[Dovecot] Secure Sockets Layer client certificate authentication
Stephen Feyrer
steve at toth.org.uk
Mon May 25 16:51:22 EEST 2009
Hi everyone.
Please note, I've asked a very similar question before and I apologize
for sounding like a broken record. Well here it goes.
What I want to do is authenticate my users using a certificate. Thereby
authenticating both the user and server with strong tokens that are
centrally managed. In the worst case scenario the user should only need
to enter a password for the certificate store and then the certificate
should trigger the appropriate level of access to their account.
Is Dovecot the correct tool for the job?
If yes then, how?
Else if not, then what would you recommend?
I have tried setting the auth mechanism to anonymous without any joy.
My password file is set with nopassword. All my certificates work well
with the Secure Sockets Layer system.
This is the configuration I am currently running:
# 1.2.beta1: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl
log_path: /opt/var/log/dovecot.log
info_log_path: /opt/var/log/dovecot-info.log
protocols: imaps
ssl_ca_file: /opt/etc/ssl.ca/cacrl.pem
ssl_cert_file: /opt/etc/ssl.ca/newcerts/imap.cer
ssl_key_file: /opt/etc/ssl.ca/private/imap.key
ssl_parameters_regenerate: 24
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
disable_plaintext_auth: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_user: guest
login_processes_count: 2
login_max_processes_count: 4
mbox_write_locks: fcntl
mail_process_size: 512
imap_client_workarounds: outlook-idle tb-negative-fetch
auth default:
user: admin
verbose: yes
debug: yes
ssl_require_client_cert: yes
ssl_username_from_cert: yes
passdb:
driver: passwd-file
args: /opt/etc/dovecot/h.org/passwd
userdb:
driver: passwd
This is a log of a login attempt:
dovecot: May 25 11:55:58 Info: auth(default): new auth connection: pid=22556
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/O=home.org/emailAddress=admin at nas2.h.org/L=W/ST=C/C=G/CN=h.org
dovecot: May 25 11:56:08 Info: imap-login: Valid certificate:
/C=G/ST=C/O=h.org/OU=K F/CN=k
dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585
dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH 1 PLAIN
service=imap secured valid-client-cert cert_username=k lip=10.1.1.245
rip=10.1.1.1 lport=993 rport=53430
dovecot: May 25 11:56:16 Info: auth(default): client out: CONT 1
dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden>
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
lookup: user=k file=/opt/etc/dovecot/h.org/passwd
dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1):
No password
dovecot: May 25 11:56:16 Info: auth(default): client out: OK 1 user=k
dovecot: May 25 11:56:16 Info: auth(default): master in: REQUEST 6 22164 1
dovecot: May 25 11:56:16 Info: auth(default): passwd(k,10.1.1.1): lookup
dovecot: May 25 11:56:16 Info: auth(default): master out: USER 6 k
system_user=k uid=500 gid=100 home=/
dovecot: May 25 11:56:16 Info: imap-login: Login: user=<k>,
method=PLAIN, rip=10.1.1.1, lip=10.1.1.245, TLS
With this configuration the client will connect over ssl and identify
itself with a certificate but a client password is still required.
--
Regards
Stephen.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3322 bytes
Desc: S/MIME Cryptographic Signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20090525/9f8b46da/attachment-0001.bin
More information about the dovecot
mailing list