Disable auth_ssl_require_client_cert for SASL
Hello!
Dovecot version: 2.2.6
Postfix version: 2.10.2
OS: Mageia Linux 4 x86_64
I have configured the Dovecot imaps server on port 993 to authenticate users via private certificates:

  auth_ssl_require_client_cert = yes
  auth_ssl_username_from_cert = no

The users' database is in OpenLDAP, and in dovecot-ldap.conf.ext the checking of users' passwords is disabled:

  pass_attrs = uid=%n, mail=%n@%d, =nopassword=1

It all works fine.
I have configured the Postfix submission service on port 587 so that users connect via STARTTLS:

  submission inet n - y - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_req_ccert=yes
    -o smtpd_tls_ask_ccert=yes
    -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
    -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
    -o smtpd_helo_restrictions=permit_tls_all_clientcerts,reject

It works fine.
And now I have a new task: I also need Postfix to authenticate OpenLDAP users using SASL on the smtps port 465. I need it for mobile devices, which don't support STARTTLS. So I have configured smtps in Postfix:

  smtps inet n - y - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
While trying to connect to smtps, clients get the error "Client didn't present valid SSL certificate", and this is clear. The question is: how do I configure an additional auth service in Dovecot which doesn't require private certificates and authenticates users by login/password?
Configuration files:

dovecot -n:

# 2.2.6: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.43-server-1.mga4 x86_64 Mageia 4 ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
base_dir = /var/run/dovecot/
first_valid_gid = 12
first_valid_uid = 8
hostname = myexample.com
last_valid_gid = 12
last_valid_uid = 8
listen = *
login_greeting = Dovecot L ready.
login_trusted_networks = 127.0.0.0/8 10.62.0.0/16
mail_debug = yes
mail_gid = 12
mail_home = /home/mail/%d/%n
mail_location = maildir:/home/mail/%d/%n
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = homeDirectory=/home/mail/%d/%n
  driver = ldap
}
plugin {
  sieve = /home/mail/%d/%n/sieve/UsersActiveScript.sieve
  sieve_before = /var/spool/mail/dovecot.sieve
  sieve_default = /var/spool/mail/dovecot.sieve
  sieve_dir = /home/mail/%d/%n/sieve
}
postmaster_address = admin@myexample.com
protocols = imap
service anvil {
  type = anvil
  unix_listener anvil-auth-penalty {
    group = mail
    mode = 0600
    user = mail
  }
  unix_listener anvil {
    mode = 0600
    user = mail
  }
}
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = mail
  }
}
service imap-login {
  inet_listener imap {
    port = 0
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl_ca =
grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf.ext:
uris = ldap://localhost
dn = cn=service,ou=Systems,dc=myexample,dc=com
dnpass = SeCrEt
auth_bind = no
ldap_version = 3
base = ou=People,dc=myexample,dc=com
deref = never
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(mail=%n@%d)(uid=%n))
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
pass_filter = (&(mail=%n@%d)(uid=%n))
Kind regards, Damir
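The mismatch behind the error in the post can be caught by comparing the two configurations side by side: Dovecot is set to refuse any login that does not come with a verified client certificate, while the smtps listener in Postfix never asks the client for one and then forwards the SASL login to Dovecot over private/auth. The script below is an added example, not part of the post and not code from the Dovecot or Postfix projects. It parses a `dovecot -n` style dump for top-level settings and a master.cf fragment for per-service `-o` overrides, then reports every Postfix listener that uses Dovecot SASL without requesting a client certificate while `auth_ssl_require_client_cert = yes` is set globally. The sample inputs are constructed from the settings quoted in the post. It assumes two things: that the global `auth_ssl_require_client_cert` setting also applies to logins relayed by Postfix over the auth socket (which is what the error message in the post indicates), and that Postfix can only report a verified client certificate to Dovecot when the listener asked for one via `smtpd_tls_ask_ccert` or `smtpd_tls_req_ccert`.

```python
import re

# Constructed sample input: the global settings quoted in the post, plus the
# auth_ssl_require_client_cert line the post says is set (the pasted dump is
# truncated before it).
DOVECOT_N = """\
# 2.2.6: /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = no
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""

# Constructed sample input: the two master.cf entries from the post, written in
# master.cf's usual multi-line form.
MASTER_CF = """\
submission inet n - y - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_dovecot_globals(text):
    """Collect top-level `key = value` settings from `dovecot -n` output,
    skipping comments and anything nested inside { } blocks."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_master_cf(text):
    """Map each master.cf service name to its `-o key=value` overrides.
    Continuation lines (leading whitespace) belong to the preceding service.
    Only per-service overrides are seen; main.cf defaults are not consulted."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.split()[0]
            services[current] = {}
        if current is not None:
            for key, value in re.findall(r"-o\s+([^=\s]+)=(\S+)", raw):
                services[current][key] = value
    return services


def audit(dovecot_settings, services):
    """Flag Postfix listeners that hand logins to Dovecot SASL while Dovecot is
    configured to reject every login lacking a verified client certificate.
    Assumption: Postfix only reports a client certificate to Dovecot when the
    listener asked for one (smtpd_tls_ask_ccert / smtpd_tls_req_ccert)."""
    require_cert = dovecot_settings.get("auth_ssl_require_client_cert", "no") == "yes"
    findings = []
    for name, opts in services.items():
        uses_dovecot_sasl = (opts.get("smtpd_sasl_auth_enable") == "yes"
                             and opts.get("smtpd_sasl_type") == "dovecot")
        asks_for_cert = "yes" in (opts.get("smtpd_tls_ask_ccert"),
                                  opts.get("smtpd_tls_req_ccert"))
        if require_cert and uses_dovecot_sasl and not asks_for_cert:
            findings.append(
                f"{name}: Dovecot has auth_ssl_require_client_cert = yes, but this "
                f"listener never asks the client for a certificate, so every SASL "
                f"login it forwards will be rejected")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dovecot_globals(DOVECOT_N), parse_master_cf(MASTER_CF)):
        print(finding)
```

Run against the quoted configuration it reports only the smtps listener: submission is not flagged because it does not enable SASL at all, and it requests a client certificate anyway. Pointing the two parsers at real `dovecot -n` output and a full master.cf gives the same check across every listener on a host.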