Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
On 27.3.2013, at 10.49, Christian Felsing hostmas...@taunusstein.net wrote:

> I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend.
> ..
> Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
>
>     remote 192.168.116.28/32 {
>       auth_ssl_require_client_cert = no
>       auth_ssl_username_from_cert = yes
>       disable_plaintext_auth = no
>       ssl = yes
>     }
>
> Result is:
>
>     doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert

Right. Would be nice to support at some point, but not that easy to implement.

> Is there any way to turn off client certs for specific local or remote IP addresses?

In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
Hi Timo,

thank you for that hint.

    SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u'

does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:

    password_query = SELECT MD5('%w') AS password, userid AS user FROM users WHERE (userid = '%u') and (('%k' = 'valid') or ('%r' = '192.168.116.30'));

so Dovecot accepts any password provided by user. This solution works now for users which are directly using imap or pop3 _and_ for users which are using Horde webmail frontend backed by Dovecot.

This is now a configuration which does not need any passwords stored on server which provides IMHO more security.

best regards
Christian

On 31.03.2013 10:29, Timo Sirainen wrote:

> > Is there any way to turn off client certs for specific local or remote IP addresses?
>
> In your passdb you can use %r = remote IP and %k = certificate valid to figure out if the user is allowed or not. For example with SQL passdb that would be possible, or checkpassword. http://wiki2.dovecot.org/Variables
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:

> thank you for that hint.
>
>     SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u'
>
> does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:

I don't understand. I remember some other mail about this as well. It works fine with my tests.. What does it log with you?
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
There were log entries regarding that problem:

    Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=u...@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
    Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out: CONT#0111#011
    Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
    Mar 25 11:05:21 dovecot dovecot: auth: Debug: sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): query: SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = 'u...@example.net'
    Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
    Mar 25 11:05:21 dovecot dovecot: auth: sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): Empty password returned without nopassword
    Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out: FAIL#0111#011user=u...@example.net

Dovecot got nopassword but does still not accept an empty password.

Christian

On 31.03.2013 15:18, Timo Sirainen wrote:

> On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:
>
> > thank you for that hint.
> >
> >     SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u'
> >
> > does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
>
> I don't understand. I remember some other mail about this as well. It works fine with my tests.. What does it log with you?
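The auth debug lines above and the SQL passdb rule from the earlier reply ("valid client cert OR request comes from the webmail host") can be checked offline. The following is an added example written for this thread, not Dovecot code and not Christian's or Timo's configuration: it parses the `client in: AUTH` lines in the form syslog prints them (`#011` is the TAB separator of Dovecot's auth protocol), reads the `valid-client-cert` flag that `%k` maps to "valid" and the `rip` parameter that `%r` maps to, and applies the same decision as the `WHERE` clause. The sample log, the allowlisted host `192.168.116.30` and the certificate user `alice@example.net` are constructed for the example; the `Empty password returned without nopassword` check simply flags the symptom reported in the thread so an operator can spot it in a larger log.

```python
"""Replay Dovecot auth-debug log lines against the passdb rule from the thread.

Added example; assumptions: the '#011'-separated layout shown in the thread,
a constructed allowlist for the webmail host, and constructed sample lines.
"""
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the lines quoted in the thread.
# Request 1: valid client certificate. Request 2: no certificate, but from the
# (constructed) webmail host. Request 3: no certificate, from an outside host.
SAMPLE_LOG = """\
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=alice@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out: CONT#0111#011
Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
Mar 25 11:05:21 dovecot dovecot: auth: sql(alice@example.net,192.168.200.6,J8pV8bzYIACwxigG): Empty password returned without nopassword
Mar 25 11:06:02 dovecot dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=imap#011secured#011session=CONSTRUCTED0002#011lip=192.168.200.22#011rip=192.168.116.30#011lport=993#011rport=40000
Mar 25 11:07:45 dovecot dovecot: auth: Debug: client in: AUTH#0113#011PLAIN#011service=imap#011secured#011session=CONSTRUCTED0003#011lip=192.168.200.22#011rip=203.0.113.7#011lport=993#011rport=51234
"""

# Hosts allowed to authenticate with any password, i.e. the '%r' branch of the
# WHERE clause. Constructed for the example.
WEBMAIL_HOSTS = [ip_network("192.168.116.30/32")]

AUTH_MARKER = "client in: AUTH#011"


def parse_auth_request(line):
    """Parse one 'client in: AUTH' debug line into id, mechanism, flags and
    key=value parameters. Returns None for any other line."""
    idx = line.find(AUTH_MARKER)
    if idx < 0:
        return None
    fields = line[idx + len(AUTH_MARKER):].split("#011")
    req = {"id": fields[0], "mechanism": fields[1], "flags": set(), "params": {}}
    for field in fields[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            req["params"][key] = value
        elif field:
            req["flags"].add(field)   # bare words such as 'secured', 'valid-client-cert'
    return req


def passdb_allows(req, allowed_hosts=WEBMAIL_HOSTS):
    """Mirror of ('%k' = 'valid') OR ('%r' = <webmail IP>).
    %k is 'valid' exactly when the auth request carries 'valid-client-cert'."""
    if "valid-client-cert" in req["flags"]:
        return True, "valid client certificate"
    rip = req["params"].get("rip")
    if rip and any(ip_address(rip) in net for net in allowed_hosts):
        return True, "allowlisted remote host (any password accepted)"
    return False, "no client certificate and remote host not allowlisted"


def audit_log(text, allowed_hosts=WEBMAIL_HOSTS):
    """Evaluate every AUTH request in the log; returns one record per request."""
    results = []
    for line in text.splitlines():
        req = parse_auth_request(line)
        if req is None:
            continue
        allowed, reason = passdb_allows(req, allowed_hosts)
        results.append({
            "id": req["id"],
            "rip": req["params"].get("rip"),
            # Set only when auth_ssl_username_from_cert took the name from the cert.
            "user": req["params"].get("cert_username"),
            "allowed": allowed,
            "reason": reason,
        })
    return results


def nopassword_failures(text):
    """Lines showing the 2.2rc3 symptom from the thread: the passdb returned
    an empty password but Dovecot did not honour the nopassword field."""
    return [line for line in text.splitlines()
            if "Empty password returned without nopassword" in line]


if __name__ == "__main__":
    for rec in audit_log(SAMPLE_LOG):
        print(rec)
    print("nopassword failures:", len(nopassword_failures(SAMPLE_LOG)))
```

Running the block prints one decision per request; the third request is refused because it carries neither a certificate nor an allowlisted source address, which is the only thing standing between an arbitrary password and a mailbox once the `%r` branch is in the query. That is why the allowlist should stay as narrow as the single webmail host the thread uses.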
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
On 31.3.2013, at 17.38, Christian Felsing hostmas...@taunusstein.net wrote:

> There were log entries regarding that problem:

Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat differently. This should fix it: http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37

>     Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011valid-client-cert#011session=J8pV8bzYIACwxigG#011cert_username=u...@example.net#011lip=192.168.200.22#011rip=192.168.200.6#011lport=993#011rport=8480
>     Mar 25 11:05:21 dovecot dovecot: auth: Debug: client passdb out: CONT#0111#011
>     Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
>     Mar 25 11:05:21 dovecot dovecot: auth: Debug: sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): query: SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = 'u...@example.net'
>     Mar 25 11:05:21 dovecot dovecot: auth: Debug: client in: CONThidden
>     Mar 25 11:05:21 dovecot dovecot: auth: sql(u...@example.net,192.168.200.6,J8pV8bzYIACwxigG): Empty password returned without nopassword
>     Mar 25 11:05:23 dovecot dovecot: auth: Debug: client passdb out: FAIL#0111#011user=u...@example.net
>
> Dovecot got nopassword but does still not accept an empty password.
>
> Christian
>
> On 31.03.2013 15:18, Timo Sirainen wrote:
>
> > On 31.3.2013, at 15.47, Christian Felsing hostmas...@taunusstein.net wrote:
> >
> > > thank you for that hint.
> > >
> > >     SELECT NULL AS password, 'Y' as nopassword, userid AS user FROM users WHERE userid = '%u'
> > >
> > > does not work, seems Dovecot 2.2rc3 ignores nopassword, so my solution is:
> >
> > I don't understand. I remember some other mail about this as well. It works fine with my tests.. What does it log with you?
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
unsubscribe

On Wed, Mar 27, 2013 at 1:49 AM, Christian Felsing hostmas...@taunusstein.net wrote:

> Hello,
>
> I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend. For now Dovecot works with client certificates issued by my CA and Horde authenticates also with same client certs. Due to protocol it is impossible to use client certs presented by user to Horde for authentication at Dovecot, so Horde should be allowed to authenticate itself without or with an arbitrary password to Dovecot. Horde and Dovecot are running in same protected LAN.
>
> Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:
>
>     remote 192.168.116.28/32 {
>       auth_ssl_require_client_cert = no
>       auth_ssl_username_from_cert = yes
>       disable_plaintext_auth = no
>       ssl = yes
>     }
>
> Result is:
>
>     doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert
>
> Replacing auth_ssl_require_client_cert = no by ssl_verify_client_cert = no does not yield an error, but it does nothing, Dovecot still insists on a client certificate.
>
> I am afraid that I am trapped by this problem: http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certificates-for-external-connections-tp475.html
>
> Is there any way to turn off client certs for specific local or remote IP addresses?
>
> best regards
> Christian
Re: [Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem [solved]
Thank you, works now with 'Y' as nopassword :-)

best regards
Christian

On 31.03.2013 17:16, Timo Sirainen wrote:

> On 31.3.2013, at 17.38, Christian Felsing hostmas...@taunusstein.net wrote:
>
> > There were log entries regarding that problem:
>
> Ah, you were using PostgreSQL and I tested MySQL. They are handled somewhat differently. This should fix it: http://hg.dovecot.org/dovecot-2.2/rev/37cd62516b37
[Dovecot] Dovecot 2.2rc3 Client Cert Auth and Webmail - auth_ssl_require_client_cert problem
Hello,

I would like to set up a Dovecot based mail system which uses X.509 Client Certificates for authentication. A webmail system based on Horde5 should use Dovecot as backend. For now Dovecot works with client certificates issued by my CA and Horde authenticates also with same client certs. Due to protocol it is impossible to use client certs presented by user to Horde for authentication at Dovecot, so Horde should be allowed to authenticate itself without or with an arbitrary password to Dovecot. Horde and Dovecot are running in same protected LAN.

Unfortunately Dovecot does not support different authentication methods on different IP addresses or ports. This does not work:

    remote 192.168.116.28/32 {
      auth_ssl_require_client_cert = no
      auth_ssl_username_from_cert = yes
      disable_plaintext_auth = no
      ssl = yes
    }

Result is:

    doveconf: Fatal: Error in configuration file /opt/dovecot-2.2.rc3/etc/dovecot/conf.d/10-auth.conf line 103: Auth settings not supported inside local/remote blocks: auth_ssl_require_client_cert

Replacing auth_ssl_require_client_cert = no by ssl_verify_client_cert = no does not yield an error, but it does nothing, Dovecot still insists on a client certificate.

I am afraid that I am trapped by this problem: http://dovecot.2317879.n4.nabble.com/Problem-with-requiring-client-certificates-for-external-connections-tp475.html

Is there any way to turn off client certs for specific local or remote IP addresses?

best regards
Christian