Hi.
I'm trying to test EXTERNAL AUTHENTICATION in Dovecot. To do this I first
configured Thunderbird and Opera to use my server; neither of them was
successful. As a result I contacted both organisations to enquire whether they
supported EXTERNAL AUTHENTICATION in their products. Thunderbird
responded and said yes. However, on closer inspection my contact at
Thunderbird identified that support for EXTERNAL AUTHENTICATION was poor
at best, and then only in SMTP. From that point on, my contact has been
trying to implement support in Thunderbird.
I've also tried to test using openssl s_client, which is detailed below. As
far as I can tell my problems appear after the authentication. I don't
know what the problem is, only that there is one.
[~] # dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot//login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
  postmaster_address: postmaster@ksudra.net
auth default:
  mechanisms: EXTERNAL
  realms: ksudra.net
  default_realm: ksudra.net
  user: admin
  verbose: yes
  debug: yes
  ssl_require_client_cert: yes
  ssl_username_from_cert: yes
  passdb:
    driver: passwd-file
    args: /opt/etc/dovecot/passwd
  userdb:
    driver: passwd
[~] # openssl s_client -cert Stephen.pem -connect 10.1.1.245:993
<-- snip -->
SSL handshake has read 4460 bytes and written 2451 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1268756439
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 list "" *
01 NO [ALERT] Invalid base64 data in continued response
01 select inbox
01 BAD Error in IMAP command received by server.
02 select inbox
02 BAD Error in IMAP command received by server.
DONE
[~] # tail -f /opt/var/log/dovecot/info
Mar 16 16:51:14 auth(default): Info: new auth connection: pid=9176
Mar 16 16:51:16 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:51:16 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:06 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=45379
Mar 16 16:52:06 auth(default): Info: client out: CONT 1
Mar 16 16:52:42 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:52:42 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:42 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=45381
Mar 16 16:52:42 auth(default): Info: client out: CONT 1
Mar 16 16:52:42 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:42 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid
base64 data in continued response
Mar 16 16:52:42 auth(default): Info: client out: FAIL 1
reason=Invalid base64 data in continued response
Mar 16 16:52:42 auth(default): Info: new auth connection: pid=9182
Mar 16 16:52:45 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:45 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid
base64 data in continued response
Mar 16 16:52:45 auth(default): Info: client out: FAIL 1
reason=Invalid base64 data in continued response
Mar 16 16:52:47 imap-login: Info: Aborted login (cert required, client
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:36 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:54:36 auth(default): Info: new auth connection: pid=9188
Mar 16 16:54:37 auth(default): Info: client in: AUTH 1
EXTERNAL service=imap secured valid-client-cert
cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4
lport=993 rport=49113
Mar 16 16:54:37 auth(default): Info: client out: CONT 1
Mar 16 16:54:37 auth(default): Info: client in: CONT<hidden>
Mar 16 16:54:37 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid
base64 data in continued response
Mar 16 16:54:37 auth(default): Info: client out: FAIL 1
reason=Invalid base64 data in continued response
Mar 16 16:54:42 imap-login: Info: Aborted login (cert required, client
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:49 imap-login: Info: Valid certificate:
/O=ksudra.net/OU=Ksudra
CA/emailAddress=certs@ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:54:49 imap-login: Info: Valid certificate:
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
-- kind regards
Stephen Feyrer.
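As an added example (not from the original post, and not Dovecot's own code), here is the client side of the AUTHENTICATE EXTERNAL exchange that the openssl s_client session above attempts: a small state machine that answers the server's "+" continuation with a base64 response, plus a TLS driver that presents a client certificate. The host, port and certificate file names in `authenticate_external` are assumptions.

```python
import base64
import socket
import ssl


class ExternalAuthClient:
    """Feed in server lines, get back the client line to send (or None)."""

    def __init__(self, tag="01", authz_id=""):
        self.tag, self.authz_id = tag, authz_id
        self.state = "greeting"  # greeting -> waiting_cont -> waiting_result -> done | failed

    def next_line(self, server_line):
        line = server_line.rstrip("\r\n")
        if self.state == "greeting":
            if not line.startswith("* OK"):
                raise ValueError("unexpected greeting: %r" % line)
            if "AUTH=EXTERNAL" not in line:
                raise ValueError("server does not advertise AUTH=EXTERNAL")
            self.state = "waiting_cont"
            return "%s AUTHENTICATE EXTERNAL" % self.tag
        if self.state == "waiting_cont":
            if not line.startswith("+"):
                raise ValueError("expected continuation request, got %r" % line)
            self.state = "waiting_result"
            # RFC 4422 EXTERNAL: the client message is the authorization identity,
            # empty when the identity from the TLS client certificate should be used.
            # Even an empty response must be sent as a (zero-length) base64 line;
            # sending the next IMAP command here is what produces "Invalid base64 data".
            return base64.b64encode(self.authz_id.encode("utf-8")).decode("ascii")
        if self.state == "waiting_result":
            if line.startswith(self.tag + " OK"):
                self.state = "done"
            elif line.startswith(self.tag + " NO") or line.startswith(self.tag + " BAD"):
                self.state = "failed"
        return None


def authenticate_external(host, port, cert_file, key_file, ca_file, authz_id=""):
    """Connect over TLS with a client certificate and run the exchange; True on OK.
    All arguments are assumed values; the server certificate is verified against ca_file
    and host must match the server certificate's name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    client = ExternalAuthClient(authz_id=authz_id)
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        f = tls.makefile("rwb")
        while client.state not in ("done", "failed"):
            reply = client.next_line(f.readline().decode("ascii", "replace"))
            if reply is not None:
                f.write((reply + "\r\n").encode("ascii"))
                f.flush()
    return client.state == "done"
```

Driven with the lines from the session above, the client answers the "+" with an empty base64 line where the session typed `01 list "" *`, which is the input Dovecot rejected as invalid base64; with SASL-IR advertised, `01 AUTHENTICATE EXTERNAL =` (an empty initial response) avoids the continuation altogether.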