Dovecot & OAuth

mizuki mizuki0621 at gmail.com
Tue Dec 10 17:44:54 EET 2019


Thank you Stephan,

I'm wondering if I can read the track of the status of bug reports? Could
you please advice?
Thanks.
Mizuki

On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan at rename-it.nl> wrote:

>
>
> On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
> > Hi!
> >
> > It seems there is a bug in the oauth2 driver, it loads the cert files
> wrong way. I'll make an internal bug report of this.
>
> Tracking as DOP-1590.
>
> Regards,
>
> Stephan.
>
>
> >> On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote:
> >>
> >>
> >> Hi,
> >>
> >> For troubleshooting purposes, I change the read/write permissions on
> the certs and confirmed 'dovecot' can read them w/o problem, but still
> seeing the same errors. :(
> >> Mizuki
> >>
> >>
> >> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi at open-xchange.com>
> wrote:
> >>>
> >>> Is the key/cert pair readable by dovecot user? auth process does not
> run as root.
> >>>
> >>>
> >>>
> >>>
> >>> You can add
> >>>
> >>>
> >>>
> >>>
> >>> service auth {
> >>>
> >>> extra_groups = ssl_cert
> >>>
> >>> }
> >>>
> >>>
> >>>
> >>>
> >>> and chgrp the cert to ssl_cert to allow access to the cert.
> >>>
> >>>
> >>>
> >>>
> >>> Aki
> >>>
> >>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> I changed some of the tls options following the document, now config
> is following:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> tokeninfo_url =
> https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
> >>>> introspection_url =
> https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
> >>>> introspection_mode = post
> >>>> debug = yes
> >>>> rawlog_dir = /tmp/oauth2
> >>>> #force_introspection = yes
> >>>> username_attribute = username
> >>>> #active_attribute = active
> >>>> #active_value = true
> >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
> >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> >>>>
> >>>>
> >>>> ---------------
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> The debug log is showing now slightly different msg ex:
> >>>>
> >>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error:
> oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't
> initialize SSL context: Can't load SSL certificate: There is no valid PEM
> certificate.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Still not able to connect to the keyclaok server. :(
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> PS: Dovecot & Keycloak severs are both using the same legit cert/key
> pair with CA file configured.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Mizuki
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < aki.tuomi at open-xchange.com>
> wrote:
> >>>>
> >>>>
> >>>>> Before declaring it not ready for prime time, did you try setting
> >>>>>
> >>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
> >>>>>
> >>>>> In the oauth2 configuration file as documented in
> https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
> >>>>>
> >>>>> Aki
> >>>>>
> >>>>>> On 05/12/2019 21:58 mizuki via dovecot < dovecot at dovecot.org>
> wrote:
> >>>>>>
> >>>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> We'd like to enable OAuth with Keycloak in Dovecot, after enabling
> 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm
> Dovecot is ready for OAuth using openssl command, however when the auth
> request comes in, it failed in establishing a SSL connection with Keycloak
> server on port 443, shown as following in debug logs. I can confirming
> using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl
> -v https://<keycloak_server/' all returns normal and no errors. Altering
> some of the SSL options in dovecot such as 'ssl_ca =
> </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file =
> </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are
> NOT self-signed but signed the legit authorities. So I'm not sure why
> dovecot could not establish the connections.
> >>>>>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20191210/e48966f2/attachment.html>


More information about the dovecot mailing list