On 2012/12/02 22:18, Daniel Parthey wrote:
> Roger Hunen wrote:
> > I am seeking your help with SSL/TLS client authentication. Unfortunately the authentication fails :(
> http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
> "You may also want to disable the password checking completely. Doing this currently circumvents Dovecot's security model so it's not recommended to use it, but it is possible by making the passdb allow logins using any password (typically requiring "nopassword" extra field to be returned)."
This sounded like a bad idea at first as it would allow webmail users to logon without entering a password. However, your suggestion made me think (and go!) in a direction that I would not have gone on my own.
Thank you for that!
First things first: the solution/workaround :)
Create two passwd-style files:
- mailusers.143 with password and without 'nopassword' extra field
- mailusers.993 without password but with 'nopassword' extra field
Configure a passdb (driver=passwd-file) that selects the password database file using the %a variable (local port): mailusers.%a
My Dovecot setup now
- does not require a valid password for connections to the imaps port (993); the username is taken from the certificate that is issued by a trusted CA.
- does require a password for connections to the imap port (143).
Currently the system supports very few users, so working with two passwd files is not a problem. For the future I plan to use a mysql database with two different queries on the same table based on the local port number.
For those who are interested: read on for some more findings...
As far as I can tell (from docs and source) Dovecot supports only username/password based authentication schemes. There is no such thing as certificate based authentication (unless I have overlooked something or it is undocumented).
Even if 'auth_ssl_username_from_cert=yes', Dovecot will only take the username from the certificate if the client sends username and password to logon.
When configured to use "TLS Certificate" authentication Thunderbird will not send a username/password to logon. Thunderbird considers the authentication done once the SSL handshake has completed. Given the above this is a recipe for failure.
With 'auth_ssl_username_from_cert=yes' Dovecot will ignore the given username and use the designated field in the certificate instead (usually commonName). Together with the 'nopassword' extra field a certificate based authentication scheme can be implemented. The client must be configured to use username and password (which will be completely ignored by Dovecot as intended in such a setup).
Dovecot will log an error if a passwd file record has a non-empty password and the 'nopassword' extra field is present. Either can be present but not both.
Dovecot will log an error "input is missing end-of-settings line" if the configuration contains a setting with a name that is not valid in the given context. Something like "Invalid setting 'x' at line y" would be more helpful to pinpoint the problem.
Dovecot documentation is sparse in many respects which makes it difficult to use Dovecot to its full potential. I realize though that resources are at a premium and that writing documentation is not everybody's cup of tea. From a documentation point of view Exim4 is an excellent example.
Regards, -Roger
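As an added illustration of the two-file layout described above (not Roger's own files or configuration), the following shell sketch writes a port-143 and a port-993 passwd-file, mirrors the %a (local port) selection, prints the matching passdb stanza, and lints a file for the password-plus-nopassword combination that the post says Dovecot rejects. It assumes the passwd-file record format user:{SCHEME}password:uid:gid:gecos:home:shell:extra_fields, a temporary directory in place of /etc/dovecot, a constructed placeholder hash, and an assumed CA path.

```shell
#!/bin/sh
# Port-dependent passdb files for Dovecot (post's scheme). Assumed record format:
#   user:{SCHEME}password:uid:gid:gecos:home:shell:extra_fields  (e.g. nopassword=y)
CONFDIR="${CONFDIR:-$(mktemp -d)}"   # stands in for /etc/dovecot

# 143 file: password hash, no nopassword; 993 file: empty password + nopassword=y.
write_passdb_files() {
    # Constructed placeholder hash, not a real credential.
    cat > "$CONFDIR/mailusers.143" <<'EOF'
alice:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH::::::
bob:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH::::::
EOF
    cat > "$CONFDIR/mailusers.993" <<'EOF'
alice:::::::nopassword=y
bob:::::::nopassword=y
EOF
}

# Mirror Dovecot's %a (local port) substitution: which file serves a port.
passdb_file_for_port() {
    printf '%s/mailusers.%s\n' "$CONFDIR" "$1"
}

# passdb stanza selecting the file by port, plus the client-cert settings.
print_dovecot_conf() {
    cat <<EOF
ssl_verify_client_cert = yes
# assumed CA path
ssl_ca = </etc/ssl/certs/ca.pem
ssl_cert_username_field = commonName
auth_ssl_username_from_cert = yes
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT $CONFDIR/mailusers.%a
}
EOF
}

# Flag records that have BOTH a non-empty password and a nopassword field,
# the combination the post says Dovecot logs an error for. 0 = clean, 1 = bad.
check_passdb_file() {
    awk -F: '
        $2 != "" && $8 ~ /(^| )nopassword(=|$| )/ {
            printf "bad record: %s has both password and nopassword\n", $1
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run write_passdb_files, then check_passdb_file on each generated file before pointing the passdb at the directory; a non-zero exit names the offending user.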