Why does dovecot reject password when authorizing by a certificate?
yuryb
yuryb at ukr.net
Thu Feb 1 12:08:14 EET 2018
I have added "auth_debug_password=yes" to "10-logging.conf" and restarted dovecot. But I do not see any information about the password in the logs. Does this mean that the thunderbird does not send the password? Although it asks for the password and I enter one.
New log:
dovecot: master: Warning: Killed with signal 15 (by pid=19769 uid=0 code=kill)
dovecot: master: Dovecot v2.2.24 (a82c823) starting up for imap, pop3
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<pOTtkSNkxNoKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 99 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<pOTtkSNkxNoKAQE7>
Try adding auth_debug_password=yes
Aki
On 01.02.2018 10:27, yuryb wrote:
We have FreeBSD-server with dovecot installed on it as IMAP-server. My user and password database is a text file with plaintext passwords. Clients connect to imap-server via TLS protocol and plaintext password. All works fine. But I want to configure ability to authorize with a client certificates. I have generated a client certificate and imported it to email-client. Also I have configured dovecot to verify client certificates. But email-client cannot authorize: Password mismatch. Why dovecot reject my password in this case? Please help!
My log: dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
My configuration:
# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
auth_debug = yes
auth_mechanisms = plain login external
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
mail_debug = yes
mail_gid = 999
mail_location = maildir:/mnt/mail/%n
mail_uid = 999
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /usr/local/etc/dovecot/users
driver = passwd-file
}
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
inet_listener imaps {
ssl = yes
}
}
ssl_ca = </etc/ssl/cacert.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_require_crl = no
ssl_verify_client_cert = yes
userdb {
args = /usr/local/etc/dovecot/users
driver = passwd-file
}
verbose_ssl = yes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180201/0dbcd8b2/attachment.html>
More information about the dovecot
mailing list