Hello,

it seems there there is an issue regarding "TLS-Certtificate" authentication in Thunderbird and Dovecot. Obviously client certificate is recognized by Dovecot:

Apr 25 14:29:01 dovecot dovecot: imap-login: Valid certificate: /emailAddress=christian.felsing@example.net/CN=Christian Felsing (Test)/OU=CF Certificates/O=example.net/C=DE

AFAIK Dovecot always requires IMAP login, even in "static" passdb config. Static means arbitrary password is ok, but not "no login"

I hope, I am wrong, following log entry gave a hint, what Thunderbird does or more precisely - not do:

Apr 25 14:29:01 dovecot dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=192.168.1.99, lip=192.168.42.1, TLS, session=<3+1THN33NQBtWq5D>

Dovecot wants an IMAP login, but Thunderbird does not so. I am not sure if that is a bug (or feature) of Dovecot or Thunderbird. Thunderbird does several strange things on client certificates:

1st) If Dovecot is configured to request a client certificate and Thunderbird is configured to use plain text auth, Thunderbird offers a client certificate and login succeeds as configured in Dovecot. Unfortunately Thunderbird uses same certificate for all configured accounts to that host. Very bad if Dovecot reads username from certificate attributes.

2nd) If Dovecot is configured to request a client certificate and Thunderbird is configured to use TLS-Certificate, Thunderbird also offers a client certificate, but Dovecot requests login from Thunderbird. That fails, because Thunderbird assumes TLS-Certificate is enough for successful log.

If it is true that Dovecot is not compatible to Thunderbirds way of TLS-Certificate Authentication, I consider to set up a proxy, which supports that way. May be Nginx would be a solution, it supports IMAP and LUA module plus some LUA code will fake the authentication. This is an ugly hack so I would like to avoid that, if anybody has a better solution. Thunderbird is a very widespread IMAP client so it should not be ignored.

best regards Christian

---Dovecot config---

# /opt/dovecot/bin/doveconf -n

# 2.2.12: /opt/dovecot/etc/dovecot-cert/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.4 auth_debug = yes auth_debug_passwords = yes auth_master_user_separator = * auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#" auth_username_translation = "@#" base_dir = /var/run/dovecot-cert first_valid_uid = 124 last_valid_uid = 124 listen = 192.168.42.1 log_timestamp = %Y-%m-%d %H:%M:%S login_greeting = example.net imap4/pop3 (cert only) ready. mail_gid = 124 mail_location = maildir:~/Maildir mail_privileged_group = vmail mail_uid = 124 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify namespace { list = children location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes list = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / type = private } passdb { args = password=test driver = static } plugin { acl = vfile:/etc/dovecot/global-acls:cache_secs=300 acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes autocreate = Trash autocreate2 = Drafts autosubscribe = Trash autosubscribe2 = Drafts quota = maildir:User quota quota_rule = *:storage=500M quota_rule2 = Trash:storage=+100M quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u recipient_delimiter = + sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_extensions = +notify +imapflags } protocols = imap pop3 lmtp sieve service anvil { client_limit = 4000 } service auth-worker { group = vmail } service auth { client_limit = 8000 unix_listener auth-master { group = vmail mode = 0660 user = vmail } unix_listener auth-userdb { group = vmail mode = 0660 user = dovecot } user = root } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } process_limit = 1024 } service imap-postlogin { executable = script-login /opt/cfbin/lastlogin.sh } service imap { executable = imap imap-postlogin } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service pop3-login { inet_listener pop3 { port = 110 } inet_listener pop3s { port = 995 ssl = yes } process_limit = 1024 } service pop3-postlogin { executable = script-login /opt/cfbin/lastlogin.sh } service pop3 { executable = pop3 pop3-postlogin } service quota-warning { executable = script /opt/cfbin/quota-warning.sh user = vmail } ssl_ca =