificate but a client password is still required.
-- Regards
Stephen.