Hello Lenz,
which version of Thunderbird are you using? Thunderbird 38.1.0 for 
Windows and Thunderbird 37.8.0 for Linux (Ubuntu) are no longer compatible 
with some POP3/IMAP servers when using SSL/TLS security.

https://bugzilla.mozilla.org/show_bug.cgi?id=1183650
https://www.thunderbird-mail.de/index.php/Thread/70861-Verbindungssicherheit-STARTTLS-funktioniert-seit-TB-38-1-0-nicht-mehr

In Ubuntu I switched to the e-mail client Evolution, and in Windows I 
reinstalled Thunderbird 38.0.1 and disabled the automatic update function.



On 24.07.2015 at 00:11, Lenz Weber wrote:
>
> Hi Sam,
> I'm trying to get this running, but I fear I won't get any further
> without your feedback.
> Logging in with a certificate just doesn't work. :(
>
> I have created a CA certificate and a client certificate. The CA has
> signed itself and the client:
>
>> openssl verify -verbose -CAfile courier-ca.crt *.crt
>> courier-ca.crt: OK
>> t...@lenzw.de.crt: OK
> my userdb contains a line for that login and I have run makeuserdb.
>
>> t...@lenzw.de   mail=/var/vmail/lenzw.de/mail/|uid=5000|gid=5000
>
> imapd is configured accordingly: (the certificate exists and has
> world-read permissions)
>
>> TLS_TRUSTCERTS=/etc/ssl/certs/mail-ca.crt
>> TLS_VERIFYPEER=PEER
>> TLS_EXTERNAL=emailaddress
> I tested connecting on port 143 with STARTTLS as well as port 993.
>
>> openssl s_client -connect umask.pw:993 -cert t...@lenzw.de.crt -key t...@lenzw.de.key
>> ...
>> Acceptable client certificate CA names
>> /C=DE/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.fw.umask.pw
>> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
>> Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>> Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>> ...
> So the cert I am using should work okay:
>
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw
>> Validity
>>     Not Before: Jul 23 21:10:50 2015 GMT
>>     Not After : Aug  1 21:10:50 2016 GMT
>> Subject: C=DE, ST=Some-State, O=Internet Widgits Pty Ltd, CN=mail.fw.umask.pw/emailAddress=t...@lenzw.de
>
> When I try to login with Thunderbird, it lets me choose my
> key+certificate, but login doesn't work:
>
>> 1196[129a4bc0]: try to log in
>> 1196[129a4bc0]: IMAP auth: server caps 0x204c3325, pref 0x20000000, failed 0x0, avail caps 0x20000000
>> 1196[129a4bc0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
>>    LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
>> 1196[129a4bc0]: trying auth method 0x20000000
>> 1196[129a4bc0]: IMAP: trying auth method 0x20000000
>> 1196[129a4bc0]: 13ba0800:umask.pw:NA:SendData: 3 authenticate EXTERNAL dGVzdEBsZW56dy5kZQ==
>> 1196[129a4bc0]: ReadNextLine [stream=18445650 nb=20 needmore=0]
>> 1196[129a4bc0]: 13ba0800:umask.pw:NA:CreateNewLineFromSocket: 3 NO Login failed.
>> 1196[129a4bc0]: authlogin failed
> Unfortunately, I don't get much more information from Courier:
>
>> Jul 23 23:58:03 localhost imapd-ssl: Connection, ip=[::ffff:...]
>> Jul 23 23:58:06 localhost imapd-ssl: LOGIN FAILED, method=EXTERNAL, ip=[::ffff:...]
>> Jul 23 23:58:12 localhost imapd-ssl: Disconnected, ip=[::ffff:...], time=9, starttls=1
>
> Are there any more logging options in COURIER that I can enable? This
> mode seems to bypass authdaemon and I haven't found any log level
> options besides authdaemon.
>
> Sorry for the long mail and thank you for reading it,
> Lenz
>
>
>
> On 22.07.2015 at 14:21, Sam Varshavchik wrote:
>> Sam Varshavchik writes:
>>
>>> Lenz Weber writes:
>>>
>>>> Hi, sorry, but I have not found any documentation on this:
>>>>
>>>> I see that I can add a CA certificate to  TLS_TRUSTCERTS and
>>>> then set TLS_VERIFYPEER to PEER to enable certificate
>>>> authentication.
>>>>
>>>> But with just that setup, if one client key is compromised, I
>>>> have to change the complete CA. Is there a way to revoke a
>>>> single certificate?
>>> Nope. There is no support for revocation lists at this time.
>> Note, though, that you can achieve pretty much the same thing via
>> authentication.
>>
>> Client certificates work by having the code fish out the
>> emailAddress attribute from the client's certificate and using it
>> to log in. So, to effectively revoke the certificate, remove the
>> login, and create another one, with a new certificate.
>>
>> Even with /etc/passwd, you can have two entries in /etc/passwd
>> with different login names, but same userid, groupid, and home
>> directory. One is the public email address, the second one is for
>> logging in. To effectively revoke a cert, the second one is
>> removed, and replaced. So, one would have <u...@example.com> as
>> their public email address, and their certificate reads
>> <mb2...@example.com>, which logs into this mailbox. Left to its own
>> devices, mail to either address would end up in the same mailbox,
>> but so what. To "remove" the certificate, the <mb2...@example.com>
>> login gets deleted, and replaced with <mb2...@example.com>, the
>> public email address is unaffected.
>>
>>
>> _______________________________________________
>> Courier-imap mailing list
>> Courier-imap@lists.sourceforge.net
>> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
>>


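The scheme Sam describes above (a certificate-only login next to the public address, both pointing at the same mailbox, with "revocation" done by deleting and re-issuing that login) and the AUTHENTICATE EXTERNAL line from Lenz's Thunderbird log, worked through as an added example. This is not Courier's code: it reads and writes Courier's userdb text format (login, TAB, |-separated key=value fields, as in the userdb line quoted in the thread), but the lookup and the handling of the client-supplied authzid are a simplified model of TLS_EXTERNAL=emailaddress. The sample userdb, the example.com addresses and the mb2- login prefix are constructed for the example; that a non-empty authzid has to equal the certificate's emailAddress is an assumption of the model, since the thread does not say how Courier treats a mismatch.

```python
"""Model of "revoke a client certificate by replacing its login".

Added example for this thread; it is not Courier code. It keeps Courier's
userdb text format (login, TAB, |-separated key=value fields), but the lookup
and authzid handling are a simplified model of TLS_EXTERNAL=emailaddress.
"""
import base64
import binascii
import secrets

# Constructed sample userdb: one public address and one certificate-only login,
# both pointing at the same mailbox (mail/uid/gid as in the thread's userdb line).
SAMPLE_USERDB = (
    "user@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000\n"
    "mb2-7f3a@example.com\tmail=/var/vmail/example.com/user/|uid=5000|gid=5000\n"
)


def parse_userdb(text):
    """Return {login: {field: value}}; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        login, _, fields = line.partition("\t")
        attrs = {}
        for kv in fields.split("|"):
            if kv:
                key, _, value = kv.partition("=")
                attrs[key] = value
        entries[login] = attrs
    return entries


def format_userdb(entries):
    """Serialize back to the makeuserdb input format (one login per line)."""
    lines = []
    for login, attrs in entries.items():
        lines.append(login + "\t" + "|".join(f"{k}={v}" for k, v in attrs.items()))
    return "\n".join(lines) + "\n"


def authzid_from_external(arg):
    """Decode the base64 argument of 'AUTHENTICATE EXTERNAL <arg>'.

    Thunderbird sends the configured account name this way (see its log in
    the thread). Returns None for anything that is not valid base64 UTF-8.
    """
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def external_login(entries, cert_email, authzid_b64=None):
    """Model of TLS_EXTERNAL=emailaddress.

    cert_email is the emailAddress attribute taken from the verified client
    certificate; it must be an existing userdb login. If the client also sent
    an authzid, this model accepts it only when it is empty or equal to
    cert_email (assumption: the thread does not say how Courier treats a
    mismatch). Returns the matching userdb entry, or None on failure.
    """
    if authzid_b64 is not None:
        authzid = authzid_from_external(authzid_b64)
        if authzid is None or authzid not in ("", cert_email):
            return None
    return entries.get(cert_email)


def revoke_cert_login(entries, old_login, domain):
    """Revoke a certificate by deleting its login and issuing a fresh one.

    The new login keeps the same mail/uid/gid, so the mailbox and the public
    address are untouched; only a certificate carrying the new address logs
    in. The caller writes the file out and re-runs makeuserdb.
    """
    attrs = entries.pop(old_login)
    new_login = f"mb2-{secrets.token_hex(4)}@{domain}"
    entries[new_login] = dict(attrs)
    return new_login


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_USERDB)
    print("old cert before revocation:", external_login(db, "mb2-7f3a@example.com") is not None)
    fresh = revoke_cert_login(db, "mb2-7f3a@example.com", "example.com")
    print("old cert after revocation: ", external_login(db, "mb2-7f3a@example.com") is not None)
    print("new cert after revocation: ", external_login(db, fresh) is not None)
    print("public address still works:", external_login(db, "user@example.com") is not None)
    print(format_userdb(db), end="")
```

Decoding the EXTERNAL argument is the quick check for the symptom in Lenz's log: the identity Thunderbird sends is whatever is configured as the account's user name, and if that does not line up with the login that the certificate's emailAddress maps to, the server side only reports "LOGIN FAILED, method=EXTERNAL", exactly as in the Courier log above.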