Why does dovecot reject password when authorizing by a certificate?

Aki Tuomi aki.tuomi at dovecot.fi
Thu Feb 1 10:28:24 EET 2018


Try adding auth_debug_password=yes

Aki


On 01.02.2018 10:27, yuryb wrote:
> We have a FreeBSD server with dovecot installed on it as an IMAP server. My
> user and password database is a text file with plaintext passwords.
> Clients connect to the IMAP server via the TLS protocol and a plaintext
> password. All works fine. But I want to configure the ability to authorize
> with client certificates. I have generated a client certificate and
> imported it into the email client. Also, I have configured dovecot to verify
> client certificates. But the email client cannot authorize: Password
> mismatch. Why does dovecot reject my password in this case? Please help!
>
> My log:
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso
> Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
> session=<fp5P5SBkhtMKAQE7>
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
> Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>,
> rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
> dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>):
> Password mismatch
> dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS,
> session=<fp5P5SBkhtMKAQE7>
>
> My configuration:
> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 10.2-RELEASE-p20 amd64  ufs
> auth_debug = yes
> auth_mechanisms = plain login external
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
> auth_username_format = %Ln
> auth_verbose = yes
> disable_plaintext_auth = no
> lda_mailbox_autocreate = yes
> mail_debug = yes
> mail_gid = 999
> mail_location = maildir:/mnt/mail/%n
> mail_uid = 999
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /usr/local/etc/dovecot/users
>   driver = passwd-file
> }
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0660
>     user = vmail
>   }
> }
> service imap-login {
>   inet_listener imaps {
>     ssl = yes
>   }
> }
> ssl_ca = </etc/ssl/cacert.pem
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/ssl/private/dovecot.pem
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> ssl_require_crl = no
> ssl_verify_client_cert = yes
> userdb {
>   args = /usr/local/etc/dovecot/users
>   driver = passwd-file
> }
> verbose_ssl = yes
>
