Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Timo Sirainen
On 27.3.2013, at 10.49, Christian Felsing hostmas...@taunusstein.net wrote:

 I would like to set up a Dovecot based mail system which uses X.509
 Client Certificates for authentication. A webmail system based on Horde5
 should use Dovecot as backend.
..
 Unfortunately Dovecot does not support different authentication methods
 on different IP addresses or ports. This does not work:
 
 remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes
 
 }
 
 Result is doveconf: Fatal: Error in configuration file
 /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
 settings not supported inside local/remote blocks:
 auth_ssl_require_client_cert

Right. Would be nice to support at some point, but not that easy to implement.

 Is there any way to turn off client certs for specific local or remote
 IP addresses?

In your passdb you can use %r = remote IP and %k = certificate valid to figure 
out if the user is allowed or not. For example with SQL passdb that would be 
possible, or checkpassword. http://wiki2.dovecot.org/Variables



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Christian Felsing
Hi Timo,

thank you for that hint.

SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users
WHERE userid = '%u'
does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:

password_query = SELECT MD5('%w') AS password, userid AS user FROM users
WHERE (userid = '%u') and (('%k' = 'valid')  or ('%r' = '192.168.116.30'));

so Dovecot accepts any password provided by the user. This solution now works
for users who are directly using imap or pop3 _and_ for users who are using
the Horde webmail frontend backed by Dovecot. This is now a configuration
which does not need any passwords stored on the server, which IMHO provides
more security.

best regards
Christian


Am 31.03.2013 10:29, schrieb Timo Sirainen:
 Is there any way to turn off client certs for specific local or remote
 IP addresses?
 
 In your passdb you can use %r = remote IP and %k = certificate valid to 
 figure out if the user is allowed or not. For example with SQL passdb that 
 would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
 



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Timo Sirainen
On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:

 thank you for that hint.
 
 SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users
 WHERE userid = '%u'
 does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:

I don't understand. I remember some other mail about this as well. It works 
fine with my tests.. What does it log with you?



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Christian Felsing
There were log entries regarding that problem:


Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=u...@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out:
CONT#0111#011
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
Mar 25 11:05:21 dovecot dovecot: auth: Debug:
sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): query: SELECT
NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE
userid = 'u...@example.net'
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
Mar 25 11:05:21 dovecot dovecot: auth:
sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): Empty password
returned without nopassword
Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=u...@example.net

Dovecot got nopassword but still does not accept an empty password.

Christian



Am 31.03.2013 15:18, schrieb Timo Sirainen:
 On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:
 
 thank you for that hint.

 SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users
 WHERE userid = '%u'
 does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
 
 I don't understand. I remember some other mail about this as well. It works 
 fine with my tests.. What does it log with you?
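As an added illustration, not code from the thread or from Dovecot itself: a small Python script that parses `auth: Debug: client in: AUTH ...` lines like the ones above (syslog renders Dovecot's TAB separators as `#011`) and applies the same allow rule that Timo's hint and Christian's `password_query` express through `%k` and `%r`: accept when the client certificate was valid, or when the request came from the trusted webmail address. The sample log lines, the `alice@example.net` user name and the session ids are constructed; the trusted address `192.168.116.30` is the one used in the query earlier in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape Dovecot 2.2 logs for
# "auth: Debug: client in:" (TAB characters appear as #011 in syslog).
SAMPLE_LOG = [
    # IMAP login with a valid client certificate from an arbitrary host
    "Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: "
    "AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert"
    "#011session=AAAA#011cert_username=alice@example.net"
    "#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480",
    # Webmail host (the trusted LAN address from the thread), no client cert
    "Mar 25 11:06:02 dovecot dovecot: auth: Debug: client in: "
    "AUTH#0112#011PLAIN#011service=imap#011secured"
    "#011session=BBBB#011lip=192.168.200.22#011rip=192.168.116.30"
    "#011lport=993#011rport=50123",
    # Unknown host, no client cert: must be denied
    "Mar 25 11:06:40 dovecot dovecot: auth: Debug: client in: "
    "AUTH#0113#011PLAIN#011service=imap#011secured"
    "#011session=CCCC#011lip=192.168.200.22#011rip=203.0.113.7"
    "#011lport=993#011rport=40001",
    # Unrelated debug line, skipped by the parser
    "Mar 25 11:06:41 dovecot dovecot: auth: Debug: client passdb out: CONT#0113#011",
]

# Hosts allowed to authenticate without a client certificate
# (the '%r' = '192.168.116.30' branch of the password_query).
TRUSTED_NETS = [ip_network("192.168.116.30/32")]

AUTH_RE = re.compile(r"auth: Debug: client in: (.*)$")


def parse_auth_request(line):
    """Return a dict for an AUTH request line, or None for any other line.

    Bare fields (secured, valid-client-cert) become flags; key=value
    fields (rip=..., cert_username=...) become entries of 'params'.
    """
    m = AUTH_RE.search(line)
    if not m:
        return None
    parts = m.group(1).split("#011")
    if parts[0] != "AUTH" or len(parts) < 3:
        return None
    req = {"id": parts[1], "mech": parts[2], "flags": set(), "params": {}}
    for field in parts[3:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        else:
            req["flags"].add(field)
    return req


def is_allowed(req, trusted_nets):
    """Mirror of the SQL condition: ('%k' = 'valid') OR ('%r' = trusted)."""
    cert_valid = "valid-client-cert" in req["flags"]
    rip = req["params"].get("rip")
    try:
        from_trusted = rip is not None and any(
            ip_address(rip) in net for net in trusted_nets
        )
    except ValueError:  # malformed address in the log line
        from_trusted = False
    return cert_valid or from_trusted


def evaluate_log(lines, trusted_nets=TRUSTED_NETS):
    """Return (rip, cert_username or None, allowed) for every AUTH line."""
    results = []
    for line in lines:
        req = parse_auth_request(line)
        if req is None:
            continue
        results.append(
            (req["params"].get("rip"),
             req["params"].get("cert_username"),
             is_allowed(req, trusted_nets))
        )
    return results


if __name__ == "__main__":
    for rip, user, ok in evaluate_log(SAMPLE_LOG):
        print(f"rip={rip} cert_username={user} allowed={ok}")
```

The certificate-less branch hinges entirely on the source address being trustworthy, so the trusted address should only be reachable from the protected LAN the original post describes; running the parser over the auth debug log afterwards shows which sessions were admitted through that IP exception rather than through a certificate.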
 



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Timo Sirainen
On 31.3.2013, at 17.38, Christian Felsing hostmas...@taunusstein.net wrote:

 There were log entries regarding that problem:

Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat 
differently. This should fix it: 
http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37

 
 
 Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in:
 AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=u...@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
 Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out:
 CONT#0111#011
 Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
 Mar 25 11:05:21 dovecot dovecot: auth: Debug:
 sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): query: SELECT
 NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE
 userid = 'u...@example.net'
 Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
 Mar 25 11:05:21 dovecot dovecot: auth:
 sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): Empty password
 returned without nopassword
 Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out:
 FAIL#0111#011user=u...@example.net
 
 Dovecot got nopassword but still does not accept an empty password.
 
 Christian
 
 
 
 Am 31.03.2013 15:18, schrieb Timo Sirainen:
 On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:
 
 thank you for that hint.
 
 SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users
 WHERE userid = '%u'
 does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
 
 I don't understand. I remember some other mail about this as well. It works 
 fine with my tests.. What does it log with you?
 
 



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-31 Thread Jake Johnson
unsubscribe


On Wed, Mar 27, 2013 at 1:49 AM, Christian Felsing 
hostmas...@taunusstein.net wrote:

 Hello,

 I would like to set up a Dovecot based mail system which uses X.509
 Client Certificates for authentication. A webmail system based on Horde5
 should use Dovecot as backend.

 For now Dovecot works with client certificates issued by my CA and Horde
 authenticates also with the same client certs. Due to the protocol it is
 impossible to use the client certs presented by the user to Horde for
 authentication at Dovecot, so Horde should be allowed to authenticate
 itself to Dovecot without a password or with an arbitrary password. Horde
 and Dovecot are running in the same protected LAN.

 Unfortunately Dovecot does not support different authentication methods
 on different IP addresses or ports. This does not work:

 remote 192.168.116.28/32 {
   auth_ssl_require_client_cert = no
   auth_ssl_username_from_cert = yes
   disable_plaintext_auth = no
   ssl = yes

 }

 Result is doveconf: Fatal: Error in configuration file
 /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
 settings not supported inside local/remote blocks:
 auth_ssl_require_client_cert

 Replacing auth_ssl_require_client_cert = no by ssl_verify_client_cert =
 no does not yield an error, but it does nothing; Dovecot still
 insists on a client certificate.

 I am afraid that I am trapped by this problem:

 http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certificates-for-external-connections-tp475.html

 Is there any way to turn off client certs for specific local or remote
 IP addresses?

 best regards
 Christian



Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem [solved]

2013-03-31 Thread Christian Felsing
Thank you, works now with 'Y' as nopassword :-)

best regards
Christian

Am 31.03.2013 17:16, schrieb Timo Sirainen:
 On 31.3.2013, at 17.38, Christian Felsing hostmas...@taunusstein.net wrote:
 
 There were log entries regarding that problem:
 
 Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat 
 differently. This should fix it: 
 http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37



[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem

2013-03-27 Thread Christian Felsing
Hello,

I would like to set up a Dovecot based mail system which uses X.509
Client Certificates for authentication. A webmail system based on Horde5
should use Dovecot as backend.

For now Dovecot works with client certificates issued by my CA and Horde
authenticates also with the same client certs. Due to the protocol it is
impossible to use the client certs presented by the user to Horde for
authentication at Dovecot, so Horde should be allowed to authenticate
itself to Dovecot without a password or with an arbitrary password. Horde
and Dovecot are running in the same protected LAN.

Unfortunately Dovecot does not support different authentication methods
on different IP addresses or ports. This does not work:

remote 192.168.116.28/32 {
  auth_ssl_require_client_cert = no
  auth_ssl_username_from_cert = yes
  disable_plaintext_auth = no
  ssl = yes

}

Result is doveconf: Fatal: Error in configuration file
/opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth
settings not supported inside local/remote blocks:
auth_ssl_require_client_cert

Replacing auth_ssl_require_client_cert = no by ssl_verify_client_cert =
no does not yield an error, but it does nothing; Dovecot still
insists on a client certificate.

I am afraid that I am trapped by this problem:
http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certificates-for-external-connections-tp475.html

Is there any way to turn off client certs for specific local or remote
IP addresses?

best regards
Christian