[Dovecot] dovecot and postfix with tls and dovecot sasl issues for smtp clients
This issue is peripherally related to the following thread
Re: [Dovecot] client certs with godaddy ssl cert
This is running on CentOS 5.2 with latest Atrpms for Dovecot as of this weekend.
# rpm -qa | grep dovecot dovecot-sieve-1.1.5-8.el5 dovecot-1.1.4-0_81.el5
With assistance from Rainer Frey (Inxmail GmbH), I am able to successfully use client ssl certs for imap access on both my Nokia e61i and Thunderbird 2.0.0.17, problem now is dovecot sasl and postfix smtp authentication.
Using the same self created CA that generates and certifies the ssl client certs in Postfix and using Dovecot SASL, I always get client didn't send proper ssl cert when trying to do a tls based smtp connection from either the e61i or tbird.
Cranking up the peer debug level in Postfix, I see the connection is always rejected by Dovecot SASL eg
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15
got 45
Oct 21 16:39:07 myserver postfix/smtpd[18189]: <
mycomp.myserver.net[10.11.12.5]: AUTH PLAIN
********************************************=
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first:
sasl_method PLAIN, init_response **************************************==
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16
flush 64
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply:
auth reply: FAIL?1?reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: warning:
mycomp.myserver.net[10.11.12.5]: SASL PLAIN authentication failed: Client
didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: >
mycomp.myserver.net[10.11.12.5]: 535 5.7.0 Error: authentication failed:
Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: watchdog_pat: 0x868a570
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 15
flush 85
Oct 21 16:39:07 myserver dovecot: auth(default): client in: AUTH 1
PLAIN service=smtp resp=*********************************************==
Oct 21 16:39:07 myserver dovecot: auth(default): PLAIN(?): Client didn't
present valid SSL certificate
Oct 21 16:39:07 myserver dovecot: auth(default): client out: FAIL 1
reason=Client didn't present valid SSL certificate
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 15
got 12
Oct 21 16:39:07 myserver postfix/smtpd[18189]: <
mycomp.myserver.net[10.11.12.5]: AUTH LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_server_first:
sasl_method LOGIN
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_fflush_some: fd 16
flush 26
Oct 21 16:39:07 myserver postfix/smtpd[18189]: vstream_buf_get_ready: fd 16
got 58
Oct 21 16:39:07 myserver postfix/smtpd[18189]: xsasl_dovecot_handle_reply:
auth reply: FAIL?2?reason=Client didn't present valid SSL certificate
Not sure where to look now, I've configured dovecot and postfix as per their respective wiki's
Here are the relevant config entries
/etc/postfix/main.cf
### Oct 11/08 - added to allow dovecot sasl for smtp auth smtpd_sasl_type = dovecot # Can be an absolute path, or relative to $queue_directory smtpd_sasl_path = private/auth # and the common settings to enable SASL: smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_security_options = noanonymous
### Oct 11/08 - added to allow tls smtp authentication with client certs smtpd_tls_auth_only = yes smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom myhostname = server.myserver.net
### these are the self signed CA based authentication keys, this CA created ### the client certs for the nokia e61i and the Thunderbird 2.0.0.17 smtpd_tls_key_file = /etc/postfix/ssl/server.myserver.net.key smtpd_tls_cert_file = /etc/postfix/ssl/server.myserver.net.crt ### this is the ca cert and crl combined smtpd_tls_CAfile = /etc/postfix/ssl/ca1.crt
dovecot -n
# 1.1.4: /etc/dovecot.conf protocols: imaps pop3s ssl_listen(default): *:993 ssl_listen(imap): *:993 ssl_listen(pop3): *:995 ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert ssl_key_file: /etc/pki/tls/private/server.myserver.net.key ssl_verify_client_cert: yes ssl_require_client_cert = yes verbose_ssl: yes login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes mail_debug: yes mail_executable(default): /usr/libexec/dovecot/imap mail_executable(imap): /usr/libexec/dovecot/imap mail_executable(pop3): /usr/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/imap mail_plugin_dir(imap): /usr/lib/dovecot/imap mail_plugin_dir(pop3): /usr/lib/dovecot/pop3 auth default: mechanisms: plain login debug: yes debug_passwords: yes ssl_require_client_cert: yes passdb: driver: pam userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix
Interestingly enough the mode line in the dovecot.conf file is set as 0660, not 432 as noted above?!?!?
What else should I be looking at to troubleshoot this issue?
Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
Harondel J. Sibble wrote:
dovecot -n
# 1.1.4: /etc/dovecot.conf protocols: imaps pop3s ssl_listen(default): *:993 ssl_listen(imap): *:993 ssl_listen(pop3): *:995 ssl_ca_file: /etc/openvpn/easy-rsa/keys/combined-ca-and-crl.crt ssl_cert_file: /etc/pki/dovecot/certs/dovecot-chained.cert ssl_key_file: /etc/pki/tls/private/server.myserver.net.key ssl_verify_client_cert: yes ssl_require_client_cert = yes verbose_ssl: yes login_dir: /var/run/dovecot/login login_executable(default): /usr/libexec/dovecot/imap-login login_executable(imap): /usr/libexec/dovecot/imap-login login_executable(pop3): /usr/libexec/dovecot/pop3-login mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=~/mail/.imap/indexes mail_debug: yes mail_executable(default): /usr/libexec/dovecot/imap mail_executable(imap): /usr/libexec/dovecot/imap mail_executable(pop3): /usr/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/imap mail_plugin_dir(imap): /usr/lib/dovecot/imap mail_plugin_dir(pop3): /usr/lib/dovecot/pop3 auth default: mechanisms: plain login debug: yes debug_passwords: yes ssl_require_client_cert: yes passdb: driver: pam userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix
Interestingly enough the mode line in the dovecot.conf file is set as 0660, not 432 as noted above?!?!?
0660 (octal) = 432 (decimal), so the setting is OK.
-- Esperto é o homem que acredita em apenas metade do que lhe dizem. Genial é o homem que sabe em que metade acreditar.
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb
On Tue, 2008-10-21 at 17:18 -0700, Harondel J. Sibble wrote:
Using the same self created CA that generates and certifies the ssl client certs in Postfix and using Dovecot SASL, I always get client didn't send proper ssl cert when trying to do a tls based smtp connection from either the e61i or tbird.
I don't think Postfix ever sends the "valid-cert" parameter that's required for Dovecot to treat the authentication as valid.
On 22 Oct 2008 at 20:37, Timo Sirainen wrote:
I don't think Postfix ever sends the "valid-cert" parameter that's required for Dovecot to treat the authentication as valid.
Bummer, any suggested workarounds or should I be looking at a different MTA that is known to work with Dovecot's SASL implementation.
Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
On Wed, 2008-10-22 at 10:57 -0700, Harondel J. Sibble wrote:
On 22 Oct 2008 at 20:37, Timo Sirainen wrote:
I don't think Postfix ever sends the "valid-cert" parameter that's required for Dovecot to treat the authentication as valid.
Bummer, any suggested workarounds or should I be looking at a different MTA that is known to work with Dovecot's SASL implementation.
A quick look shows that Exim apparently sends the valid-client-cert parameter. Maybe it wouldn't be too difficult to modify Postfix's sources either.
On 22 Oct 2008 at 21:01, Timo Sirainen wrote:
A quick look shows that Exim apparently sends the valid-client-cert parameter. Maybe it wouldn't be too difficult to modify Postfix's sources either.
I see there's been some discussion about this a few years ago
http://www.dovecot.org/list/dovecot/2008-August/032732.html http://www.nabble.com/sasl-parameters-missing-td18820817.html
I guess I'll have to look at Exim in the interim.
Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
On 10/22/2008 2:54 PM, Harondel J. Sibble wrote:
On 22 Oct 2008 at 21:01, Timo Sirainen wrote:
A quick look shows that Exim apparently sends the valid-client-cert parameter. Maybe it wouldn't be too difficult to modify Postfix's sources either.
I see there's been some discussion about this a few years ago
http://www.dovecot.org/list/dovecot/2008-August/032732.html http://www.nabble.com/sasl-parameters-missing-td18820817.html
I guess you meant a few MONTHS ago - those were from August 2008...
Wietse said:
"Postfix passes the information in the SMTP client's AUTH command. This is how I got the Dovecot extension from Timo. If someone is willing to monitor his docs for changes, then they are welcome to do so. I won't."
So... did he get all of the correct info on the extension from Timo? Only Timo can say...
--
Best regards,
Charles
On Oct 22, 2008, at 10:19 PM, Charles Marcus wrote:
Wietse said:
"Postfix passes the information in the SMTP client's AUTH command. This is how I got the Dovecot extension from Timo. If someone is willing to monitor his docs for changes, then they are welcome to do so. I won't."
So... did he get all of the correct info on the extension from Timo? Only Timo can say...
I wrote the initial implementation and it didn't support all the
features. Wietse changed the code a bit and added it to Postfix. I
think since then there have been a few small changes by some people,
but I don't know why features like sending local/remote IP still
aren't supported. People have requested those before and I also
remember seeing patches. Maybe it's just that no-one (including me..)
has cared enough to try to really get those features included.
participants (4)
-
Charles Marcus
-
Eduardo M KALINOWSKI
-
Harondel J. Sibble
-
Timo Sirainen