[Dovecot] Testing EXTERNAL AUTHENTICATION

Stephen Feyrer steve at toth.org.uk
Tue Mar 16 18:57:16 EET 2010


Hi.

I'm trying to test EXTERNAL AUTHENTICATION in Dovecot.  To do this I first  
configured Thunderbird and Opera to use my server; neither of them was  
successful.  As a result I contacted both organisations to enquire if they  
supported EXTERNAL AUTHENTICATION in their products.  Thunderbird  
responded and said yes.  However, on closer inspection my contact at  
Thunderbird identified that support for EXTERNAL AUTHENTICATION was poor  
at best and then only in SMTP.  From that point on, my contact has been  
trying to implement support in Thunderbird.

I've also tried to test using openssl s_client, which is detailed below.  As  
far as I can tell my problems appear after the authentication.  I don't  
know what the problem is, only that there is one.

[~] # dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl  ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot//login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
   postmaster_address: postmaster at ksudra.net
auth default:
   mechanisms: EXTERNAL
   realms: ksudra.net
   default_realm: ksudra.net
   user: admin
   verbose: yes
   debug: yes
   ssl_require_client_cert: yes
   ssl_username_from_cert: yes
   passdb:
     driver: passwd-file
     args: /opt/etc/dovecot/passwd
   userdb:
     driver: passwd


[~] # openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

                    <--  snip  -->

SSL handshake has read 4460 bytes and written 2451 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: [...]
     Session-ID-ctx:
     Master-Key: [...]
     Key-Arg   : None
     Krb5 Principal: None
     Start Time: 1268756439
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE  
AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 list "" *
01 NO [ALERT] Invalid base64 data in continued response
01 select inbox
01 BAD Error in IMAP command received by server.
02 select inbox
02 BAD Error in IMAP command received by server.
DONE

[~] # tail -f /opt/var/log/dovecot/info
Mar 16 16:51:14 auth(default): Info: new auth connection: pid=9176
Mar 16 16:51:16 imap-login: Info: Valid certificate:  
/O=ksudra.net/OU=Ksudra  
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:51:16 imap-login: Info: Valid certificate:  
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:06 auth(default): Info: client in: AUTH    1        
EXTERNAL        service=imap    secured valid-client-cert        
cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     
lport=993       rport=45379
Mar 16 16:52:06 auth(default): Info: client out: CONT   1
Mar 16 16:52:42 imap-login: Info: Valid certificate:  
/O=ksudra.net/OU=Ksudra  
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:52:42 imap-login: Info: Valid certificate:  
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:52:42 auth(default): Info: client in: AUTH    1        
EXTERNAL        service=imap    secured valid-client-cert        
cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     
lport=993       rport=45381
Mar 16 16:52:42 auth(default): Info: client out: CONT   1
Mar 16 16:52:42 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:42 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid  
base64 data in continued response
Mar 16 16:52:42 auth(default): Info: client out: FAIL   1        
reason=Invalid base64 data in continued response
Mar 16 16:52:42 auth(default): Info: new auth connection: pid=9182
Mar 16 16:52:45 auth(default): Info: client in: CONT<hidden>
Mar 16 16:52:45 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid  
base64 data in continued response
Mar 16 16:52:45 auth(default): Info: client out: FAIL   1        
reason=Invalid base64 data in continued response
Mar 16 16:52:47 imap-login: Info: Aborted login (cert required, client  
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:36 imap-login: Info: Valid certificate:  
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 16:54:36 auth(default): Info: new auth connection: pid=9188
Mar 16 16:54:37 auth(default): Info: client in: AUTH    1        
EXTERNAL        service=imap    secured valid-client-cert        
cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     
lport=993       rport=49113
Mar 16 16:54:37 auth(default): Info: client out: CONT   1
Mar 16 16:54:37 auth(default): Info: client in: CONT<hidden>
Mar 16 16:54:37 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid  
base64 data in continued response
Mar 16 16:54:37 auth(default): Info: client out: FAIL   1        
reason=Invalid base64 data in continued response
Mar 16 16:54:42 imap-login: Info: Aborted login (cert required, client  
didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 16:54:49 imap-login: Info: Valid certificate:  
/O=ksudra.net/OU=Ksudra  
CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 16:54:49 imap-login: Info: Valid certificate:  
/C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen

--
kind regards

Stephen Feyrer.
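
Added example, not part of the original post: in IMAP's AUTHENTICATE exchange (RFC 3501) the line a client sends after the server's `+` is read as the base64 SASL response, which is why `01 list "" *` in the transcript above was answered with "Invalid base64 data in continued response". The Python sketch below (function names are hypothetical, sample inputs are constructed) builds the valid EXTERNAL responses and checks a typed line the way a strict base64 decoder would.

```python
import base64
import binascii


def external_response(authzid: str = "") -> str:
    """Line to send after the server's '+' for SASL EXTERNAL (RFC 4422, App. A).

    An empty authzid yields an empty line: the server derives the identity
    from the TLS client certificate.
    """
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def authenticate_with_initial_response(tag: str, authzid: str = "") -> str:
    """Single-line form for servers advertising SASL-IR (RFC 4959).

    A zero-length initial response is written as '='.
    """
    return f"{tag} AUTHENTICATE EXTERNAL {external_response(authzid) or '='}"


def classify_continuation(line: str) -> str:
    """Classify the line a client sent after '+', as a strict decoder would."""
    line = line.rstrip("\r\n")
    if line == "*":
        return "cancelled"  # RFC 3501: a lone '*' aborts the exchange
    try:
        authzid = base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "invalid base64"
    if authzid:
        return f"authzid={authzid!r}"
    return "empty response (identity from certificate)"


if __name__ == "__main__":
    # Constructed inputs; the first is the line typed after '+' in the transcript.
    for sample in ['01 list "" *', "", external_response("Stephen"), "*"]:
        print(repr(sample), "->", classify_continuation(sample))
    print(authenticate_with_initial_response("01"))
```

In an interactive `openssl s_client` session this corresponds to pressing Enter on an empty line after the `+`, or sending `01 AUTHENTICATE EXTERNAL =` in one line since the server's capability list includes SASL-IR.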

