[Dovecot] auth, partially resolved
Hello people,
After a lot of wading through the dovecot documentation (which, btw, is excellent! Everything lies under "dovecot/doc/wiki"), I managed to authenticate a couple of accounts.
For starters, I want dovecot to work as an imap/imaps box and nothing else.
So, I went ahead and created a "passwd" file with two users. One user being my name (spyros) and plaintext password and the other user "postmaster" with encrypted password ("/etc/dovecot/passwd" shown):
spyros@webmail.domain.gr:{PLAIN}plainpassword
postmaster@webmail.domain.gr:{SSHA}SSHAPassword
Now, if I telnet to port 143 with both users, the system comes back with the following :
[root@webmail dovecot]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready
. login spyros@webmail.domain.gr password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in
As I said, it allows login on port 143 for both users. So, the same for "postmaster".
Now for port 993 :
[root@webmail dovecot]# openssl s_client -connect webmail.domain.gr:993
[lots of SSL-related certificate information]
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready
. login spyros@webmail.domain.gr password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in
Again, the same for user "postmaster". I don't paste.
So, everything is fine. However, I have an issue with the (?!) issued certificate. If I check the dovecot logs I find nothing.
If, on the other hand, I do the same check on the Horde application, it comes back with the following:
* Trying protocol imap/notls, Port 143:
SUCCESS - INBOX has 0 messages (0 new 0 recent)
* Trying protocol imap/ssl, Port 993:
ERROR - The server returned the following error message:
SECURITY PROBLEM: insecure server advertised AUTH=PLAIN[SERVERBUG] Internal error occurred. Refer to server log for more
information. [2010-01-05 13:30:12]Certificate failure for localhost: self signed certificate:
/C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP
server/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr
* Trying protocol imap/ssl/novalidate-cert, Port 993:
SUCCESS - INBOX has 0 messages (0 new 0 recent)
* Trying protocol imap/tls/novalidate-cert, Port 143:
SUCCESS - INBOX has 0 messages (0 new 0 recent)
Now, I know I am not supposed to ask you chaps about this, but direct my questions to the horde mailing list. However, I would like an opinion before I go ahead and bug them with this.
Certificate was created with "dovecot/doc/mkcert.sh" and the relevant certificate file (can't recall its name at the moment).
Any help would be appreciated. On the other hand, if I went too far with this I apologize and I'll try to find another way to resolve this.
Thank you people,
s.
On Tue, 5 Jan 2010, Spyros Tsiolis wrote:
> If, on the other hand, I do the same check on the Horde application, it comes back with the following:
> * Trying protocol imap/notls, Port 143:
> SUCCESS - INBOX has 0 messages (0 new 0 recent)
> * Trying protocol imap/ssl, Port 993:
> ERROR - The server returned the following error message:
> SECURITY PROBLEM: insecure server advertised AUTH=PLAIN[SERVERBUG] Internal error occurred. Refer to server log for more
> information. [2010-01-05 13:30:12]Certificate failure for localhost: self signed certificate:
> /C=GR/ST=Kerkyra/L=Kerkyra/O=Tourist Enterprizes/OU=IMAP
> server/CN=webmail.domain.gr/emailAddress=postmaster@webmail.domain.gr
You access the cert of webmail.domain.gr via a host named localhost. If Horde runs on the same host, just disable SSL :-)
> * Trying protocol imap/ssl/novalidate-cert, Port 993:
> SUCCESS - INBOX has 0 messages (0 new 0 recent)
> * Trying protocol imap/tls/novalidate-cert, Port 143:
> SUCCESS - INBOX has 0 messages (0 new 0 recent)
There is missing:
imap/tls, Port 143
but I suppose it will bark as well.
Actually, it looks like a Dovecot message ("Refer to server log for more information"), but then the error message should be in the log for the openssl test as well, I guess.
Do you have the SSL cert in the cert store of OpenSSL, usually /etc/ssl/certs? That way you trust the cert. If Horde barks on the cert, this should help (first part of error message: "PROBLEM: insecure server advertised").
Regards,
Steffen Kaiser
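The two checks raised in the reply (the name the client connects to versus the name in the cert, and whether the self-signed cert is in the trust store), reproduced offline as an added example that is not part of the original thread. It uses a throwaway certificate carrying the thread's CN; the function names and temporary paths are made up for the illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: offline reproduction of the hostname and trust checks.
# The certificate is a throwaway stand-in for the one made by mkcert.sh.

# make_cert DIR CN: create a one-day self-signed cert in DIR
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# name_matches CERT HOST: succeed only if HOST matches a name in CERT
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# chain_trusted CERT [CAFILE]: succeed only if CERT verifies against the
# default trust store, or against CAFILE when one is given
chain_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

# diagnose CERT HOST [CAFILE]: print "ok" or a comma-separated list of problems
diagnose() {
    result=""
    name_matches "$1" "$2" || result="hostname-mismatch"
    chain_trusted "$1" "$3" || result="${result:+$result,}untrusted-issuer"
    echo "${result:-ok}"
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir" webmail.domain.gr
cert="$demo_dir/cert.pem"

# Client connects to "localhost" and has never seen the cert (the failing case)
echo "localhost, default store:          $(diagnose "$cert" localhost)"
# Client connects to the cert's own name and the cert is a trust anchor
echo "webmail.domain.gr, cert trusted:   $(diagnose "$cert" webmail.domain.gr "$cert")"
rm -rf "$demo_dir"
```

Trusting the certificate alone still leaves the name mismatch when the client is pointed at localhost, which is why both conditions are reported separately.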