Why does dovecot reject password when authorizing by a certificate?

Aki Tuomi aki.tuomi at dovecot.fi
Thu Feb 1 12:09:04 EET 2018


You probably need to also enable

auth_debug=yes

auth_verbose=yes

Also, are you sure you just don't have the wrong password?


Aki


On 01.02.2018 12:08, yuryb wrote:
> I have added "auth_debug_password=yes" to "10-logging.conf" and
> restarted dovecot. But I do not see any information about the password
> in the logs. Does this mean that Thunderbird does not send the
> password? Although it asks for the password and I enter one.
> New log:
> dovecot: master: Warning: Killed with signal 15 (by pid=19769 uid=0
> code=kill)
> dovecot: master: Dovecot v2.2.24 (a82c823) starting up for imap, pop3
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso
> Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
> session=<pOTtkSNkxNoKAQE7>
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
> Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua: user=<>,
> rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<pOTtkSNkxNoKAQE7>
> dovecot: auth: passwd-file(sysadmin,10.1.1.59,<pOTtkSNkxNoKAQE7>):
> Password mismatch
> dovecot: imap-login: Disconnected (auth failed, 1 attempts in 99
> secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99,
> TLS, session=<pOTtkSNkxNoKAQE7>
>
>     Try adding auth_debug_password=yes
>
>     Aki
>
>
>     On 01.02.2018 10:27, yuryb wrote:
>>     We have a FreeBSD server with dovecot installed on it as an
>>     IMAP server. My user and password database is a text file with
>>     plaintext passwords. Clients connect to the IMAP server via the TLS
>>     protocol and a plaintext password. Everything works fine. But I want
>>     to configure the ability to authorize with client certificates. I
>>     have generated a client certificate and imported it into the email
>>     client. I have also configured dovecot to verify client certificates.
>>     But the email client cannot authorize: Password mismatch. Why does
>>     dovecot reject my password in this case? Please help!
>>
>>     My log:
>>     dovecot: imap-login: Valid certificate:
>>     /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59,
>>     lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
>>     dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
>>     Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin at contoso.ua:
>>     user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
>>     session=<fp5P5SBkhtMKAQE7>
>>     dovecot: auth:
>>     passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
>>     dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6
>>     secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59,
>>     lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
>>
>>     My configuration:
>>     # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
>>     # OS: FreeBSD 10.2-RELEASE-p20 amd64  ufs
>>     auth_debug = yes
>>     auth_mechanisms = plain login external
>>     auth_ssl_require_client_cert = yes
>>     auth_ssl_username_from_cert = yes
>>     auth_username_format = %Ln
>>     auth_verbose = yes
>>     disable_plaintext_auth = no
>>     lda_mailbox_autocreate = yes
>>     mail_debug = yes
>>     mail_gid = 999
>>     mail_location = maildir:/mnt/mail/%n
>>     mail_uid = 999
>>     namespace inbox {
>>       inbox = yes
>>       location =
>>       mailbox Drafts {
>>         special_use = \Drafts
>>       }
>>       mailbox Junk {
>>         special_use = \Junk
>>       }
>>       mailbox Sent {
>>         special_use = \Sent
>>       }
>>       mailbox "Sent Messages" {
>>         special_use = \Sent
>>       }
>>       mailbox Trash {
>>         special_use = \Trash
>>       }
>>       prefix =
>>     }
>>     passdb {
>>       args = /usr/local/etc/dovecot/users
>>       driver = passwd-file
>>     }
>>     protocols = imap pop3
>>     service auth {
>>       unix_listener /var/spool/postfix/private/auth {
>>         group = postfix
>>         mode = 0660
>>         user = postfix
>>       }
>>       unix_listener auth-userdb {
>>         group = vmail
>>         mode = 0660
>>         user = vmail
>>       }
>>     }
>>     service imap-login {
>>       inet_listener imaps {
>>         ssl = yes
>>       }
>>     }
>>     ssl_ca = </etc/ssl/cacert.pem
>>     ssl_cert = </etc/ssl/certs/dovecot.pem
>>     ssl_dh_parameters_length = 2048
>>     ssl_key = </etc/ssl/private/dovecot.pem
>>     ssl_prefer_server_ciphers = yes
>>     ssl_protocols = !SSLv2 !SSLv3 !TLSv1
>>     ssl_require_crl = no
>>     ssl_verify_client_cert = yes
>>     userdb {
>>       args = /usr/local/etc/dovecot/users
>>       driver = passwd-file
>>     }
>>     verbose_ssl = yes
>>
>
