[Dovecot] Testing EXTERNAL AUTHENTICATION

Stephen Feyrer steve at toth.org.uk
Wed Mar 17 00:04:09 EET 2010


Hi.

The tests using SASL and SASL-IR in Thunderbird both fail to authenticate.  I have tried using openssl s_client with the same result.  I've run the auth command in three ways just to be sure I got the second example right.  I even checked to make sure I've spelt my name right and the case of the letters.


# dovecot -n
# 1.2.10: /opt/etc/dovecot/dovecot.conf
# OS: Linux 2.6.12.6-arm1 armv5tejl  ext3
base_dir: /opt/var/run/dovecot/
log_path: /opt/var/log/dovecot/messages
info_log_path: /opt/var/log/dovecot/info
protocols: imaps
listen: [::]
ssl_ca_file: /opt/etc/domain.ca/cacrl.pem
ssl_cert_file: /opt/etc/domain.ca/newcerts/mail.cer
ssl_key_file: /opt/etc/domain.ca/private/mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /opt/var/run/dovecot/login
login_executable: /opt/libexec/dovecot/imap-login
login_process_size: 32
mail_location: dbox:/share/MD0_DATA/mail/%u
mail_debug: yes
dbox_rotate_days: 0
imap_id_send: *
imap_id_log: *
lda:
   postmaster_address: postmaster at ksudra.net
auth default:
   mechanisms: EXTERNAL
   realms: ksudra.net
   default_realm: ksudra.net
   user: admin
   verbose: yes
   debug: yes
   ssl_require_client_cert: yes
   ssl_username_from_cert: yes
   passdb:
     driver: passwd-file
     args: /opt/etc/dovecot/passwd
   userdb:
     driver: passwd

/opt/etc/dovecot/passwd
Stephen:{EXTERNAL}


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL =
01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

$ tail /opt/var/log/info.log
Mar 16 21:37:18 auth(default): Info: new auth connection: pid=10161
Mar 16 21:37:19 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:37:19 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:37:39 auth(default): Info: client in: AUTH    1        EXTERNAL        service=imap    secured valid-client-cert        cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     lport=993       rport=55745     resp=<hidden>
Mar 16 21:37:39 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:37:41 auth(default): Info: client out: FAIL   1        user=Stephen
Mar 16 21:38:52 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+

01 NO [AUTHENTICATIONFAILED] Authentication failed.
DONE

Mar 16 21:40:24 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS
Mar 16 21:40:26 auth(default): Info: new auth connection: pid=10173
Mar 16 21:40:28 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:40:28 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:40:38 auth(default): Info: client in: AUTH    1        EXTERNAL        service=imap    secured valid-client-cert        cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     lport=993       rport=35721
Mar 16 21:40:38 auth(default): Info: client out: CONT   1
Mar 16 21:40:40 auth(default): Info: client in: CONT<hidden>
Mar 16 21:40:40 auth(default): Info: passwd-file(Stephen,10.1.1.4): lookup: user=Stephen file=/opt/etc/dovecot/passwd
Mar 16 21:40:42 auth(default): Info: client out: FAIL   1        user=Stephen
Mar 16 21:40:47 imap-login: Info: Disconnected (cert required, client didn't start TLS): user=<Stephen>, method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS


$ openssl s_client -cert Stephen.pem -connect 10.1.1.245:993

---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=EXTERNAL] Dovecot ready.
01 AUTHENTICATE EXTERNAL
+
01 =
01 NO [ALERT] Invalid base64 data in continued response
DONE

Mar 16 21:42:04 auth(default): Info: new auth connection: pid=10178
Mar 16 21:42:06 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net
Mar 16 21:42:06 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen
Mar 16 21:42:31 auth(default): Info: client in: AUTH    1        EXTERNAL        service=imap    secured valid-client-cert        cert_username=Stephen       lip=10.1.1.245  rip=10.1.1.4     lport=993       rport=35725
Mar 16 21:42:31 auth(default): Info: client out: CONT   1
Mar 16 21:42:35 auth(default): Info: client in: CONT<hidden>
Mar 16 21:42:35 auth(default): Info: EXTERNAL(Stephen,10.1.1.4): Invalid base64 data in continued response
Mar 16 21:42:35 auth(default): Info: client out: FAIL   1        reason=Invalid base64 data in continued response
Mar 16 21:42:55 imap-login: Info: Disconnected (cert required, client didn't start TLS): method=EXTERNAL, rip=10.1.1.4, lip=10.1.1.245, TLS

--
Thanks

Stephen Feyrer.


On Tue, 16 Mar 2010 18:03:38 -0000, Timo Sirainen <tss at iki.fi> wrote:

> On Tue, 2010-03-16 at 18:01 +0000, Stephen Feyrer wrote:
>
>> How can I use SASL-IR with dovecot?
>
> It's client that uses it by sending:
>
> AUTHENTICATE EXTERNAL =
>
> instead of:
>
> AUTHENTICATE EXTERNAL
> <wait for reply>
> =
>
> so nothing really you can do about it..
>

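The three s_client exchanges above differ only in how the (empty) SASL response is framed, and the quoted reply explains the SASL-IR form. As an added example that is not part of this thread and not Dovecot code, the following toy server-side state machine in Python handles all three forms the way the transcripts show: a lone "=" on the AUTHENTICATE line is the RFC 4959 shorthand for an empty initial response, an empty continuation line is an empty response, and a lone "=" on a continuation line is not valid base64. It also performs the one check a server must make for EXTERNAL: an authorization identity sent by the client has to match the identity taken from the verified client certificate, otherwise a holder of Stephen's certificate could ask to be logged in as someone else. The passwd-file contents are a constructed copy of the one in the post, and the names (`ExternalAuthServer`, `run_exchange`, `decode_sasl`) are the example's own. Its passdb accepts any listed user, so the two well-formed exchanges end in OK here, unlike the logs above, where the passwd-file lookup itself returns FAIL for a reason the thread has not yet established.

```python
"""Toy server side of IMAP AUTHENTICATE EXTERNAL, with and without SASL-IR.

Added example for this thread; it is not Dovecot code. It models only the
protocol framing (RFC 3501 AUTHENTICATE, RFC 4959 SASL-IR, RFC 4422 EXTERNAL)
and the identity check a server must make; the passdb is a constructed
in-memory copy of the passwd-file from the post.
"""
import base64
import re

# Constructed copy of /opt/etc/dovecot/passwd from the post (user:{scheme}).
PASSWD_FILE = "Stephen:{EXTERNAL}\n"

# Well-formed base64: whole quads, then at most one padded tail. A lone "="
# does not match, which is what the third transcript ran into.
_B64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def load_passwd(text):
    """Parse passwd-file lines into {user: rest-of-line}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, rest = line.partition(":")
            users[user] = rest
    return users


def decode_sasl(data, initial):
    """Decode one SASL response as it appears on the wire.

    RFC 4959: on the AUTHENTICATE command line a single "=" means an empty
    initial response. On a continuation line there is no such shorthand:
    an empty response is an empty line, and "=" alone is invalid base64.
    """
    if initial and data == "=":
        return b""
    if data == "":
        return b""
    if not _B64.fullmatch(data):
        raise ValueError("Invalid base64 data in continued response")
    return base64.b64decode(data)


class ExternalAuthServer:
    """One AUTHENTICATE EXTERNAL exchange; handle() returns the reply line.

    cert_username is what imap-login took from the verified client
    certificate (cert_username=Stephen in the logs). sasl_ir says whether
    the server advertised SASL-IR in its CAPABILITY line.
    """

    def __init__(self, cert_username, passwd, sasl_ir=True):
        self.cert_username = cert_username
        self.passwd = passwd
        self.sasl_ir = sasl_ir
        self.tag = None
        self.waiting = False

    def handle(self, line):
        if self.waiting:  # client is answering our "+" continuation request
            self.waiting = False
            try:
                return self._finish(decode_sasl(line, initial=False))
            except ValueError as e:
                return f"{self.tag} NO [ALERT] {e}"
        parts = line.split(" ")
        if len(parts) not in (3, 4) or [p.upper() for p in parts[1:3]] != ["AUTHENTICATE", "EXTERNAL"]:
            return f"{parts[0]} BAD Expected AUTHENTICATE EXTERNAL"
        self.tag = parts[0]
        if len(parts) == 3:  # no initial response: ask for one
            self.waiting = True
            return "+"
        if not self.sasl_ir:  # RFC 4959: initial response only if advertised
            return f"{self.tag} BAD SASL-IR not advertised"
        try:
            return self._finish(decode_sasl(parts[3], initial=True))
        except ValueError as e:
            return f"{self.tag} NO [ALERT] {e}"

    def _finish(self, authzid):
        # RFC 4422 Appendix A: an empty authorization identity means "the
        # identity the external mechanism established", here the cert's CN.
        try:
            user = authzid.decode("utf-8") if authzid else self.cert_username
        except UnicodeDecodeError:
            return f"{self.tag} NO [AUTHENTICATIONFAILED] Authentication failed."
        # Security check: a client holding Stephen's certificate must not be
        # able to request authorization as anyone else, listed or not.
        if user != self.cert_username or user not in self.passwd:
            return f"{self.tag} NO [AUTHENTICATIONFAILED] Authentication failed."
        return f"{self.tag} OK Logged in as {user}"


def run_exchange(client_lines, cert_username="Stephen", passwd_text=PASSWD_FILE, sasl_ir=True):
    """Feed client lines to a fresh server; return the server's reply lines."""
    server = ExternalAuthServer(cert_username, load_passwd(passwd_text), sasl_ir)
    return [server.handle(line) for line in client_lines]


if __name__ == "__main__":
    # The three forms from the transcripts: SASL-IR, continuation with an
    # empty line, and continuation with a lone "=".
    for lines in (["01 AUTHENTICATE EXTERNAL ="],
                  ["01 AUTHENTICATE EXTERNAL", ""],
                  ["01 AUTHENTICATE EXTERNAL", "="]):
        for c, s in zip(lines, run_exchange(lines)):
            print(f"C: {c}\nS: {s}")
```

The decoder validates base64 with its own regular expression rather than relying on `base64.b64decode`, because the standard decoder's treatment of a bare "=" has varied between Python versions and the example needs the rejection to be deterministic. Feeding `run_exchange` a base64-encoded "admin" as the initial response with Stephen's certificate identity exercises the mismatch branch, which is the case a server must refuse.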

