[Dovecot] Dovecot with SSL Client Certification
Hi,
I have been trying to set up Dovecot over SSL for the last couple of days, unsuccessfully.
My notes are from here: http://wiki.dovecot.org/SSL
My OpenSSL commands are:
mkdir -pv /opt/certificates/dovecot/
cd !$
(just to prevent questions about Common Name)
[ebal@myhome:~]$ hostname
myhome
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
# Country Name (2 letter code) [AU]:GR
# State or Province Name (full name) [Some-State]:Athens
# Locality Name (eg, city) []:Aigaleo
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
# Organizational Unit Name (eg, section) []:Mail Apps
# Common Name (eg, YOUR name) []:myhome
# Email Address []:ebalaskas@ebalaskas.gr
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
    -name "dovecot Certificate Client" -out dovecot.p12
openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
I've imported the dovecot.p12 into Thunderbird's certificates and dovecot.crt into Thunderbird's authorities (I've tried Claws Mail too - same errors).
My dovecot.conf is this:
[root@myhome dovecot]# dovecot -n
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686 ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
ssl_key_file: /opt/certificates/dovecot/dovecot.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX
mail_debug: yes
lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
My /var/log/dovecot.log:
Jul 30 20:14:52 Info: Dovecot v1.2.2 starting up (core dumps disabled)
Jul 30 20:14:52 Info: Generating Diffie-Hellman parameters for the first time. This may take a while..
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5872
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5873
Jul 30 20:14:53 auth(default): Info: new auth connection: pid=5874
Jul 30 20:15:16 ssl-build-param: Info: SSL parameters regeneration completed
Jul 30 20:15:17 auth(default): Info: new auth connection: pid=5898
Jul 30 20:15:18 imap-login: Info: Disconnected (client didn't send a cert): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Any ideas?
Evaggelos Balaskas
Unix System Engineer - http://ebalaskas.gr/wiki
Informatics Engineer Technological Education
On Thu, 2009-07-30 at 20:37 +0300, Evaggelos Balaskas wrote:
> openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
I guess this is OK, but to prevent confusion let's say these were client.crt and client.key instead.
> # Country Name (2 letter code) [AU]:GR
> # State or Province Name (full name) [Some-State]:Athens
> # Locality Name (eg, city) []:Aigaleo
> # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
> # Organizational Unit Name (eg, section) []:Mail Apps
> # Common Name (eg, YOUR name) []:myhome
> # Email Address []:ebalaskas@ebalaskas.gr
> openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
>     -name "dovecot Certificate Client" -out dovecot.p12
Again client.crt, client.key here.
> openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
What do you do with the dovecot.crl here? It's a client CRL and unless you add it to Dovecot's CRL list it's not necessary. Also, the -selfsign is ignored.
> I've imported the dovecot.p12 into Thunderbird's certificates and dovecot.crt into Thunderbird's authorities (I've tried Claws Mail too - same errors).
OK.
> ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
This is probably where the problem is. This file must contain the CA certificate and the CRL, not just the CRL. And initially the CRL should be empty.
> ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
> ssl_key_file: /opt/certificates/dovecot/dovecot.key
And I hope these dovecot.* files aren't the same you just generated for the client?
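The layout Timo describes, as an added example that is not code from this thread or from Dovecot: one private CA, a server certificate and a client certificate that are different keys, a .p12 for the mail client that never contains the CA key, and an ssl_ca_file made of the CA certificate followed by an initially empty CRL. It assumes the openssl command line is available; "Example Mail CA", imap.example.test, the user "alice" and the export password "changeit" are invented for the example. The verify step uses `openssl verify -crl_check`, which checks a client certificate against a CA file with CRL checking turned on, so you can see all three ssl_ca_file variants side by side (CA certificate plus CRL, the CRL alone as in the original config, the CA certificate alone) and what happens after a revocation.

```shell
#!/bin/sh
# Added example, not code from this thread or from Dovecot: a small PKI laid out
# the way Timo describes it. One private CA, a separate server cert, a separate
# client cert, and an ssl_ca_file holding the CA certificate followed by an
# (initially empty) CRL. "Example Mail CA", imap.example.test, "alice" and the
# export password "changeit" are invented for this example.
set -e

# build_pki DIR: create everything inside DIR (runs in a subshell, so the
# caller's working directory is left alone).
build_pki() (
  mkdir -p "$1" && cd "$1"
  # Minimal openssl.cnf so `openssl ca` works without the system CA layout.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  # 1. The CA. ca.key signs client certs and CRLs and never leaves the server.
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1825 \
    -subj "/CN=Example Mail CA" -keyout ca.key -out ca.crt -config ca.cnf 2>/dev/null
  # 2. Server identity for ssl_cert_file / ssl_key_file, not reused for clients.
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=imap.example.test" \
    -keyout server.key -out server.csr -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions server_ext \
    -in server.csr -out server.crt 2>/dev/null
  # 3. Client identity; the CN is what the server sees after the handshake.
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=alice" \
    -keyout client.key -out client.csr -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions client_ext \
    -in client.csr -out client.crt 2>/dev/null
  # 4. What the mail client imports: client cert + key (+ CA cert), never ca.key.
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
    -name "alice mail client" -passout pass:changeit -out client.p12
  # 5. An empty CRL, then the ssl_ca_file: CA certificate first, CRL after it.
  openssl ca -gencrl -config ca.cnf -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > dovecot-ca.pem
)

# verify_client DIR CAFILE: check DIR/client.crt against CAFILE with CRL
# checking on, which is what the server side does. Prints OK or FAIL.
verify_client() {
  if openssl verify -crl_check -CAfile "$2" "$1/client.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# revoke_client DIR: revoke alice, reissue the CRL, rebuild the ssl_ca_file.
revoke_client() (
  cd "$1"
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
  openssl ca -gencrl -config ca.cnf -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > dovecot-ca.pem
)

# dovecot_ssl_settings DIR: the Dovecot 1.2 settings matching the files above.
dovecot_ssl_settings() {
  printf 'ssl: required\nssl_ca_file: %s/dovecot-ca.pem\nssl_cert_file: %s/server.crt\nssl_key_file: %s/server.key\nssl_verify_client_cert: yes\n' "$1" "$1" "$1"
}

# Stand-alone demo: the three ssl_ca_file variants, then a revocation.
DEMO=$(mktemp -d)
build_pki "$DEMO"
echo "CA cert + CRL: $(verify_client "$DEMO" "$DEMO/dovecot-ca.pem")"
echo "CRL only:      $(verify_client "$DEMO" "$DEMO/ca.crl")"
echo "CA cert only:  $(verify_client "$DEMO" "$DEMO/ca.crt")"
revoke_client "$DEMO"
echo "after revoke:  $(verify_client "$DEMO" "$DEMO/dovecot-ca.pem")"
dovecot_ssl_settings "$DEMO"
```

Run it with sh; each run builds the files in a fresh mktemp directory and prints the settings to paste into dovecot.conf. Only dovecot-ca.pem, server.crt and server.key go to the Dovecot host; client.p12 is what gets imported into Thunderbird, and ca.crt goes into the authorities list only so that the client trusts the server certificate. The CRL-only and CA-cert-only cases both fail for the same reason Timo gives: with CRL checking on, the verifier needs the issuer certificate to build the chain and a CRL from that issuer to consult, even if the CRL lists nothing yet.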
Indeed the problem was with ssl_ca_file. After your reply, I was able to fully understand how SSL authentication with X.509 certificates works with Dovecot.
Timo, keep up the great job you are doing with Dovecot. Thank you very much for your answer.
PS: I am working on a mini howto on this, and I would be happy to announce it on the list when it's complete (if that's OK with you).
Timo Sirainen wrote:
> > ... openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
> What do you do with the dovecot.crl here? It's a client CRL and unless you add it to Dovecot's CRL list it's not necessary. Also, the -selfsign is ignored.
> > ... ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
> This is probably where the problem is. This file must contain the CA certificate and the CRL, not just the CRL. And initially the CRL should be empty.
> ...
Evaggelos Balaskas
Unix System Engineer - http://ebalaskas.gr/wiki
Informatics Engineer Technological Education