Try adding auth_debug_password=yes

Aki

On 01.02.2018 10:27, yuryb wrote:
> We have FreeBSD-server with dovecot installed on it as IMAP-server. My
> user and password database is a text file with plaintext passwords.
> Clients connect to imap-server via TLS protocol and plaintext
> password. All works fine. But I want to configure the ability to authorize
> with client certificates. I have generated a client certificate and
> imported it to email-client. Also I have configured dovecot to verify
> client certificates. But email-client cannot authorize: Password
> mismatch. Why does dovecot reject my password in this case? Please help!
>
> My log:
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/L=Kyiv/O=Contoso
> Ltd: user=<>, rip=10.1.1.59, lip=10.1.1.99, TLS handshaking,
> session=<fp5P5SBkhtMKAQE7>
> dovecot: imap-login: Valid certificate: /C=UA/ST=Kyiv/O=Contoso
> Ltd/OU=IT/CN=sysadmin/emailAddress=sysad...@contoso.ua: user=<>,
> rip=10.1.1.59, lip=10.1.1.99, TLS handshaking, session=<fp5P5SBkhtMKAQE7>
> dovecot: auth: passwd-file(sysadmin,10.1.1.59,<fp5P5SBkhtMKAQE7>):
> Password mismatch
> dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs):
> user=<sysadmin>, method=EXTERNAL, rip=10.1.1.59, lip=10.1.1.99, TLS,
> session=<fp5P5SBkhtMKAQE7>
>
> My configuration:
> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 10.2-RELEASE-p20 amd64 ufs
> auth_debug = yes
> auth_mechanisms = plain login external
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
> auth_username_format = %Ln
> auth_verbose = yes
> disable_plaintext_auth = no
> lda_mailbox_autocreate = yes
> mail_debug = yes
> mail_gid = 999
> mail_location = maildir:/mnt/mail/%n
> mail_uid = 999
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /usr/local/etc/dovecot/users
>   driver = passwd-file
> }
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0660
>     user = vmail
>   }
> }
> service imap-login {
>   inet_listener imaps {
>     ssl = yes
>   }
> }
> ssl_ca = </etc/ssl/cacert.pem
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/ssl/private/dovecot.pem
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1
> ssl_require_crl = no
> ssl_verify_client_cert = yes
> userdb {
>   args = /usr/local/etc/dovecot/users
>   driver = passwd-file
> }
> verbose_ssl = yes
>