<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Try adding auth_debug_password=yes</p>
    <p>Aki<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 01.02.2018 10:27, yuryb wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1517472359.496050302.m53l6szs@frv51.fwdcdn.com"><span
        class="xfm_51868779">We have a FreeBSD server with Dovecot
        installed on it as an IMAP server. My user and password database is
        a text file with plaintext passwords. Clients connect to the
        IMAP server via the TLS protocol with a plaintext password. Everything works
        fine. But I want to configure the ability to authorize with
        client certificates. I have generated a client certificate and imported
        it into the email client. I have also configured Dovecot to verify
        client certificates. But the email client cannot authorize: Password
        mismatch. Why does Dovecot reject my password in this case? Please
        help!<br>
        <br>
        My log:
        <div>
          <div>dovecot: imap-login: Valid certificate:
            /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=&lt;&gt;,
            rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
            session=&lt;fp5P5SBkhtMKAQE7&gt;</div>
          <div>dovecot: imap-login: Valid certificate:
            /C=UA/ST=Kyiv/O=Contoso
            Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua:
            user=&lt;&gt;, rip=10.1.1.59, lip=10.1.1.99, TLS
            handshaking, session=&lt;fp5P5SBkhtMKAQE7&gt;</div>
          <div>dovecot: auth:
            passwd-file(sysadmin,10.1.1.59,&lt;fp5P5SBkhtMKAQE7&gt;):
            Password mismatch</div>
          <div>dovecot: imap-login: Disconnected (auth failed, 1
            attempts in 6 secs): user=&lt;sysadmin&gt;, method=EXTERNAL,
            rip=10.1.1.59, lip=10.1.1.99, TLS,
            session=&lt;fp5P5SBkhtMKAQE7&gt;</div>
          <div><br>
          </div>
          <div>My configuration:</div>
          <div>
            <div># 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf</div>
            <div># OS: FreeBSD 10.2-RELEASE-p20 amd64  ufs</div>
            <div>auth_debug = yes</div>
            <div>auth_mechanisms = plain login external</div>
            <div>auth_ssl_require_client_cert = yes</div>
            <div>auth_ssl_username_from_cert = yes</div>
            <div>auth_username_format = %Ln</div>
            <div>auth_verbose = yes</div>
            <div>disable_plaintext_auth = no</div>
            <div>lda_mailbox_autocreate = yes</div>
            <div>mail_debug = yes</div>
            <div>mail_gid = 999</div>
            <div>mail_location = maildir:/mnt/mail/%n</div>
            <div>mail_uid = 999</div>
            <div>namespace inbox {</div>
            <div>  inbox = yes</div>
            <div>  location =</div>
            <div>  mailbox Drafts {</div>
            <div>    special_use = \Drafts</div>
            <div>  }</div>
            <div>  mailbox Junk {</div>
            <div>    special_use = \Junk</div>
            <div>  }</div>
            <div>  mailbox Sent {</div>
            <div>    special_use = \Sent</div>
            <div>  }</div>
            <div>  mailbox "Sent Messages" {</div>
            <div>    special_use = \Sent</div>
            <div>  }</div>
            <div>  mailbox Trash {</div>
            <div>    special_use = \Trash</div>
            <div>  }</div>
            <div>  prefix =</div>
            <div>}</div>
            <div>passdb {</div>
            <div>  args = /usr/local/etc/dovecot/users</div>
            <div>  driver = passwd-file</div>
            <div>}</div>
            <div>protocols = imap pop3</div>
            <div>service auth {</div>
            <div>  unix_listener /var/spool/postfix/private/auth {</div>
            <div>    group = postfix</div>
            <div>    mode = 0660</div>
            <div>    user = postfix</div>
            <div>  }</div>
            <div>  unix_listener auth-userdb {</div>
            <div>    group = vmail</div>
            <div>    mode = 0660</div>
            <div>    user = vmail</div>
            <div>  }</div>
            <div>}</div>
            <div>service imap-login {</div>
            <div>  inet_listener imaps {</div>
            <div>    ssl = yes</div>
            <div>  }</div>
            <div>}</div>
            <div>ssl_ca = &lt;/etc/ssl/cacert.pem</div>
            <div>ssl_cert = &lt;/etc/ssl/certs/dovecot.pem</div>
            <div>ssl_dh_parameters_length = 2048</div>
            <div>ssl_key = &lt;/etc/ssl/private/dovecot.pem</div>
            <div>ssl_prefer_server_ciphers = yes</div>
            <div>ssl_protocols = !SSLv2 !SSLv3 !TLSv1</div>
            <div>ssl_require_crl = no</div>
            <div>ssl_verify_client_cert = yes</div>
            <div>userdb {</div>
            <div>  args = /usr/local/etc/dovecot/users</div>
            <div>  driver = passwd-file</div>
            <div>}</div>
            <div>verbose_ssl = yes</div>
          </div>
          <div><br>
          </div>
        </div>
      </span>
    </blockquote>
    <br>
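    <p>Added example, not part of the original thread or of Dovecot: a small Python script that groups the log lines quoted above by session id, showing that the certificate was accepted at the TLS layer and that the rejection came from the passwd-file passdb during the EXTERNAL exchange. The regular expressions are fitted to the line shapes quoted here, and treating the last certificate logged per session as the client's own is an assumption.</p>

```python
import re
from collections import defaultdict

# Log lines from the quoted message, re-joined to one event per line.
SAMPLE_LOG = """\
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso Ltd/OU=IT/CN=sysadmin/emailAddress=sysadmin@contoso.ua: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>): Password mismatch
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS, session=<fp5P5SBkhtMKAQE7>
"""

CERT_RE = re.compile(r"imap-login: Valid certificate: (?P<dn>/.+?): user=<[^>]*>.*session=<(?P<sid>[^>]+)>")
AUTH_RE = re.compile(r"auth: (?P<driver>[\w-]+)\([^,]*,[^,]*,<(?P<sid>[^>]+)>\): (?P<msg>.+)")
DISC_RE = re.compile(r"imap-login: Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
                     r"method=(?P<method>[\w-]+),.*session=<(?P<sid>[^>]+)>")


def correlate(log_text):
    """Group certificate, passdb and disconnect events by session id."""
    sessions = defaultdict(lambda: {"subjects": [], "passdb_errors": [], "disconnect": None})
    for line in log_text.splitlines():
        if m := CERT_RE.search(line):
            sessions[m["sid"]]["subjects"].append(m["dn"])
        elif m := AUTH_RE.search(line):
            sessions[m["sid"]]["passdb_errors"].append((m["driver"], m["msg"].strip()))
        elif m := DISC_RE.search(line):
            sessions[m["sid"]]["disconnect"] = m.groupdict()
    return dict(sessions)


def cert_auth_failures(log_text):
    """Sessions where TLS accepted a certificate but EXTERNAL auth still failed."""
    findings = []
    for sid, s in correlate(log_text).items():
        d = s["disconnect"]
        failed = d and d["method"] == "EXTERNAL" and d["reason"].startswith("auth failed")
        if not (failed and s["subjects"]):
            continue
        # Assumption: the last certificate logged for a session is the client's own.
        cn = re.search(r"/CN=([^/]+)", s["subjects"][-1])
        findings.append({"session": sid, "user": d["user"], "method": d["method"],
                         "cert_cn": cn.group(1) if cn else None,
                         "passdb_errors": s["passdb_errors"]})
    return findings


if __name__ == "__main__":
    for finding in cert_auth_failures(SAMPLE_LOG):
        print(finding)
```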
  </body>
</html>