[Dovecot] Question about auth multiple configuration

Fabrice MATHIEU simpsons_bart_cs at hotmail.com
Wed Apr 28 20:12:31 EEST 2010


My mail system is built with postfix, dovecot and roundcube.
At first, users can view and "manage" their mail only through the webmail.
So this one (webmail) uses IMAP (no tls/ssl at all) authentication to give access to the users' maildir. This connection is made on the 'loopback' interface and uses the PLAIN method.
This works fine (configuration below without ssl parameters).

Now I want to see and send my mail with a MUA (thunderbird).
As my system is on an Internet provider, I want to add more security "solutions".
I use smtps with postfix and SASL auth through the dovecot socket mechanism to send mail.
I use imaps with dovecot for managing my maildir.

I have added ssl parameters to the configuration file (see below) and I required a certificate from the client (to avoid man-in-the-middle attacks and to give access only to clients with a user certificate).
To get this, "ssl_require_client_cert" is set to yes.
Ok, now imaps works perfectly.
But since a certificate is required, webmail authentication (localhost) and SASL (postfix auth through the dovecot socket mechanism) don't work.

Webmail => dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=, lip=, secured
Postfix => postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate

That's normal. But the client (network) is considered secure by dovecot, so shouldn't auth be possible without a certificate?

Can't we make two auth policies: a secure one (client cert required) for public IP/clients and a less "secure" one (without client cert) for local processes (postfix) and the local network (for roundcube)?
I see the section "auth default { ... }" and it is used by ... default! But can we make another one to handle these two particular authentications on the same "instance"?

Thank you.

And here is my configuration:

operating system => FreeBSD 7.1

dovecot --version => 1.2.8

dovecot -n =>
# 1.2.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE i386  ufs
protocols: imap
ssl_listen: X.Y.Z.T
ssl: yes
ssl_ca_file: /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file: /usr/local/etc/dovecot/imaps.pem
ssl_key_file: /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/jails/mails/%d/%n
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
protocol lda:
  postmaster_address: postmaster at SOMETHING
  hostname: SOMETHING_ELSE
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  userdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  ssl_require_client_cert: yes
  ssl_username_from_cert: no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: wheel
    master:
      path: /var/run/dovecot/auth-master
      mode: 384

Best regards,
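Added example (not part of the post above, and not Dovecot or Postfix code): when `ssl_require_client_cert` is turned on globally, the two failure signatures quoted in the post start appearing for every client that cannot present a certificate, including trusted loopback clients such as the webmail and the Postfix SASL socket. The triage script below parses both signatures out of a mail log and splits them by whether the peer address is loopback, so an admin can tell "a remote client without a cert was correctly rejected" apart from "my own local services broke". The log lines are constructed for this example, modelled on the two lines in the post, with RFC 5737 documentation addresses in place of the redacted ones.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the two failures quoted in the post.
# 127.0.0.1 stands for the webmail / Postfix side on the loopback interface;
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for real IPs.
SAMPLE_LOG = """\
dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
dovecot: imap-login: Disconnected (cert required, client didn't start TLS): method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
postfix/smtpd[71640]: warning: TOTO[203.0.113.9]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
postfix/smtpd[71641]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
"""

# Dovecot 1.x imap-login disconnect line: reason in parentheses, then rip=/lip= fields.
DOVECOT_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\).*?rip=(?P<rip>[^,\s]*),\s*lip=(?P<lip>[^,\s]*)"
)
# Postfix smtpd SASL failure line: hostname[ip] followed by the SASL failure reason.
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<rip>[^\]]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed: (?P<reason>.*)$"
)

# Substrings that identify a failure caused by the client-certificate requirement.
CERT_REASONS = ("cert required", "didn't present valid SSL certificate")


@dataclass
class CertFailure:
    service: str   # "dovecot" or "postfix"
    rip: str       # remote address as logged (may be empty if redacted)
    reason: str
    local: bool    # True when the peer is a loopback address


def is_local(addr: str) -> bool:
    """Loopback peers are the local services the post wants to keep working."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # empty or redacted field, as in the post's own line


def parse_line(line: str) -> Optional[CertFailure]:
    """Return a CertFailure for cert-related auth failures, None for anything else."""
    m = DOVECOT_RE.search(line)
    if m:
        service, rip, reason = "dovecot", m["rip"], m["reason"]
    else:
        m = POSTFIX_RE.search(line)
        if not m:
            return None
        service, rip, reason = "postfix", m["rip"], m["reason"]
    if not any(key in reason for key in CERT_REASONS):
        return None
    return CertFailure(service, rip, reason, is_local(rip))


def cert_failures(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(text: str) -> dict:
    """Count cert-requirement failures by peer locality."""
    fails = cert_failures(text)
    return {
        "local": sum(1 for f in fails if f.local),
        "remote": sum(1 for f in fails if not f.local),
    }


if __name__ == "__main__":
    for f in cert_failures(SAMPLE_LOG):
        where = "LOCAL " if f.local else "REMOTE"
        print(f"{where} {f.service:8} rip={f.rip or '<redacted>'}: {f.reason}")
    print(summarize(SAMPLE_LOG))
```

A non-zero `local` count is the signal that the global certificate requirement is also being applied to the loopback path, which is exactly the symptom described in the post; a `remote` count alone is the policy working as intended.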

