Why does Dovecot reject the password when authorizing with a certificate?
We have a FreeBSD server with Dovecot installed on it as the IMAP server. My user and password database is a text file with plaintext passwords. Clients connect to the IMAP server over TLS with a plaintext password. All works fine. But I want to configure the ability to authorize with client certificates. I have generated a client certificate and imported it into the email client. I have also configured Dovecot to verify client certificates. But the email client cannot authorize: Password mismatch. Why does Dovecot reject my password in this case? Please help!
My log:

dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>

My configuration:

# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imaps {
    ssl = yes
  }
}
ssl_ca = </etc/ssl/cacert.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_require_crl = no
ssl_verify_client_cert = yes
userdb {
  args = /usr/local/etc/dovecot/users
  driver = passwd-file
}
verbose_ssl = yes
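Editor's note, not part of the thread: the four log lines above belong to one Dovecot session, and reading them together is the quickest way to see what the server actually did. The script below is my own added example, not Dovecot code or anything yuryb or Aki posted; it regroups the posted lines by session id and reports two things a practitioner would want confirmed: that the CN of the leaf certificate (sysadmin) became the login username, and that the EXTERNAL attempt still ended in a passwd-file password check. The regular expressions and field names are my assumptions about these specific line formats.

```python
"""Correlate Dovecot imap-login / auth log lines per session id.

Added example for this thread. SAMPLE_LOG holds the lines yuryb posted, split one
per line; the regexes and record fields are my own, not a Dovecot API.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
"""

# One "Valid certificate" line is logged per certificate in the presented chain
# (here: the CA, then the leaf with CN=sysadmin). Assumed line layouts below.
CERT_RE = re.compile(
    r"imap-login: Valid certificate: (?P<dn>.+?): user=<[^>]*>.*session=<(?P<sid>[^>]+)>")
AUTH_RE = re.compile(
    r"auth: (?P<passdb>[\w-]+)\((?P<user>[^,]*),(?P<rip>[^,]*),<(?P<sid>[^>]+)>\): (?P<result>.+)")
DISC_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+),.*session=<(?P<sid>[^>]+)>")


def parse_dn(dn):
    """'/C=UA/O=Contoso Ltd/CN=sysadmin' -> {'C': 'UA', 'O': 'Contoso Ltd', 'CN': 'sysadmin'}"""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def correlate(log_text):
    """Return {session_id: record} joining cert, passdb and disconnect lines."""
    sessions = defaultdict(lambda: {
        "chain": [], "cn": None,                      # certificates seen, leaf CN
        "passdb": None, "passdb_user": None, "result": None,  # passdb lookup
        "login_user": None, "method": None, "reason": None,   # disconnect line
    })
    for line in log_text.splitlines():
        if m := CERT_RE.search(line):
            s = sessions[m["sid"]]
            attrs = parse_dn(m["dn"])
            s["chain"].append(attrs)
            if "CN" in attrs:          # only the leaf carries the user's CN
                s["cn"] = attrs["CN"]
        elif m := AUTH_RE.search(line):
            s = sessions[m["sid"]]
            s["passdb"], s["passdb_user"], s["result"] = m["passdb"], m["user"], m["result"]
        elif m := DISC_RE.search(line):
            s = sessions[m["sid"]]
            s["login_user"], s["method"], s["reason"] = m["user"], m["method"], m["reason"]
    return dict(sessions)


def findings(session):
    """Tags for the two facts worth checking in a client-cert login attempt."""
    out = []
    # auth_ssl_username_from_cert took effect: cert CN == login username
    if session["cn"] and session["cn"] == session["login_user"]:
        out.append("username_from_cert")
    # SASL EXTERNAL carries no password, yet a password-verifying passdb ran
    if session["method"] == "EXTERNAL" and session["result"] == "Password mismatch":
        out.append("external_rejected_by_passdb")
    return out


if __name__ == "__main__":
    for sid, rec in correlate(SAMPLE_LOG).items():
        print(sid, rec["cn"], rec["method"], rec["passdb"], rec["result"], findings(rec))
```

Reading the correlated record: the mechanism was EXTERNAL, which by definition carries no password, so a passdb that verifies passwords (passwd-file here) has nothing to match against. The next thing to check, outside what this thread shows, is whether the passdb entry used for certificate logins accepts an empty password (Dovecot's `nopassword` extra field) rather than the real one.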
Try adding auth_debug_password=yes
Aki
On 01.02.2018 10:27, yuryb wrote:
I have added "auth_debug_password=yes" to "10-logging.conf" and restarted Dovecot. But I do not see any information about the password in the logs. Does this mean that Thunderbird does not send the password? Although it asks for the password and I enter one. New log:

dovecot: master: Warning: Killed with signal 15 (by pid=19769 uid=0 code=kill)
dovecot: master: Dovecot v2.2.24 (a82c823) starting up for imap, pop3
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<pOTtkSNkxNoKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 99 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<pOTtkSNkxNoKAQE7>
You probably need to also enable
auth_debug=yes
auth_verbose=yes
Also, are you sure you don't just have the wrong password?
Aki
On 01.02.2018 12:08, yuryb wrote:
My configuration already contained these parameters (auth_debug=yes and auth_verbose=yes). I enter the same password in the case of SSL authorization and in the case of authorization by certificate. In the first case the password is accepted; in the second case the password is rejected. I have no idea.
--- Original message --- From: "Aki Tuomi" <aki.tuomi@dovecot.fi> Date: 1 February 2018, 12:09:05
participants (2)
- Aki Tuomi
- yuryb