Disable auth_ssl_require_client_cert for SASL

damir damir at cargosoft.ru
Fri Jul 22 09:29:36 UTC 2016 

Hello!

Dovecot version - 2.2.6
Postfix version - 2.10.2
OS: Mageia Linux 4 x86_64

I have configured Dovecot imaps-server on 993 port to authenticate users 
via private certificates:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = no
Users' database is in OpenLDAP and in dovecot-ldap.conf.ext checking of 
users' passwords is disabled:
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
It all works fine.

I have configured Postfix submission-service on 587 port to connect 
users via StartTLS:
submission      inet    n       -       y       -       - smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_enforce_tls=yes
   -o smtpd_tls_req_ccert=yes
   -o smtpd_tls_ask_ccert=yes
   -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
   -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
   -o smtpd_helo_restrictions=permit_tls_all_clientcerts,reject
It works fine.

And now I have a new task: I also need Postfix to authenticate 
OpenLDAP-users using SASL on smtps-port 465. I need it for using on 
mobile devices, which don't support StartTLS. So I have configured smtps 
in Postfix:
smtps   inet    n       -       y       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
   -o smtpd_helo_restrictions=permit_sasl_authenticated,reject

While trying to connect to smtps, clients get an error: "Client didn't 
present valid SSL certificate", and this is clear. The question is: how 
to configure an additional auth-service in dovecot, which doesn't 
require private certificates and authenticates users using login/password?

Configuration-files:
dovecot -n:
# 2.2.6: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.43-server-1.mga4 x86_64 Mageia 4 ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
base_dir = /var/run/dovecot/
first_valid_gid = 12
first_valid_uid = 8
hostname = myexample.com
last_valid_gid = 12
last_valid_uid = 8
listen = *
login_greeting = Dovecot L ready.
login_trusted_networks = 127.0.0.0/8 10.62.0.0/16
mail_debug = yes
mail_gid = 12
mail_home = /home/mail/%d/%n
mail_location = maildir:/home/mail/%d/%n
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
   type = private
}
passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   default_fields = homeDirectory=/home/mail/%d/%n
   driver = ldap
}
plugin {
   sieve = /home/mail/%d/%n/sieve/UsersActiveScript.sieve
   sieve_before = /var/spool/mail/dovecot.sieve
   sieve_default = /var/spool/mail/dovecot.sieve
   sieve_dir = /home/mail/%d/%n/sieve
}
postmaster_address = admin at myexample.com
protocols = imap
service anvil {
   type = anvil
   unix_listener anvil-auth-penalty {
     group = mail
     mode = 0600
     user = mail
   }
   unix_listener anvil {
     mode = 0600
     user = mail
   }
}
service auth-worker {
   user = $default_internal_user
}
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   unix_listener auth-userdb {
     group = mail
     mode = 0600
     user = mail
   }
}
service imap-login {
   inet_listener imap {
     port = 0
     ssl = no
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service pop3-login {
   inet_listener pop3 {
     port = 0
   }
   inet_listener pop3s {
     port = 0
   }
}
ssl_ca = </etc/pki/CA/private/dovecot-ca.pem

grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf.ext:

uris = ldap://localhost
dn = cn=service,ou=Systems,dc=myexample,dc=com
dnpass = SeCrEt
auth_bind = no
ldap_version = 3
base = ou=People,dc=myexample,dc=com
deref = never
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(mail=%n@%d)(uid=%n))
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
pass_filter = (&(mail=%n@%d)(uid=%n))

Kind regards, Damir

More information about the dovecot mailing list