[Dovecot] Incompatibility Thunderbirds Auth Mech TLS-Certificate <-> Dovecot

Christian Felsing pug at felsing.net
Fri Apr 25 12:56:13 UTC 2014


Hello,

it seems there is an issue regarding "TLS Certificate" authentication
between Thunderbird and Dovecot. The client certificate is obviously
recognized by Dovecot:

Apr 25 14:29:01 dovecot dovecot: imap-login: Valid certificate:
/emailAddress=christian.felsing at example.net/CN=Christian Felsing
(Test)/OU=CF Certificates/O=example.net/C=DE

AFAIK Dovecot always requires an IMAP login, even with a "static" passdb
configuration. Static means an arbitrary password is ok, but not that no
login at all is needed.

I hope I am wrong; the following log entry hints at what Thunderbird
does, or more precisely does not do:

Apr 25 14:29:01 dovecot dovecot: imap-login: Disconnected (no auth
attempts in 5 secs): user=<>, rip=192.168.1.99, lip=192.168.42.1, TLS,
session=<3+1THN33NQBtWq5D>

Dovecot wants an IMAP login, but Thunderbird does not send one. I am not
sure whether that is a bug (or a feature) of Dovecot or of Thunderbird.
Thunderbird does several strange things with client certificates:

1st) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use plain text auth, Thunderbird offers a
client certificate and the login succeeds as configured in Dovecot.
Unfortunately Thunderbird uses the same certificate for all accounts
configured for that host. That is very bad if Dovecot reads the username
from certificate attributes, because every account then logs in as the
certificate's identity.

2nd) If Dovecot is configured to request a client certificate and
Thunderbird is configured to use TLS Certificate, Thunderbird also
offers a client certificate, but Dovecot still requests a login from
Thunderbird. That fails, because Thunderbird assumes the TLS certificate
alone is enough for a successful login.

If it is true that Dovecot is not compatible with Thunderbird's way of
doing TLS certificate authentication, I am considering setting up a proxy
that supports it. Maybe Nginx would be a solution: it supports IMAP and
has a Lua module, so some Lua code could fake the authentication. This is
an ugly hack that I would like to avoid if anybody has a better
solution. Thunderbird is a very widespread IMAP client, so it should not
be ignored.

best regards
Christian

---Dovecot config---

# /opt/dovecot/bin/doveconf -n

# 2.2.12: /opt/dovecot/etc/dovecot-cert/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.4
# NOTE(review): the comment lines below are review annotations; every setting
# line is the original `doveconf -n` output. -n prints only non-default values,
# so settings referred to here as "at default" (auth_mechanisms, ssl,
# disable_plaintext_auth, ssl_cert_username_field, ssl_require_crl) are not in
# this dump and their effect is inferred — confirm with `doveconf -a`.
#
# NOTE(review): Thunderbird's "TLS Certificate" authentication method is SASL
# EXTERNAL: the client looks for AUTH=EXTERNAL in the capability list and never
# sends a LOGIN/AUTHENTICATE PLAIN, which matches the "no auth attempts in 5
# secs" disconnect in the mail above. auth_mechanisms is at its default (plain)
# here, so EXTERNAL is never advertised. Check whether this 2.2.12 build accepts
# `auth_mechanisms = plain external` (see the 2.2 release notes) before
# resorting to an Nginx/Lua proxy.

# Logs every authentication request in detail; useful while debugging only.
auth_debug = yes
# Writes the secrets clients send (passwords / SASL payloads) to the log in
# the clear. Turn this off as soon as the Thunderbird issue is understood.
auth_debug_passwords = yes
# Enables the user*master login syntax. No passdb with master=yes appears in
# this dump, so it looks inert here — confirm it is intended.
auth_master_user_separator = *
# Login is refused unless the TLS handshake presented a certificate that chains
# to ssl_ca (the "Valid certificate" line in the mail shows this working).
# Whether a client on the non-TLS listeners (143/110/4190) that does not use
# STARTTLS is also blocked depends on the default ssl/disable_plaintext_auth
# values, which are not in this dump — confirm.
auth_ssl_require_client_cert = yes
# The login name is taken from the certificate, not from what the client typed.
# ssl_cert_username_field is at its default (commonName), so the name is the
# CN. The CN in the log above, "Christian Felsing (Test)", contains spaces and
# parentheses that auth_username_chars (below) does not allow, so that exact
# certificate would be rejected at this step — either the field is set
# elsewhere or the successful test used a different certificate; confirm.
# Together with the static passdb below, possession of any certificate signed
# by ssl_ca (plus the shared static password) is the whole authentication: the
# CA's issuance and revocation process is the security boundary.
auth_ssl_username_from_cert = yes
# Whitelist of characters accepted in a login name; '#' is included because
# auth_username_translation produces it. (Value wrapped by the mail client.)
auth_username_chars =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
# Pairs of from/to characters: every '@' in the username becomes '#',
# presumably so a mail address maps onto a filesystem-safe path — confirm.
auth_username_translation = "@#"
base_dir = /var/run/dovecot-cert
# All mailboxes live under the single system uid 124 (mail_uid below), so
# per-user separation rests on Dovecot alone, not on filesystem permissions.
first_valid_uid = 124
last_valid_uid = 124
# Bound to one internal address only.
listen = 192.168.42.1
log_timestamp = %Y-%m-%d %H:%M:%S
login_greeting = example.net imap4/pop3 (cert only) ready.
mail_gid = 124
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = 124
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave imapflags notify
# Shared namespace: access to other users' folders is governed by the acl
# plugin configured in the plugin {} block below.
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
# Static passdb: any username is accepted as long as the password is exactly
# "test" — a single shared secret, not a per-user one. This is only acceptable
# because auth_ssl_require_client_cert gates the login on a CA-issued
# certificate; if the password is meant to be irrelevant, `nopassword=yes` is
# the explicit way to say so. Do not reuse this block on a server without the
# client-certificate requirement.
passdb {
  args = password=test
  driver = static
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  autocreate = Trash
  autocreate2 = Drafts
  autosubscribe = Trash
  autosubscribe2 = Drafts
  quota = maildir:User quota
  quota_rule = *:storage=500M
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  recipient_delimiter = +
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service anvil {
  client_limit = 4000
}
service auth-worker {
  group = vmail
}
service auth {
  client_limit = 8000
  # Anything running as user vmail or in group vmail can talk to the master
  # auth socket, i.e. perform lookups/logins on behalf of any user. Keep vmail's
  # group membership minimal.
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = dovecot
  }
  # Explicitly runs the auth process as root (default is $default_internal_user).
  # That is usually done to read /etc/shadow; with a static passdb there is
  # nothing here that needs root — consider dropping this line.
  user = root
}
service imap-login {
  # Port 143 has no ssl=yes: STARTTLS availability comes from the default ssl
  # setting, which is not in this dump.
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 1024
}
# Runs once per login as the mail user with the login name in the environment.
# The name is constrained by auth_username_chars above (no spaces or shell
# metacharacters besides '#', '@', '-'), but the script should still quote it.
service imap-postlogin {
  executable = script-login /opt/cfbin/lastlogin.sh
}
service imap {
  executable = imap imap-postlogin
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  process_limit = 1024
}
service pop3-postlogin {
  executable = script-login /opt/cfbin/lastlogin.sh
}
service pop3 {
  executable = pop3 pop3-postlogin
}
service quota-warning {
  executable = script /opt/cfbin/quota-warning.sh
  user = vmail
}
# CA bundle used to verify client certificates. Dovecot 2.2's ssl_require_crl
# defaults to yes (not shown), in which case this file must also carry the
# CA's CRL for verification to succeed — revocation then only works as well as
# that CRL is kept current; confirm.
ssl_ca = </opt/dovecot/etc/dovecot/client-ca.pem
ssl_cert = </opt/dovecot/etc/dovecot/example.net.pem
# "ALL" re-admits every suite OpenSSL knows except those explicitly excluded;
# 3DES is only demoted (+3DES), not removed, and SHA1/CBC suites remain.
# An explicit, shorter list would be a cheap tightening. (Value wrapped by the
# mail client.)
ssl_cipher_list =
kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl_dh_parameters_length = 4096
ssl_key = </opt/dovecot/etc/dovecot/example.net.key
ssl_prefer_server_ciphers = yes
# Client certificates are requested and verified against ssl_ca on every TLS
# connection; auth_ssl_require_client_cert above turns "verified if present"
# into "mandatory for login".
ssl_verify_client_cert = yes
verbose_ssl = yes
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_max_userip_connections = 20
  mail_plugins = quota imap_quota acl imap_acl
}
protocol sieve {
  managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol pop3 {
  mail_plugins = quota
  pop3_uidl_format = %08Xu%08Xv
}


