Dear dovecot experts:

We are using client certificates to authenthicate against a Dovecot server. Our certificates contain a x500UniqueIdentifier. I'm absolutely sure that the value of the x500UniqueIdentifier was stored into the AUTH_USER when I tested my setup last year.

This has somehow changed and now AUTH_USER always contains the username. This has fatal consequences as now every owner of a valid certificate can logon as any user.

Here are some more details of our setup:

We are using a checkpassword-Script that does the following:

1. Read Username and Password from file descriptor 3
2. If (AUTH_CERT=="valid") and (AUTH_USER==Username) then user is authenticated 3 If (AUTH_CERT=="valid") and (AUTH_USER<>Username) then authentication is rejected (User a tries to logon as User B) 4 If (AUTH_CERT<>"valid) we calculate the current OATH value for Usernames TOTP-token and compare that with the provided password.

The last step is the reason why we are using a checkpassword script. Our smartphone users cannot use a smartcard but enter a password that was created by an OTP generator, so programming my own checkpassword script was my only option.

AUTH_USER contains the username even if the x500UniqueIdentifier from the users certificate does not, so step 2 happens when step 3 should happen.

I did the initial testing with Dovecot 2.2.6. At that time we were using both port 143 and 993. We now use Dovecot 2.2.7 and port 993 only. This should not make a difference but I will recompile 2.2.6 right after sending this posting.

Kind regards and thank you very much for this wonderful IMAP server

Peter Koch

current dovecot.conf:

# Dovecot configuration file

default_process_limit = 2048 protocols = imap listen = * base_dir = /var/dovecot/

mail_location = maildir:/mail/%u:LAYOUT=fs

ssl_cert = </etc/ssl/certs/imap.crt ssl_key = </etc/ssl/private/imap.key ssl_ca = </etc/ssl/certs/imap-ca.crt ssl_verify_client_cert = yes ssl_cert_username_field = x500UniqueIdentifier

service imap-login { inet_listener imap { port = 0 } } service auth { client_limit = 4096 } service anvil { client_limit = 5000 } passdb { driver = checkpassword args = /usr/dovecot/bin/checkpassword } userdb { driver = passwd override_fields = home=/mail/%u } protocol imap { mail_max_userip_connections = 1000 }