[Dovecot] IMAPS: Disable SSL connection without client certificate
I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
However, with my config anybody can connect to my server without presenting a certificate:
openssl s_client -connect server:993 (...)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
Luckily, after connecting without a certificate, logging in fails:
a001 login iszczesniak password
a001 NO [ALERT] Client didn't present valid SSL certificate
*QUESTION: Is there a way in Dovecot to disable establishing an SSL connection without a client certificate?*
My complete config is:
# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
auth_ssl_require_client_cert = yes
mail_location = maildir:~/archive/mail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = bsdauth
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_ca = </etc/ssl/certs/cacertcrl.pem
ssl_cert = </etc/ssl/cert.pem
ssl_key = </etc/ssl/private/key.pem
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
> However, with my config anybody can connect to my server without presenting a certificate
Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
Well, this is for Dovecot 1.x, but have you tried it?
Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate, you'll need these settings:
ssl_ca_file = /etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth default {
  ssl_require_client_cert = yes
  ..
}

Thanks for your email. Yes, I looked at that website before. I'm using these options with Dovecot 2.1.8, among others:
auth_ssl_require_client_cert = yes
ssl_verify_client_cert = yes
ssl_ca = </etc/ssl/certs/cacertcrl.pem

On 28.06.2013 23:34, Reindl Harald wrote:
> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>> However, with my config anybody can connect to my server without presenting a certificate
> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
> Well, this is for Dovecot 1.x, but have you tried it?
> Client certificate verification/authentication
> If you want to require clients to present a valid SSL certificate, you'll need these settings:
> ssl_ca_file = /etc/ssl/ca.pem
> ssl_verify_client_cert = yes
> auth default {
>   ssl_require_client_cert = yes
>   ..
> }
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

Please do not top-post in an inline thread...

On 2013-06-29 2:38 AM, Ireneusz Szcześniak <irek.szczesniak@gmail.com> wrote:
> On 28.06.2013 23:34, Reindl Harald wrote:
>> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>>> However, with my config anybody can connect to my server without presenting a certificate
>> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
>> Well, this is for Dovecot 1.x, but have you tried it?
>> Client certificate verification/authentication
>> If you want to require clients to present a valid SSL certificate, you'll need these settings:
>> ssl_ca_file = /etc/ssl/ca.pem
>> ssl_verify_client_cert = yes
>> auth default {
>>   ssl_require_client_cert = yes
>>   ..
>> }
> Thanks for your email. Yes, I looked at that website before. I'm using these options with Dovecot 2.1.8, among others:
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca = </etc/ssl/certs/cacertcrl.pem
I'm not sure why Reindl pointed you to the 1.x docs when you are using 2.x...
The setting has apparently changed in 2.x (note the addition of 'auth_' to the 'require' setting):
From the wiki2 page:
"Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate, you'll need these settings:
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes"
Linked: http://wiki2.dovecot.org/SSL/DovecotConfiguration
--
Best regards,
Charles

On 29.06.2013 15:54, Charles Marcus wrote:
>>> Well, this is for Dovecot 1.x, but have you tried it?
>>> Client certificate verification/authentication
>>> If you want to require clients to present a valid SSL certificate, you'll need these settings:
>>> ssl_ca_file = /etc/ssl/ca.pem
>>> ssl_verify_client_cert = yes
>>> auth default {
>>>   ssl_require_client_cert = yes
>>>   ..
>>> }
>> Thanks for your email. Yes, I looked at that website before. I'm using these options with Dovecot 2.1.8, among others:
>> auth_ssl_require_client_cert = yes
>> ssl_verify_client_cert = yes
>> ssl_ca = </etc/ssl/certs/cacertcrl.pem
> I'm not sure why Reindl pointed you to the 1.x docs when you are using 2.x...
Because it is a good starting point and I do not need the feature, and in this case it should be enough that I start to google for others at all.
However, if you had followed this thread you would have realized that the OP demanded technically impossible things like "uhm openssl should reject the connection without cert before running any dovecot code".

Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.

On 28.06.2013 23:34, Reindl Harald wrote:
> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>> However, with my config anybody can connect to my server without presenting a certificate
> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
> Well, this is for Dovecot 1.x, but have you tried it?
> Client certificate verification/authentication
> If you want to require clients to present a valid SSL certificate, you'll need these settings:
> ssl_ca_file = /etc/ssl/ca.pem
> ssl_verify_client_cert = yes
> auth default {
>   ssl_require_client_cert = yes
>   ..
> }
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

On 29.06.2013 21:54, Ireneusz Szcześniak wrote:
> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.
What the hell - you can reject them after they don't present a cert, but how do you imagine technically smelling this fact before they connect?
> On 28.06.2013 23:34, Reindl Harald wrote:
>> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>>> However, with my config anybody can connect to my server without presenting a certificate
>> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
>> Well, this is for Dovecot 1.x, but have you tried it?
>> Client certificate verification/authentication
>> If you want to require clients to present a valid SSL certificate, you'll need these settings

With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot. This is safer, because the client is dropped by the well-tested OpenSSL.

On 29.06.2013 22:03, Reindl Harald wrote:
> On 29.06.2013 21:54, Ireneusz Szcześniak wrote:
>> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.
> What the hell - you can reject them after they don't present a cert, but how do you imagine technically smelling this fact before they connect?
>> On 28.06.2013 23:34, Reindl Harald wrote:
>>> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>>>> However, with my config anybody can connect to my server without presenting a certificate
>>> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
>>> Well, this is for Dovecot 1.x, but have you tried it?
>>> Client certificate verification/authentication
>>> If you want to require clients to present a valid SSL certificate, you'll need these settings
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

Why are you refusing to understand that this is technical *nonsense*?
How do you imagine that "and so the client doesn't get to talk with Dovecot" works by respecting the Dovecot configuration? Damned, inform yourself about network basics and do not demand impossible things like "the daemon listens on a port but the client must not talk to the daemon, by magic, without first authenticating against magic".

On 29.06.2013 22:39, Ireneusz Szcześniak wrote:
> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot. This is safer, because the client is dropped by the well-tested OpenSSL.
> On 29.06.2013 22:03, Reindl Harald wrote:
>> On 29.06.2013 21:54, Ireneusz Szcześniak wrote:
>>> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.
>> What the hell - you can reject them after they don't present a cert, but how do you imagine technically smelling this fact before they connect?
>>> On 28.06.2013 23:34, Reindl Harald wrote:
>>>> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>>>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>>>>> I configured Dovecot to allow clients that present a valid certificate when establishing an SSL connection. I configured my Thunderbird for an SSL/TLS connection with a normal password. It works fine.
>>>>> However, with my config anybody can connect to my server without presenting a certificate
>>>> Googling "dovecot ssl client certificate" leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
>>>> Well, this is for Dovecot 1.x, but have you tried it?
>>>> Client certificate verification/authentication
>>>> If you want to require clients to present a valid SSL certificate, you'll need these settings

On 29.6.2013, at 23.39, Ireneusz Szcześniak <irek.szczesniak@gmail.com> wrote:
> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot.
OpenSSL can't really drop the connection. Dovecot could do it earlier, but that would complicate the code. I'm not planning on adding such extra code, since the current way works as well.
> This is safer, because the client is dropped by the well-tested OpenSSL.
One of the main reasons for Dovecot's pre-login and post-login privilege separation was so that OpenSSL could be separated into Dovecot's untrusted pre-login sandboxed process :) OpenSSL is a highly complex piece of software compared to what Dovecot has to do.
The one thing I have been considering is that Dovecot's pre-login process would present the client's SSL certificate to Dovecot's auth process, which would independently verify that it's correct. That could be useful I think, although it would also present an additional attack layer to the auth process in case there are OpenSSL vulnerabilities (and auth process may run with more privileges than login process).

Thank you, Timo, for your detailed and authoritative response.
Now I know that my config is fine, and that I didn't miss some option.
Thanks again!

On 29.06.2013 23:25, Timo Sirainen wrote:
> On 29.6.2013, at 23.39, Ireneusz Szcześniak <irek.szczesniak@gmail.com> wrote:
>> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
>> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot.
> OpenSSL can't really drop the connection. Dovecot could do it earlier, but that would complicate the code. I'm not planning on adding such extra code, since the current way works as well.
>> This is safer, because the client is dropped by the well-tested OpenSSL.
> One of the main reasons for Dovecot's pre-login and post-login privilege separation was so that OpenSSL could be separated into Dovecot's untrusted pre-login sandboxed process :) OpenSSL is a highly complex piece of software compared to what Dovecot has to do.
> The one thing I have been considering is that Dovecot's pre-login process would present the client's SSL certificate to Dovecot's auth process, which would independently verify that it's correct. That could be useful I think, although it would also present an additional attack layer to the auth process in case there are OpenSSL vulnerabilities (and auth process may run with more privileges than login process).
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

On 2013-06-29 22:39, Ireneusz Szcześniak wrote:
> With my config, Dovecot disallows logging in when the SSL connection was established by a client without a certificate. In this case the client gets to talk to Dovecot. The client could exploit potential Dovecot vulnerabilities.
Fair.
> Instead, I want the SSL connection to be dropped by OpenSSL when the client doesn't authenticate with a certificate, and so the client doesn't get to talk with Dovecot. This is safer, because the client is dropped by the well-tested OpenSSL.
So far only a dream.
--
Senders that put my email into body content will deliver it to my own trashcan, so if you'd like to get a reply, don't do it.

On 2013-06-29 21:54, Ireneusz Szcześniak wrote:
> Reindl, thanks again for your email, but now I realize that perhaps you misunderstood my problem. I have got SSL working with the config presented in my first post. The problem is that I'm surprised that Dovecot lets clients establish an SSL connection even when the client doesn't present a certificate. I don't want clients without a valid certificate to even establish an SSL connection.
It's a chicken-and-egg problem to resolve: you can't drop the eggs if the chicken doesn't create them. That might be why Dovecot has no solution to this problem.
--
Senders that put my email into body content will deliver it to my own trashcan, so if you'd like to get a reply, don't do it.

Participants (5): Benny Pedersen, Charles Marcus, Ireneusz Szcześniak, Reindl Harald, Timo Sirainen