Re: gssapi considered as PLAIN?
Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:15 (localtime): > On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote: >> Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): >>> On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: >> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes >> from capabilities. > Try setting login_trusted_networks to something you trust. >>> root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms >>> auth_mechanisms = plain login gssapi >>> root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth >>> disable_plaintext_auth = yes >>> root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks >>> login_trusted_networks = >>> >>> >>> a CAPABILITY >>> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE >>> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI >> You don't see LOGINDISABLED, so I guess rip==lip (you tested >> @localhost), right? > No, but I didn't show all of it ;-). Here it is: > > jbehrend@jb1:~$ gnutls-cli --starttls > --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 > imap.mpifr-bonn.mpg.de > Processed 1 CA certificate(s). > Resolving 'imap.mpifr-bonn.mpg.de'... > Connecting to '134.104.18.77:143'... > > - Simple Client Mode: > > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE > IDLE STARTTLS LOGINDISABLED] Dovecot ready. > a starttls > a OK Begin TLS negotiation now. > *** Starting TLS handshake > - Ephemeral Diffie-Hellman parameters > - Using prime: 1024 bits > - Secret key: 1023 bits > - Peer's public key: 1023 bits > - Certificate type: X.509 > - Got a certificate list of 1 certificates. > - Certificate[0] info: > - subject > `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut > fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer > `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg...@mpg.de', RSA key 4096 > bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires > `2019-05-05 11:17:21 UTC', SHA-1 fingerprint > `c0b4fb497ac212f0e05de24f2c097a0b712435cc' > - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'. > - Peer's certificate is trusted > - Version: TLS1.2 > - Key Exchange: DHE-RSA > - Cipher: AES-128-CBC > - MAC: SHA1 > - Compression: NULL > a CAPABILITY > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE > AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI > a OK Pre-login capabilities listed, post-login capabilities have more. Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my kerberos ticket validated :-) disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it doesn't offer until encryption successfully took place. But I don't expect GSSAPI also beeing disabled (regardless if encryption is available or not). I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-) Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote: > Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): > > On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: > >> Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): > >>> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes > from capabilities. > >>> Try setting login_trusted_networks to something you trust. > > root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms > > auth_mechanisms = plain login gssapi > > root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth > > disable_plaintext_auth = yes > > root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks > > login_trusted_networks = > > > > > > a CAPABILITY > > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE > > AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI > > You don't see LOGINDISABLED, so I guess rip==lip (you tested > @localhost), right? No, but I didn't show all of it ;-). Here it is: jbehrend@jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de Processed 1 CA certificate(s). Resolving 'imap.mpifr-bonn.mpg.de'... Connecting to '134.104.18.77:143'... - Simple Client Mode: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready. a starttls a OK Begin TLS negotiation now. *** Starting TLS handshake - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1023 bits - Peer's public key: 1023 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg...@mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc' - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'. - Peer's certificate is trusted - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL a CAPABILITY * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI a OK Pre-login capabilities listed, post-login capabilities have more. Cheers Jan -- MAX-PLANCK-INSTITUT fuer Radioastronomie Jan Behrend - Rechenzentrum Auf dem Huegel 69, D-53121 Bonn Tel: +49 (228) 525 359, Fax: +49 (228) 525 229 jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de smime.p7s Description: S/MIME cryptographic signature
Re: gssapi considered as PLAIN?
Bezüglich Jan Behrend's Nachricht vom 05.11.2014 17:01 (localtime): > On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote: >> Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): >>> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities. >>> Try setting login_trusted_networks to something you trust. > root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms > auth_mechanisms = plain login gssapi > root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth > disable_plaintext_auth = yes > root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks > login_trusted_networks = > > > a CAPABILITY > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE > AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right? Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime):
> > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> >> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes
> >> from capabilities.
> > Try setting login_trusted_networks to something you trust.
>
root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
auth_mechanisms = plain login gssapi
root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
disable_plaintext_auth = yes
root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
login_trusted_networks =
a CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
Must be something else ...
Check my attached config for differences.
Cheer Jan
--
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum
Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehr...@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.7 xfs
auth_gssapi_hostname = imap.mpifr-bonn.mpg.de
auth_krb5_keytab = /etc/krb5-ha.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
default_process_limit = 1024
default_vsz_limit = 512 M
dict {
acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
doveadm_password = xxx
doveadm_port = 50222
listen = 134.104.18.77
lmtp_save_to_detail_mailbox = yes
mail_location = mdbox:/var/mail/%Ln/maildrop
mail_plugins = acl zlib notify replication
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date ihave imapflags notify
mdbox_rotate_size = 10 M
namespace mpifr_private {
inbox = yes
location =
prefix =
separator = .
}
namespace mpifr_shared {
inbox = no
list = children
location = mdbox:/var/mail/%%n/maildrop
prefix = shared.%%n.
separator = .
subscriptions = no
type = shared
}
passdb {
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
driver = ldap
}
plugin {
acl = vfile
acl_defaults_from_inbox = yes
acl_shared_dict = proxy::acl
mail_replica = tcp:192.168.42.173:50222
sieve = ~/.dovecot.sieve
sieve_after = /var/mail/global-after.sieve
sieve_dir = ~/sieve
sieve_extensions = +notify +imapflags
sieve_global_dir = /var/mail
zlib_save = gz
zlib_save_level = 6
}
protocols = " imap lmtp sieve pop3"
replication_dsync_parameters = -d -l 30 -U -n mpifr_private -n mpifr_shared
replication_max_conns = 6
service aggregator {
fifo_listener replication-notify-fifo {
user = vmail
}
unix_listener replication-notify {
user = vmail
}
}
service anvil {
client_limit = 8192
}
service auth {
client_limit = 8192
unix_listener auth-userdb {
group = vmail
user = vmail
}
}
service dict {
unix_listener dict {
group = vmail
user = vmail
}
}
service doveadm {
inet_listener {
address = 192.168.42.105
port = 50222
}
}
service imap-login {
process_min_avail = 5
service_count = 1
}
service imap {
vsz_limit = 512 M
}
service indexer-worker {
client_limit = 1
process_limit = 10
user = root
}
service lmtp {
inet_listener lmtp {
address = 134.104.18.105
port = 24
}
}
service managesieve-login {
inet_listener sieve {
address = 134.104.18.77
port = 4190
}
service_count = 1
}
service pop3-login {
process_min_avail = 5
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
ssl = required
ssl_cert =
smime.p7s
Description: S/MIME cryptographic signature
Re: gssapi considered as PLAIN?
Bezüglich Hans Morten Kind's Nachricht vom 05.11.2014 16:48 (localtime): > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: >> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes >> from capabilities. > Try setting login_trusted_networks to something you trust. Thanks for the hint, but I don't want to offer PLAIN to my whole LAN. while I do want to offer GSSAPI to my whole LAN. Unfortunately that's not a workarround for me. Thanks, -Harry
Re: gssapi considered as PLAIN?
On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote: > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes > from capabilities. Try setting login_trusted_networks to something you trust. hmk
