Dovecot & OAuth
Stephan Bosch
stephan at rename-it.nl
Tue Dec 10 18:00:28 EET 2019
On 10-12-2019 at 16:44, mizuki wrote:
> Thank you Stephan,
>
> I'm wondering if I can read the track of the status of bug reports?
> Could you please advise?
No, this is for our own internal reference.
> Thanks.
> Mizuki
>
> On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan at rename-it.nl> wrote:
>
> On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
> > Hi!
> >
> > It seems there is a bug in the oauth2 driver, it loads the cert
> > files the wrong way. I'll make an internal bug report of this.
>
> Tracking as DOP-1590.
>
> Regards,
>
> Stephan.
>
> >> On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> For troubleshooting purposes, I changed the read/write
> >> permissions on the certs and confirmed 'dovecot' can read them w/o
> >> problem, but still seeing the same errors. :(
> >> Mizuki
> >>
> >> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi
> >> <aki.tuomi at open-xchange.com> wrote:
> >>>
> >>> Is the key/cert pair readable by dovecot user? auth process
> >>> does not run as root.
> >>>
> >>> You can add
> >>>
> >>> service auth {
> >>>   extra_groups = ssl_cert
> >>> }
> >>>
> >>> and chgrp the cert to ssl_cert to allow access to the cert.
> >>>
> >>> Aki
> >>>
> >>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote:
> >>>>
> >>>> I changed some of the tls options following the document, now
> >>>> the config is the following:
> >>>>
> >>>> tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
> >>>> introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
> >>>> introspection_mode = post
> >>>> debug = yes
> >>>> rawlog_dir = /tmp/oauth2
> >>>> #force_introspection = yes
> >>>> username_attribute = username
> >>>> #active_attribute = active
> >>>> #active_value = true
> >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
> >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> >>>>
> >>>> ---------------
> >>>>
> >>>> The debug log is now showing a slightly different msg, ex:
> >>>>
> >>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error:
> >>>> oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed:
> >>>> Couldn't initialize SSL context: Can't load SSL certificate: There
> >>>> is no valid PEM certificate.
> >>>>
> >>>> Still not able to connect to the keycloak server. :(
> >>>>
> >>>> PS: Dovecot & Keycloak servers are both using the same legit
> >>>> cert/key pair with CA file configured.
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Mizuki
> >>>>
> >>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi
> >>>> <aki.tuomi at open-xchange.com> wrote:
> >>>>
> >>>>> Before declaring it not ready for prime time, did you try
> >>>>> setting
> >>>>>
> >>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
> >>>>>
> >>>>> in the oauth2 configuration file as documented in
> >>>>> https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
> >>>>>
> >>>>> Aki
> >>>>>
> >>>>>> On 05/12/2019 21:58 mizuki via dovecot <dovecot at dovecot.org> wrote:
> >>>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> We'd like to enable OAuth with Keycloak in Dovecot. After
> >>>>>> enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on the online
> >>>>>> document, I can confirm Dovecot is ready for OAuth using the openssl
> >>>>>> command; however, when the auth request comes in, it fails in
> >>>>>> establishing an SSL connection with the Keycloak server on port 443,
> >>>>>> as shown in the debug logs below. I can confirm that the commands
> >>>>>> 'openssl s_client -connect <keycloak_server>:443' or 'curl -v
> >>>>>> https://<keycloak_server>/' both return normally with no errors.
> >>>>>> Altering some of the SSL options in dovecot such as 'ssl_ca =
> >>>>>> </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file =
> >>>>>> </etc/pki/CA/certs/root_ca.pem' does not help either. The
> >>>>>> certificates are NOT self-signed but signed by legit authorities.
> >>>>>> So I'm not sure why dovecot could not establish the connections.
> >>>>>>
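A check for the two failure modes discussed in this thread (the auth process user lacking read access to the key/cert files, and a tls_*_file setting pointing at a file without the expected PEM block), as an added example that is not from the thread or from Dovecot; it assumes a Linux host with GNU stat, and the 'dovecot' user and paths in main are taken from the thread as illustrations.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot. Checks that each
# tls_*_file named in the oauth2 config is readable by the user the auth
# process runs as, and holds the PEM block type the setting expects.
# Assumes a Linux host with GNU stat; user and paths are illustrative.

# Return 0 if user $1 can read $2 according to the owner/group/other bits.
user_can_read() {
    user=$1; file=$2
    info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 1
    set -- $info
    owner=$1; group=$2; mode=$3
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c1)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$mode" | cut -c2)
    else
        bit=$(printf '%s' "$mode" | cut -c3)
    fi
    [ $((bit & 4)) -eq 4 ]
}

# Return 0 if $2 contains a PEM block whose label ends in $1,
# e.g. "CERTIFICATE" or "PRIVATE KEY" (also matches "RSA PRIVATE KEY").
pem_has_block() {
    grep -q -- "^-----BEGIN .*$1-----" "$2" 2>/dev/null
}

# check_tls_file USER KIND PATH: KIND is ca, cert or key.
# Prints one diagnostic per failure; returns non-zero if any check fails.
check_tls_file() {
    user=$1; kind=$2; file=$3; rc=0
    case $kind in
        key) label="PRIVATE KEY" ;;
        *)   label="CERTIFICATE" ;;
    esac
    if ! user_can_read "$user" "$file"; then
        echo "$file: not readable by $user (auth does not run as root)"; rc=1
    fi
    if ! pem_has_block "$label" "$file"; then
        echo "$file: no '$label' PEM block; wrong file for $kind?"; rc=1
    fi
    return $rc
}

# Call main to check the paths from the thread (edit for your host).
main() {
    check_tls_file dovecot ca   /etc/pki/CA/certs/incommon-rsa-server-ca.crt
    check_tls_file dovecot cert /etc/pki/dovecot/certs/dovecot.pem
    check_tls_file dovecot key  /etc/pki/dovecot/private/dovecot.pem
}
```

Run the script with `. ./check_tls.sh && main` as root; a non-zero exit with a diagnostic line points at the file to chgrp (and list in extra_groups) or at the setting whose path holds the wrong kind of PEM.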
>