Cannot load key: Invalid dovecot key version
I am trying to use a newly added Local Validation functionality in dovecot version 2.3.11. I am running dovecot inside a Docker container with base image "debian:buster-slim". When I try to log in through the command below, a crash is seen. The algorithm used is RS256 and the certificate is self-signed.
'''
a1 login admin eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsIm5hbWUiOiJKb2huIERvZSIsImV4cCI6MTcwMDIyNDg3MiwiaWF0IjoxNTE2MjM5MDIyfQ.gCXOiUDKV5Bjxp_Vkd-I76A86qxxsCCm5YTtvoLhS5CwOV5rBQozcvnkAOkaIEWWMQqFqEIdA6V9RBztl0XlMe5tyil-2NFaXiKsbv6aYmNnBgX678MZlXRi8UFrIK1ymc4ya7Xi11hV5tuTQHAqi6MPEOdB9zTrFBa9CPCKU25G458cd8SMy7t6i_pb-CrBKCA0KKLFF-SJyz4gSu4ce9FFBTx8oYS1lDaQvf6drNw-_N6FfA1k4HVgEK9bU-SEZkeqE0t5nsFA-7V1-BgYvNaR5-tpzOjymeJP7dZ7rJzUqchVz-Z9V3hONGJEuromcEzgve_r9NSBlUTZlcT8Eg
'''
dovecot_1 | Sep 16 03:29:36 auth-worker(25): Info: pam(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): pam_authenticate() failed: Authentication failure (Password mismatch?)
dovecot_1 | Sep 16 03:29:36 auth-worker(25): Debug: pam(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Finished passdb lookup
dovecot_1 | Sep 16 03:29:36 auth-worker(25): Debug: conn unix:auth-worker (pid=24,uid=101): auth-worker<1>: Finished
dovecot_1 | Sep 16 03:29:36 auth: Debug: pam(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Finished passdb lookup
dovecot_1 | Sep 16 03:29:36 auth: Debug: oauth2(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Performing passdb lookup
dovecot_1 | Sep 16 03:29:36 auth: Debug: oauth2(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Attempting to locally validate token
dovecot_1 | Sep 16 03:29:36 auth: Debug: oauth2(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): callback(result: password_mismatch, error: Cannot load key: Invalid dovecot key version)
dovecot_1 | Sep 16 03:29:36 auth: Info: oauth2(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): oauth2 failed: Cannot load key: Invalid dovecot key version
dovecot_1 | Sep 16 03:29:36 auth: Debug: oauth2(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Finished passdb lookup
dovecot_1 | Sep 16 03:29:36 auth: Debug: auth(admin,172.18.0.1,<Q5Bc4GWv9tqsEgAB>): Auth request finished
dovecot --version
2.3.11.3 (502c39af9)

dovecot -n
# 2.3.11.3 (502c39af9): /etc/dovecot/dovecot.conf
# OS: Linux 4.19.76-linuxkit x86_64 Debian 10.5 fuse.grpcfuse
# Hostname: 45e39b46f6ab
auth_debug = yes
auth_mechanisms = plain oauthbearer xoauth2
auth_verbose = yes
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
log_path = /dev/stdout
mail_debug = yes
mail_location = maildir:/data/imap_store/%n
mail_plugins = " quota"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Greeting {
    auto = create
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
  driver = oauth2
  mechanisms = plain login
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=5MB
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
}
protocols = imap lmtp
service doveadm {
  inet_listener http {
    port = 80
  }
}
service lmtp {
  inet_listener lmtp {
    address = *
    port = 24
  }
  process_min_avail = 5
}
ssl = no
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = quota
  postmaster_address = postmaster@domainname
}
protocol lda {
  mail_plugins = " quota notify push_notification"
}
protocol imap {
  imap_metadata = yes
  mail_plugins = " quota imap_quota quota"
}
Any help would be appreciated.
Thanks, Mrinal
On 16/09/2020 06:38 Mrinal Sharma msharma@smithmicro.com wrote:
> I am trying to use a newly added Local Validation functionality in dovecot version 2.3.11. I am running dovecot inside a Docker container with base image "debian:buster-slim". When I try to log in through the command below, a crash is seen. The algorithm used is RS256 and the certificate is self-signed.
In what format did you provide the validation key? I would recommend using JWK format.
Aki
Thank you for this valuable suggestion. Validation worked with JWK format. I feel the documentation should be updated with this information. Also, the "username_attribute" field in dovecot-oauth2.plain.conf.ext needs to be set for username validation.
My configuration:
File: dovecot-oauth2.plain.conf.ext
introspection_mode = local
use_grant_password = no
debug = yes
username_attribute = user_name
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
Copy the .JWK public key to the folder /etc/dovecot/keys/default/RS256/default. If there is no azp element in the token body, then default is used, and there is no kid element in the token header.
Thanks, Mrinal
-----Original Message-----
From: Aki Tuomi aki.tuomi@open-xchange.com
Sent: Wednesday, September 16, 2020 2:15 AM
To: Mrinal Sharma msharma@smithmicro.com; dovecot@dovecot.org
Subject: Re: Cannot load key: Invalid dovecot key version
On 16/09/2020 06:38 Mrinal Sharma msharma@smithmicro.com wrote:
> I am trying to use a newly added Local Validation functionality in dovecot version 2.3.11. I am running dovecot inside a Docker container with base image "debian:buster-slim". When I try to log in through the command below, a crash is seen. The algorithm used is RS256 and the certificate is self-signed.
In what format did you provide the validation key? I would recommend using JWK format.
Aki
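As an added illustration (not part of the thread and not Dovecot code), this Python helper decodes a token without verifying it and reports which key file the configuration above would need, plus whether the configured username attribute is present. It assumes the `<prefix>/<azp>/<alg>/<kid>` layout implied by the path in the post, with `default` substituted when `azp` or `kid` is absent; the function names and the sample tokens are constructed for the example.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # assumption: only the algorithm used in this thread

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def _safe_component(value):
    """Refuse claim values that would step outside the key directory."""
    if not isinstance(value, str) or not value or "/" in value or value.startswith("."):
        raise ValueError(f"unsafe path component: {value!r}")
    return value

def inspect_token(token, prefix="/etc/dovecot/keys/", username_attribute="user_name"):
    """Return (expected_key_path, username or None). Does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg: {alg!r}")
    azp = _safe_component(payload.get("azp", "default"))
    kid = _safe_component(header.get("kid", "default"))
    return f"{prefix.rstrip('/')}/{azp}/{alg}/{kid}", payload.get(username_attribute)

def make_token(header, payload):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"

if __name__ == "__main__":
    # Constructed samples: one without azp/kid, one with both set.
    samples = [
        make_token({"alg": "RS256", "typ": "JWT"}, {"user_name": "admin"}),
        make_token({"alg": "RS256", "kid": "k1"}, {"azp": "mailclient", "sub": "admin"}),
    ]
    for tok in samples:
        path, user = inspect_token(tok)
        print(path, "->", user if user else "username attribute missing")
```

A `None` username in the result means the token lacks the attribute named by `username_attribute`, the second setting the post says must line up.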
participants (2): Aki Tuomi, Mrinal Sharma