[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail -> auth_ssl_require_client_cert problem
Hello,
I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend.
For now Dovecot works with client certificates issued by my CA, and Horde also authenticates with the same client certs. Due to the protocol it is impossible to use the client certs presented by the user to Horde for authentication at Dovecot, so Horde should be allowed to authenticate itself to Dovecot without a password or with an arbitrary one. Horde and Dovecot are running in the same protected LAN.
Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
}
Result is "doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert"
Replacing "auth_ssl_require_client_cert = no" by "ssl_verify_client_cert = no" does not yield an error, but it does nothing; Dovecot still insists on a client certificate.
I'm afraid that I am trapped by this problem: http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certifica...
Is there any way to turn off client certs for specific local or remote IP addresses?
best regards Christian
On 27.3.2013, at 10.49, Christian Felsing hostmaster@taunusstein.net wrote:
I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend. ... Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
}
Result is "doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert"
Right. Would be nice to support at some point, but not that easy to implement.
Is there any way to turn off client certs for specific local or remote IP addresses?
In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
Hi Timo,
thank you for that hint.
SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' does not work; it seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
password_query = SELECT MD5('%w') AS password, userid AS user FROM users WHERE (userid = '%u') and (('%k' = 'valid') or ('%r' = '192.168.116.30'));
so Dovecot accepts any password provided by the user. This solution now works for users which are directly using imap or pop3 _and_ for users which are using the Horde webmail frontend backed by Dovecot. This is now a configuration which does not need any passwords stored on the server, which IMHO provides more security.
best regards Christian
On 31.03.2013 10:29, Timo Sirainen wrote:
Is there any way to turn off client certs for specific local or remote IP addresses?
In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
On 31.3.2013, at 15.47, Christian Felsing hostmaster@taunusstein.net wrote:
thank you for that hint.
SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' does not work; it seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
I don't understand. I remember some other mail about this as well. It works fine in my tests. What does it log with you?
There were log entries regarding that problem:
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=user@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out: CONT#0111#011
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONT<hidden>
Mar 25 11:05:21 dovecot dovecot: auth: Debug: sql(user@example.net,192.168.200.6,<J8pV8bzYIACwxigG>): query: SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = 'user@example.net'
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONT<hidden>
Mar 25 11:05:21 dovecot dovecot: auth: sql(user@example.net,192.168.200.6,<J8pV8bzYIACwxigG>): Empty password returned without nopassword
Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user@example.net
Dovecot got nopassword but still does not accept an empty password.
Christian
On 31.03.2013 15:18, Timo Sirainen wrote:
On 31.3.2013, at 15.47, Christian Felsing hostmaster@taunusstein.net wrote:
thank you for that hint.
SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' does not work; it seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
I don't understand. I remember some other mail about this as well. It works fine in my tests. What does it log with you?
On 31.3.2013, at 17.38, Christian Felsing hostmaster@taunusstein.net wrote:
There were log entries regarding that problem:
Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat differently. This should fix it: http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=user@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out: CONT#0111#011
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONT<hidden>
Mar 25 11:05:21 dovecot dovecot: auth: Debug: sql(user@example.net,192.168.200.6,<J8pV8bzYIACwxigG>): query: SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = 'user@example.net'
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONT<hidden>
Mar 25 11:05:21 dovecot dovecot: auth: sql(user@example.net,192.168.200.6,<J8pV8bzYIACwxigG>): Empty password returned without nopassword
Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user@example.net
Dovecot got nopassword but still does not accept an empty password.
Christian
On 31.03.2013 15:18, Timo Sirainen wrote:
On 31.3.2013, at 15.47, Christian Felsing hostmaster@taunusstein.net wrote:
thank you for that hint.
SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u' does not work; it seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
I don't understand. I remember some other mail about this as well. It works fine in my tests. What does it log with you?
Thank you, works now with 'Y' as nopassword :-)
best regards Christian
On 31.03.2013 17:16, Timo Sirainen wrote:
On 31.3.2013, at 17.38, Christian Felsing hostmaster@taunusstein.net wrote:
There were log entries regarding that problem:
Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat differently. This should fix it: http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37
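As an added example (not the poster's own configuration nor Dovecot's documentation), this is the SQL passdb fragment the thread converges on once the PostgreSQL nopassword handling is fixed: the %k/%r condition from the earlier password_query combined with nopassword instead of the MD5('%w') accept-any-password workaround. The connect string, the users(userid) table and the Horde address 192.168.116.30 are assumed from the thread.

```conf
# dovecot-sql.conf.ext (added example; connect string, table layout and
# the Horde webmail address are assumptions taken from the thread)
driver = pgsql
connect = host=localhost dbname=mail user=dovecot

# A login is accepted only if either
#   - the client presented a certificate that validated against the CA
#     (%k expands to "valid"), the normal IMAP/POP3 user case, or
#   - the connection comes from the Horde webmail host (%r), which cannot
#     forward the user's own client certificate to Dovecot.
# nopassword = 'Y' makes Dovecot succeed without comparing a password, so
# no password material is stored or checked. The %r branch trusts the
# source address alone: any host reaching Dovecot with that address can
# log in as any user, so keep that path confined to the protected LAN.
password_query = \
  SELECT NULL AS password, 'Y' AS nopassword, userid AS user \
  FROM users \
  WHERE userid = '%u' \
    AND ('%k' = 'valid' OR '%r' = '192.168.116.30')
```

Dovecot's config parser joins the backslash-continued lines, so the query is passed to PostgreSQL as a single statement.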
unsubscribe
On Wed, Mar 27, 2013 at 1:49 AM, Christian Felsing <hostmaster@taunusstein.net> wrote:
Hello,
I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend.
For now Dovecot works with client certificates issued by my CA, and Horde also authenticates with the same client certs. Due to the protocol it is impossible to use the client certs presented by the user to Horde for authentication at Dovecot, so Horde should be allowed to authenticate itself to Dovecot without a password or with an arbitrary one. Horde and Dovecot are running in the same protected LAN.
Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
}
Result is "doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert"
Replacing "auth_ssl_require_client_cert = no" by "ssl_verify_client_cert = no" does not yield an error, but it does nothing; Dovecot still insists on a client certificate.
I'm afraid that I am trapped by this problem:
http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certifica...
Is there any way to turn off client certs for specific local or remote IP addresses?
best regards Christian
participants (3)
- Christian Felsing
- Jake Johnson
- Timo Sirainen