Hi Sam,

I'm trying to get this running, but I fear I won't get any further without your feedback. Logging in with a certificate just doesn't work. :(
I have created a CA certificate and a client certificate. The CA has signed itself and the client:

> openssl verify -verbose -CAfile courier-ca.crt *.crt
> courier-ca.crt: OK
> t...@lenzw.de.crt: OK

My userdb contains a line for that login and I have run makeuserdb.

> t...@lenzw.de	mail=/var/vmail/lenzw.de/mail/|uid=5000|gid=5000

imapd is configured accordingly (the certificate exists and has world-read permissions):

> TLS_TRUSTCERTS=/etc/ssl/certs/mail-ca.crt
> TLS_VERIFYPEER=PEER
> TLS_EXTERNAL=emailaddress

I tested connecting on port 143 with STARTTLS as well as port 993.

> openssl s_client -connect umask.pw:993 -cert t...@lenzw.de.crt -key t...@lenzw.de.key
> ...
> Acceptable client certificate CA names
> /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.fw.umask.pw
> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
> Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> ...
So the cert I am using should work okay:

>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw
>         Validity
>             Not Before: Jul 23 21:10:50 2015 GMT
>             Not After : Aug  1 21:10:50 2016 GMT
>         Subject: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw/emailAddress=t...@lenzw.de

When I try to log in with Thunderbird, it lets me choose my key+certificate, but login doesn't work:

> 1196[129a4bc0]: try to log in
> 1196[129a4bc0]: IMAP auth: server caps 0x204c3325, pref 0x20000000, failed 0x0, avail caps 0x20000000
> 1196[129a4bc0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
> 1196[129a4bc0]: trying auth method 0x20000000
> 1196[129a4bc0]: IMAP: trying auth method 0x20000000
> 1196[129a4bc0]: 13ba0800:umask.pw:NA:SendData: 3 authenticate EXTERNAL dGVzdEBsZW56dy5kZQ==
> 1196[129a4bc0]: ReadNextLine [stream=18445650 nb=20 needmore=0]
> 1196[129a4bc0]: 13ba0800:umask.pw:NA:CreateNewLineFromSocket: 3 NO Login failed.
> 1196[129a4bc0]: authlogin failed

Unfortunately, I don't get much more information from Courier:

> Jul 23 23:58:03 localhost imapd-ssl: Connection, ip=[::ffff:...]
> Jul 23 23:58:06 localhost imapd-ssl: LOGIN FAILED, method=EXTERNAL, ip=[::ffff:...]
> Jul 23 23:58:12 localhost imapd-ssl: Disconnected, ip=[::ffff:...], time=9, starttls=1

Are there any more logging options in Courier that I can enable? This mode seems to bypass authdaemon and I haven't found any log level options besides authdaemon.
Sorry for the long mail and thank you for reading it,

Lenz

On 22.07.2015 at 14:21, Sam Varshavchik wrote:

> Sam Varshavchik writes:
>
>> Lenz Weber writes:
>>
>>> Hi, sorry, but I have not found any documentation on this:
>>>
>>> I see that I can add a CA certificate to TLS_TRUSTCERTS and then set TLS_VERIFYPEER to PEER to enable certificate authentication.
>>>
>>> But with just that setup, if one client key is compromised, I have to change the complete CA. Is there a way to revoke a single certificate?
>>
>> Nope. There is no support for revocation lists at this time.
>
> Note, though, that you can achieve pretty much the same thing via authentication.
>
> Client certificates work by having the code fish out the emailAddress attribute from the client's certificate and using it to log in. So, to effectively revoke the certificate, remove the login, and create another one, with a new certificate.
>
> Even with /etc/passwd, you can have two entries in /etc/passwd with different login names, but same userid, groupid, and home directory. One is the public email address, the second one is for logging in. To effectively revoke a cert, the second one is removed, and replaced. So, one would have <u...@example.com> as their public email address, and their certificate reads <mb2...@example.com>, which logs into this mailbox. Left to its own devices, mail to either address would end up in the same mailbox, but so what. To "remove" the certificate, the <mb2...@example.com> login gets deleted, and replaced with <mb2...@example.com>, the public email address is unaffected.
_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
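The emailAddress-to-login lookup that TLS_EXTERNAL=emailaddress relies on, and Sam's scheme of a dedicated certificate login sharing a mailbox with the public address, as an added Python example (not code from the thread or from Courier; the addresses, mail directory and the single-file userdb text are constructed placeholders):

```python
import re

# Subject as printed by "openssl x509 -noout -subject" (constructed to mirror the
# thread's CN=.../emailAddress=... form; addresses are placeholders, not the poster's).
CERT_SUBJECT = ("C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, "
                "CN=mail.fw.umask.pw/emailAddress=mb2@example.com")

# Constructed userdb text in Courier's "login<TAB>field=value|field=value" layout:
# the public address and the certificate login share mail dir, uid and gid.
USERDB = (
    "user@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000\n"
    "mb2@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000\n"
)


def email_from_subject(subject):
    """emailAddress attribute of an OpenSSL-style subject string, or None.
    Accepts both ", emailAddress=" and the "CN=.../emailAddress=" form."""
    m = re.search(r"(?:^|[,/]\s*)emailAddress=([^,/\s]+)", subject)
    return m.group(1) if m else None

def parse_userdb(text):
    """Parse userdb text into {login: {field: value}}; skips blanks and comments."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        login, _, fields = line.partition("\t")
        db[login] = dict(f.split("=", 1) for f in fields.split("|") if "=" in f)
    return db

def cert_login(subject, userdb):
    """Resolve a client cert the way TLS_EXTERNAL=emailaddress does: the
    emailAddress attribute is the login. Returns (login, record) or (None, None)."""
    login = email_from_subject(subject)
    if login is None or login not in userdb:
        return None, None
    return login, userdb[login]

def revoke_cert_login(userdb, login):
    """'Revoke' a cert by dropping its dedicated login; the public alias that
    shares uid/gid/mail dir is untouched. Returns a new dict (re-run makeuserdb)."""
    return {k: v for k, v in userdb.items() if k != login}

if __name__ == "__main__":
    db = parse_userdb(USERDB)
    print(cert_login(CERT_SUBJECT, db))          # ('mb2@example.com', {...})
    db = revoke_cert_login(db, "mb2@example.com")
    print(cert_login(CERT_SUBJECT, db))          # (None, None): cert no longer logs in
    print("user@example.com" in db)              # True: public address unaffected
```

Running it against a real setup means substituting the subject from `openssl x509 -in client.crt -noout -subject` and the contents of the userdb file; a `(None, None)` result is the same condition that makes Courier answer "NO Login failed." to AUTHENTICATE EXTERNAL.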