[Dovecot] Question about auth multiple configuration
Hello,
My mail system is built with postfix, dovecot and roundcube. At first, users could view and "manage" their mail only on the webmail. So this one (the webmail) uses IMAP (no TLS/SSL at all) authentication to give users access to their maildir. This connection is made on the 'loopback' interface and uses the PLAIN method. This works fine (configuration below, without the ssl parameters).
Now I want to read and send my mail with a MUA (Thunderbird). As my system is hosted at an Internet provider, I want to add more security "solutions". I use smtps with postfix and SASL auth through the dovecot socket mechanism to send mail. I use imaps with dovecot for managing my maildir.
I have added the ssl parameters to the configuration file (see below) and I require a certificate from the client (to avoid man-in-the-middle attacks and to give access only to clients with a user certificate). For this, "ssl_require_client_cert" is set to yes. OK, now imaps works perfectly. But since a certificate is required, webmail authentication (localhost) and SASL (postfix auth through the dovecot socket mechanism) don't work.
Webmail => dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Postfix => postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so wouldn't auth be possible without a certificate?
Can't we make two auth policies: a secure one (client cert required) for public IPs/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (127.0.0.1) for roundcube? I see the section "auth default { ... }", which is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?
Thank you.
And here is my configuration:
operating system => FreeBSD 7.1
dovecot --version => 1.2.8
dovecot -n =>
# 1.2.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE i386 ufs
protocols: imap
listen: 127.0.0.1
ssl_listen: X.Y.Z.T
ssl: yes
ssl_ca_file: /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file: /usr/local/etc/dovecot/imaps.pem
ssl_key_file: /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/jails/mails/%d/%n
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
lda:
  postmaster_address: postmaster@SOMETHING
  hostname: SOMETHING_ELSE
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  userdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: wheel
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
Best regards,
Fabrice MATHIEU simpsons_bart_cs@hotmail.com (Wed 28 Apr 2010 19:12:31 CEST):
> Hello,
> My mail system is built with postfix, dovecot and roundcube. At first, users could view and "manage" their mail only on the webmail. So this one (the webmail) uses IMAP (no TLS/SSL at all) authentication to give users access to their maildir. This connection is made on the 'loopback' interface and uses the PLAIN method. This works fine (configuration below, without the ssl parameters).
> (…)
> That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so wouldn't auth be possible without a certificate?
> Can't we make two auth policies: a secure one (client cert required) for public IPs/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (127.0.0.1) for roundcube? I see the section "auth default { ... }", which is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"? (…)
If I understood well, you're looking for a config option like login_trusted_networks (available in 1.2.11; I don't know since when).
Best regards from Dresden/Germany
Heiko Schlittermann
Date: Wed, 28 Apr 2010 21:34:03 +0200 From: hs@schlittermann.de To: dovecot@dovecot.org Subject: Re: [Dovecot] Question about auth multiple configuration
First, thank you for your answer.
I suppose this option is available in version 1.2.8, as I have it (commented) in the default configuration file.
### begin COTE
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
### end COTE
I guess that IPs listed here can "bypass" some checks. ssl_require_client_cert too?
I will try it.
More information, if it can help!
Here is an example of my configuration:
[ASCII diagram, garbled in the archive. It showed: a workstation with a MUA (Thunderbird) behind "ISP1 - modem", connecting over smtp/port 2025 to "smtpds - postfix" (which reaches "dovecot auth" through a UNIX socket) and over imaps/port 993 to "dovecot imaps (public IP)"; and a workstation with a browser (Firefox) behind "ISP2 - modem", connecting over https/port 443 to "httpd - roundcube", which talks to "dovecot imap (127.0.0.1)". Both IMAP paths end in an internal dovecot auth connection ("internal cnx ?"); a "smtpd normal" also sits on the mail server.]
IPs is the server public IP
IPm is the public IP of the workstation (visible to public stations) which has the MUA
IPb is the public IP of the workstation (visible to public stations) which has the Internet browser
IPlb is the loopback IP (127.0.0.1)
There are three cases:
A) User sends/manages his mail via the webmail
B) User manages his mail via a MUA over imaps
C) User sends mail via a MUA over smtps
A) - User gets access to the webmail site (no need to describe it here)
- Username/password entered in the login page are used by the webmail program, which tries to login/auth on the imap service via IPlb (port
This connection must be "clear" => no ssl handshake needed
If "ssl_require_client_cert" is set to "yes" => dovecot says that a client certificate is needed and login fails (see description in the first message)
Granting access depends on the imap service response
B) - User uses his MUA to check the mailbox
The software connects to the imaps service (IPs port 993). Before anything else it starts with an ssl handshake. The imaps service requires a client certificate issued by a specified Certificate Authority (which is known by dovecot).
If the client cert is not valid, the session should end! That's why "ssl_require_client_cert" is set to "yes".
If it is valid, then the client (MUA) runs the login process and gets access.
C) - User uses his MUA, too, to send an email.
The software tries to connect to the smtpds service (IPs port 2025), which is configured to require a TLS session to get smtp relay access.
The MUA asks to begin TLS (starttls).
The handshake is made and the MUA sends its client certificate (the same as for imaps).
Now, sasl authentication is needed. So the MUA sends the user/pass known by dovecot.
Postfix uses the dovecot auth unix socket to submit the client credentials.
If "ssl_require_client_cert" is set to "yes" => login fails and says that the client cert is not valid (see description in the first message)
If "ssl_require_client_cert" is set to "no" => login succeeds and the client can send mails
Depending on the value of "ssl_require_client_cert":
Set to "no" => I can access the webmail and send mail via smtps, but I don't get the imaps access I want (more precisely it works, but without a client cert being needed, which is less secure)
Set to "yes" => I cannot access webmail/smtps, but I can use imaps with strong authentication (client cert required)
Another point: as the postfix sasl mechanism uses a unix socket to check user/pass, why is a client certificate needed? I suppose it doesn't work like an IP connection...
The question is:
With the dovecot configuration (multiple auth YYY { ... } blocks?) or anything else, can I force SSL/client certificate for imaps connections and "clear" (no SSL) connections for local imap/unix socket?
Thank you.
Best regards,
Hello,
The diagram seems not to have come through correctly.
So this represents the chains:
A) webmail: browser => https (IPpub:443) and roundcube => imap (127.0.0.1:143) => dovecot auth mechanism (internal?)
B) MUA and imaps: MUA => imaps service (IPpub:993) => dovecot auth mechanism (internal?)
C) MUA and smtps: MUA => smtpds (IPpub:2025) with SASL => dovecot auth mechanism (unix socket)
If "ssl_require_client_cert" is set to "yes", connection to dovecot auth fails for A) and B) but works for C). If not, A) and B) succeed but C) fails (the client cert is not required in this case; I want it to be required).
Best regards,
Hello,
I have tested "login_trusted_networks = 127.0.0.1". But it still refuses to authenticate without a client certificate.
dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Thank you.
Best regards,
On Wed, 2010-04-28 at 19:12 +0200, Fabrice MATHIEU wrote:
> That's normal. But the 127.0.0.1 client (network) is considered secure by dovecot, so wouldn't auth be possible without a certificate?
It's considered secure against man-in-the-middle attacks, but requiring an SSL cert is more about authentication. I know in some setups people don't use passwords at all, only the SSL cert. So if I did this change, in such setups localhost could log in as any user, which is clearly pretty bad.
> Can't we make two auth policies: a secure one (client cert required) for public IPs/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (127.0.0.1) for roundcube?
Only way I can think of is to run two Dovecots, one listening for localhost and another listening for the external IP, both using different config files.
> I see the section "auth default { ... }", which is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?
auth sections won't help. v2.0 makes this almost possible, it just doesn't yet have per-IP settings support for auth settings.
Hello,
Thank you for your answer. I will wait for v2.0.
I will try to make two dovecot configurations, but can this cause problems with concurrent access (processes) to the maildir? Thank you.
Best regards,
On Thu, 2010-04-29 at 19:31 +0200, Fabrice MATHIEU wrote:
> I will try to make two dovecot configurations, but can this cause problems with concurrent access (processes) to the maildir?
No problems with concurrent access. The processes are already independently accessing maildir. But see http://wiki.dovecot.org/RunningDovecot#Running_Multiple_Invocations_of_Dovec...
Hello,
Okay, now everything works as we wish.
Two dovecot instances are running: one for imaps with client cert required, and one for local imap only (webmail and the client socket for sasl).
I have just made two new directories for base_dir and login_dir (/var/run/dovecot_secure/ && /var/run/dovecot_secure/login). Owner and mode are the same as for the default dovecot directory (/var/run/dovecot).
Then just copy the default dovecot.conf to dovecot_secure.conf (for example). Settings are shown below.
Now, as the link below says, start the second instance with the -c flag. On FreeBSD (from 6.3 and 7) the rc.d/dovecot start script includes the ability to start multiple instances. Just add "dovecot_config" in your rc.conf, like this:
dovecot_enable="YES"
dovecot_config="/path/to/etc/dovecot.conf /path/to/etc/dovecot_secure.conf"
And enjoy ^^
Thank you for your help.
Best regards,
On Thu, 2010-04-29 at 19:31 +0200, Fabrice MATHIEU wrote:
> I will try to make two dovecot configurations, but can this cause problems with concurrent access (processes) to the maildir?
> No problems with concurrent access. The processes are already independently accessing maildir. But see http://wiki.dovecot.org/RunningDovecot#Running_Multiple_Invocations_of_Dovec...
### Dovecot.conf ###
protocols = imap
listen = 127.0.0.1
disable_plaintext_auth = yes
ssl = no
mail_location = maildir:/X/Y/%d/%n
mail_privileged_group = mail
dotlock_use_excl = yes
verbose_proctitle = yes
first_valid_uid = 1000
first_valid_gid = 1000
maildir_copy_with_hardlinks = yes
protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol managesieve {
}
protocol lda {
  postmaster_address = postmaster@ola
  hostname = fqdn_host
  sendmail_path = /usr/sbin/sendmail
}
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = username_format=%n /X/Y/Z/%d/usr_pas
  }
  userdb passwd-file {
    args = username_format=%n /X/Y/Z/%d/usr_pas
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = wheel
    }
  }
}
### Dovecot_secure.conf ###
base_dir = /var/run/dovecot_secure/
protocols = imaps
disable_plaintext_auth = yes
ssl_listen = x.y.z.w
ssl = required
ssl_cert_file = /usr/local/etc/dovecot/dovecot.pem
ssl_key_file = /usr/local/etc/dovecot/dovecot.pem
ssl_ca_file = /usr/local/etc/dovecot/dovecot_ca.pem
ssl_verify_client_cert = yes
ssl_cert_username_field = commonName
login_dir = /var/run/dovecot_secure/login
mail_location = maildir:/X/Y/%d/%n
mail_privileged_group = asyouwish
dotlock_use_excl = yes
verbose_proctitle = yes
first_valid_uid = 1000
first_valid_gid = 1000
maildir_copy_with_hardlinks = yes
protocol imap {
  imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol managesieve {
}
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = username_format=%n /X/Y/Z/%d/usr_pas
  }
  userdb passwd-file {
    args = username_format=%n /X/Y/Z/%d/usr_pas
  }
  user = root
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
}
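As an added example (not from the thread and not Dovecot's own code), a small Python script that parses Dovecot 1.x style configuration and flags the policy conflict discussed above: one "auth default" with ssl_require_client_cert = yes shared by a plaintext loopback listener and the Postfix SASL socket, versus the two-instance split that resolves it. The parser, the audit rules, the three embedded configs (mixed, local, secure) and the public IP 198.51.100.10 are all constructed for illustration.

```python
def parse_dovecot(text):
    """Parse 'key = value' and 'name { ... }' sections into nested dicts ('#' comments). Hypothetical helper."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # open a nested section
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == "}":                 # close the current section
            cur = stack.pop()
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    if stack:
        raise ValueError("unbalanced braces in config")
    return root

def audit(conf):
    """Findings for one instance: clients that cannot satisfy the auth policy,
    or a public TLS listener that is left password-only."""
    auth = conf.get("auth default", {})
    protos = conf.get("protocols", "").split()
    cert_required = auth.get("ssl_require_client_cert") == "yes"
    loopback_plain = "imap" in protos and conf.get("listen", "").startswith("127.")
    public_tls = "imaps" in protos or "ssl_listen" in conf
    sasl_socket = "client" in auth.get("socket listen", {})  # Postfix SASL path
    findings = []
    if cert_required and loopback_plain:
        findings.append("loopback plaintext IMAP clients cannot present a client cert")
    if cert_required and sasl_socket:
        findings.append("Postfix SASL over the auth socket cannot present a client cert")
    if public_tls and not cert_required:
        findings.append("public TLS listener accepts password-only logins")
    return findings

# Constructed configs: the single mixed instance, then the two-instance split.
SOCKET = "  socket listen {\n    client {\n      path = /var/spool/postfix/private/auth\n    }\n  }\n"
MIXED = ("protocols = imap imaps\nlisten = 127.0.0.1\nssl_listen = 198.51.100.10\n"
         "auth default {\n  ssl_require_client_cert = yes\n" + SOCKET + "}\n")
LOCAL = "protocols = imap\nlisten = 127.0.0.1\nssl = no\nauth default {\n" + SOCKET + "}\n"
SECURE = ("base_dir = /var/run/dovecot_secure/\nprotocols = imaps\nssl_listen = 198.51.100.10\n"
          "ssl = required\nauth default {\n  ssl_require_client_cert = yes\n}\n")

def audit_all():
    """Audit each instance; an empty list means the policy is consistent."""
    return {name: audit(parse_dovecot(cfg))
            for name, cfg in (("mixed", MIXED), ("local", LOCAL), ("secure", SECURE))}
if __name__ == "__main__":
    for name, problems in audit_all().items():
        print(name, "->", problems or "OK")
```

Running it reports two findings for the mixed instance and none for either half of the split, which is the outcome the thread arrives at.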
Participants (3): Fabrice MATHIEU, Heiko Schlittermann, Timo Sirainen