Re: [PLUG] imap server that allows ssl certificate based authentication?
> So, you seem also to be using mutt with dovecot
>
>   User-Agent: Mutt/1.5.24 (2015-08-30)

Well, not quite... I found Mutt's IMAP support was lacking. Also, since I run a business off of my mail infrastructure, I am forced to use things like Thunderbird to manage meeting invites and the like, etc. So mutt is for personal mail via SSH, and IMAP is for work stuff.

> Agreed! I love socat!
>
> It does not support client SSL certificate handling, but it is a
> wonderful and lightweight CLI and can also function in a pinch as a
> capable, if modest server. I love that it can connect to just about
> any kind of file or socket. So much more flexible than 'nc'.

Ok, good to know about the lack of client cert handling.

tim

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] imap server that allows ssl certificate based authentication?
> Personally, I like combining passwords and tokens (the old "what I have and
> what I know" combo). I've been using password-based IMAP transported over
> certificate-based OpenVPN, which does the trick for me.
>
> I readily acknowledge that my solution isn't really what you're hoping to
> use. Still, it's flexible enough so that all sorts of services that
> traditionally rely on passwords (SMTP AUTH, web services, plus IMAP) can be
> wrapped in a certificate-authenticated connection.

I made this same decision about authenticated IMAP. I run OpenVPN on my laptop and it works fine. It is usually quite good about recovering when network connectivity comes and goes. If you're already using OpenVPN for other things, it is a logical choice to skip using certificates with each individual service.

The trouble I ran into, though, was with OpenVPN on my Android. I can't get it working at all, and I've spent countless hours trying to debug it (with root access on my phone, sniffing at both ends, etc). The OpenVPN client connects, successfully authenticates, and then nothing happens. No packets at all are transmitted over the established connection. It is super frustrating, and no OpenVPN folks stepped up to help me figure it out. I'm just hoping with the next Android phone it will magically work... Ok, enough venting.

> It has the further benefit that you only need to contact one remote port,
> reducing the chance that a local firewall will become an obstacle to your
> session.

Yup. You can run OpenVPN on unusual ports (e.g. 53/UDP) that are often allowed outbound without filtering. In addition, if you use the tls-auth option with a UDP port, attackers can't even tell the OpenVPN service is running on your server unless they know the pre-auth symmetric key. (This is kinda like a group password checked on the very first packet before certificate authentication is performed.)

tim
Re: [PLUG] imap server that allows ssl certificate based authentication?
On Mon, 26 Oct 2015, Michael Rasmussen wrote:

> I was conflating use of ssh and SSL certs. One can put your password in
> .muttrc but clear text passwords are a bad habit. So I was exploring a way
> to use public key to authenticate the imap session.
>
> Courier is v4.9.1 - it was chosen years ago and the decision has not been
> revisited. Not that I'm averse to doing so.
>
> stunnel would work, I'll weigh it vs coercing imap server to fit my whim.

Personally, I like combining passwords and tokens (the old "what I have and what I know" combo). I've been using password-based IMAP transported over certificate-based OpenVPN, which does the trick for me.

I readily acknowledge that my solution isn't really what you're hoping to use. Still, it's flexible enough so that all sorts of services that traditionally rely on passwords (SMTP AUTH, web services, plus IMAP) can be wrapped in a certificate-authenticated connection.

It has the further benefit that you only need to contact one remote port, reducing the chance that a local firewall will become an obstacle to your session.

-- 
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W
Re: [PLUG] imap server that allows ssl certificate based authentication?
Tim and Michael,

> > Courier is v4.9.1 - it was chosen years ago and the decision has
> > not been revisited. Not that I'm averse to doing so.
>
> I recently chose dovecot over courier and it has been working out
> pretty well. If it has integrated certificate support and isn't
> too hard to set up, that might be your best option. I considered
> doing that as well, but since my cell phone email client didn't
> support client certificates at the time, I never followed through.

So, you seem also to be using mutt with dovecot

  User-Agent: Mutt/1.5.24 (2015-08-30)

> > stunnel would work, I'll weigh it vs coercing imap server to fit my whim.
>
> In past projects I've always found stunnel to be confusing and buggy.
> There are several versions of it and the newer versions just seemed to
> confuse things more.

Noted. I, myself, haven't used it in a few years, but found it fairly reliable and flexible when I did use it (though that was a few years back).

> Recently I've switched to socat for similar features. It's far
> more of a swiss army knife, but also more intuitive for me.

Agreed! I love socat!

It does not support client SSL certificate handling, but it is a wonderful and lightweight CLI and can also function in a pinch as a capable, if modest server. I love that it can connect to just about any kind of file or socket. So much more flexible than 'nc'.

> I've never looked into using it for IMAP access (and how you'd
> handle user identity info, or whatever) so it would be a DIY
> project of sorts, but it is worth looking into.
>
> > I now have a working system and the improvements will be incremental.
> >
> > FWIW - this all started when I wanted to run mutt from my laptop
> > instead of sshing to my server for email. In past trials I've
> > found Thunderbird to be slow and ugly and web mail options to be
> > cumbersome.

I can't necessarily corroborate on the sluggishness point, Michael, but I also love console IMAP and mutt is my preferred MUA (even if I'm using alpine at the moment).

> sshfs might be an option, though probably slow...

Another viable option for a single user

-Martin

-- 
Martin A. Brown
http://linux-ip.net/
Re: [PLUG] imap server that allows ssl certificate based authentication?
> Courier is v4.9.1 - it was chosen years ago and the decision has not been
> revisited. Not that I'm averse to doing so.

I recently chose dovecot over courier and it has been working out pretty well. If it has integrated certificate support and isn't too hard to set up, that might be your best option. I considered doing that as well, but since my cell phone email client didn't support client certificates at the time, I never followed through.

> stunnel would work, I'll weigh it vs coercing imap server to fit my whim.

In past projects I've always found stunnel to be confusing and buggy. There are several versions of it and the newer versions just seemed to confuse things more.

Recently I've switched to socat for similar features. It's far more of a swiss army knife, but also more intuitive for me. I've never looked into using it for IMAP access (and how you'd handle user identity info, or whatever) so it would be a DIY project of sorts, but it is worth looking into.

> I now have a working system and the improvements will be incremental.
>
> FWIW - this all started when I wanted to run mutt from my laptop instead of
> sshing to my server for email.
> In past trials I've found Thunderbird to be slow and ugly and web mail
> options to be cumbersome.

sshfs might be an option, though probably slow...

HTH,
tim
Re: [PLUG] imap server that allows ssl certificate based authentication?
On Mon, Oct 26, 2015 at 03:55:29PM -0700, Martin A. Brown wrote:
>
> Good afternoon,
>
> >> > My current imap server is Courier. And having finally set up
> >> > mutt to use imap based message stores I'd like to also use my
> >> > ssl shared key for authentication. Courier does not support
> >> > this. What imap servers do?
> >> >
> >> > (currently searching Dovecot references...)
>
> [snip]
>
> You appear to be asking about SSL in the subject line, but referring
> to a 'shared key stored in ~/.ssh' in the body. It is unclear from
> this whether you mean ssh or client-identifying SSL certificates.
>
> That is probably immaterial given that you simply want to use mutt
> to talk to your (courier) imapd.
>
> Given:
>
>   A) your question sounds like you are asking only for yourself
>   B) the convenient factor that courier-imap functions as a forked
>      one-process-per-connection service
>   C) you already have shell access to the remote server (sounds like
>      it is yours)
>
> Then:
>
> Why not use ssh as the transport instead of bothering with SSL?
>
> In that case you could use a force-command option in
> ~/.ssh/authorized_keys (server side):
>
>   command='/usr/lib/courier-imap/bin/imapd Maildir'
>
> If you need to set a bunch of environment variables ahead of time,
> then simply replace that command='' with the path to a shell script
> that sets the appropriate envars and ends with:
>
>   exec \
>     /usr/lib/courier-imap/bin/imapd Maildir
>
> Or whatever suits your fancy.
>
> > Much like being able to ssh to another server when you have the
> > keys set up.
>
> If you actually meant that you want your server (couriertls) to
> validate an offered client certificate, then you could also use an
> SSL-capable transport layer shim like stunnel [0] (cf. Bri Hatch
> from Seattle's gslug).
>
> That's all,
>
> -Martin
>
> P.S. What versions of the various courier tools are you using in
> order to get mutt to communicate happily with the imapd?
>
> [0] https://www.stunnel.org/features.html

I was conflating use of ssh and SSL certs. One can put your password in .muttrc but clear text passwords are a bad habit. So I was exploring a way to use public key to authenticate the imap session.

Courier is v4.9.1 - it was chosen years ago and the decision has not been revisited. Not that I'm averse to doing so.

stunnel would work, I'll weigh it vs coercing imap server to fit my whim.

I now have a working system and the improvements will be incremental.

FWIW - this all started when I wanted to run mutt from my laptop instead of sshing to my server for email. In past trials I've found Thunderbird to be slow and ugly and web mail options to be cumbersome.

-- 
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
I'm talking about large trends here, and therefore when I say things like "nobody" I really mean "fewer than 10,000,000 people." ~ Joel Spolsky
Re: [PLUG] imap server that allows ssl certificate based authentication?
Good afternoon,

>> > My current imap server is Courier. And having finally set up
>> > mutt to use imap based message stores I'd like to also use my
>> > ssl shared key for authentication. Courier does not support
>> > this. What imap servers do?
>> >
>> > (currently searching Dovecot references...)
>>
>> I've used both dovecot and courier with SSL certificates so I'm
>> not sure why you are not able to.
>>
>> I might be misunderstanding what an SSL shared key is.
>
> This is for client authentication when connecting to the imap
> server.

So, you would like to use a client-side SSL certificate and you want the server to validate that certificate?

https://www.stunnel.org/features.html

> Rather than checking my password against /etc/shadow I want
> it to request my shared key stored in ~/.ssh and compare to the
> public version in ~/.ssh on the mail server.

You appear to be asking about SSL in the subject line, but referring to a 'shared key stored in ~/.ssh' in the body. It is unclear from this whether you mean ssh or client-identifying SSL certificates.

That is probably immaterial given that you simply want to use mutt to talk to your (courier) imapd.

Given:

  A) your question sounds like you are asking only for yourself
  B) the convenient factor that courier-imap functions as a forked
     one-process-per-connection service
  C) you already have shell access to the remote server (sounds like
     it is yours)

Then:

Why not use ssh as the transport instead of bothering with SSL?

In that case you could use a force-command option in ~/.ssh/authorized_keys (server side):

  command='/usr/lib/courier-imap/bin/imapd Maildir'

If you need to set a bunch of environment variables ahead of time, then simply replace that command='' with the path to a shell script that sets the appropriate envars and ends with:

  exec \
    /usr/lib/courier-imap/bin/imapd Maildir

Or whatever suits your fancy.

> Much like being able to ssh to another server when you have the
> keys set up.

If you actually meant that you want your server (couriertls) to validate an offered client certificate, then you could also use an SSL-capable transport layer shim like stunnel [0] (cf. Bri Hatch from Seattle's gslug).

That's all,

-Martin

P.S. What versions of the various courier tools are you using in order to get mutt to communicate happily with the imapd?

 [0] https://www.stunnel.org/features.html

-- 
Martin A. Brown
http://linux-ip.net/
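The forced-command approach Martin sketches above turns an ssh key into a single-purpose IMAP credential, but only if the key is also stripped of everything else ssh would otherwise grant it (a pty, port forwarding, agent forwarding). The following is an added example, not code from the thread: it writes the wrapper script Martin describes, emits the matching authorized_keys line, and audits an existing authorized_keys file for forced-command keys that were left under-restricted. The imapd path and `Maildir` argument come from the thread; the wrapper path `/usr/local/bin/imapd-wrapper`, the `TZ` variable standing in for "whatever envars you need", and all key material are constructed placeholders. The entry is written with the double quotes sshd's authorized_keys parser expects around a `command=` value.

```shell
#!/bin/sh
# Added example, not from the thread: generate and audit the locked-down
# authorized_keys entry for an ssh-transported courier imapd session.
# /usr/lib/courier-imap/bin/imapd and "Maildir" come from the thread; the
# wrapper path, TZ and every key string below are constructed placeholders.

IMAPD_WRAPPER=${IMAPD_WRAPPER:-/usr/local/bin/imapd-wrapper}

# The wrapper the thread describes: set whatever environment imapd needs,
# then exec it so the ssh session never reaches a shell.
write_imapd_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Forced command for the dedicated IMAP ssh key (constructed example).
export TZ=UTC
exec /usr/lib/courier-imap/bin/imapd Maildir
EOF
    chmod 0755 "$1"
}

# One authorized_keys line: options first, then the public key. The no-*
# options keep the key useless for shells, tunnels or agent hijacking if
# the laptop it lives on is ever lost.
make_imap_key_entry() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$IMAPD_WRAPPER" "$1"
}

# 0: forced command with all four restrictions present
# 1: forced command but at least one restriction missing
# 2: no forced command at all (an ordinary login key; not judged here)
check_forced_command_entry() {
    case $1 in
        *'command="'*) ;;
        *) return 2 ;;
    esac
    for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case $1 in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report under-restricted forced-command lines in a file; the exit status
# is the number of such lines (0 means the file is clean).
audit_authorized_keys() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        rc=0
        check_forced_command_entry "$line" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "$1:$n: forced command without full restrictions"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
```

Typical use on the server: `ssh-keygen -t ed25519 -f ~/.ssh/imap_key` on the laptop, then `. ./imap-key.sh; write_imapd_wrapper /usr/local/bin/imapd-wrapper; make_imap_key_entry "$(cat imap_key.pub)" >> ~/.ssh/authorized_keys`, and `audit_authorized_keys ~/.ssh/authorized_keys` whenever the file changes. On the client side my assumption is mutt's `$tunnel` setting, e.g. `set tunnel="ssh -q -i ~/.ssh/imap_key mail.example.org"` in `.muttrc`, which makes mutt speak IMAP over the ssh pipe instead of opening a socket; the host name in `$folder` is then only a label.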
Re: [PLUG] imap server that allows ssl certificate based authentication?
On Mon, Oct 26, 2015 at 03:13:48PM -0700, n...@aliens.la wrote:
> Wow! I never knew that existed for email servers. I'll be interested
> to note the result when you've finished researching it.

With the world filled with lazy people? It has to be.

One option seems to be Dovecot.
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Scroll down to "Client certificate verification/authentication"

> On 2015-10-26 14:54, Michael Rasmussen wrote:
> > On Mon, Oct 26, 2015 at 02:43:34PM -0700, n...@aliens.la wrote:
> >>
> >> I've used both dovecot and courier with SSL certificates so I'm not
> >> sure why you are not able to.
> >>
> >> I might be misunderstanding what an SSL shared key is.
> >
> > This is for client authentication when connecting to the imap server.
> > Rather than checking my password against /etc/shadow I want it to
> > request my shared key stored in ~/.ssh and compare to the public
> > version in ~/.ssh on the mail server.
> >
> > Much like being able to ssh to another server when you have the keys
> > set up.
> >
> >> On 2015-10-26 14:40, Michael Rasmussen wrote:
> >> > My current imap server is Courier. And having finally set up mutt to
> >> > use imap based message stores I'd like to also use my ssl shared key
> >> > for authentication. Courier does not support this. What imap servers
> >> > do?
> >> >
> >> > (currently searching Dovecot references...)

-- 
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
Never turn down a conversation. ~ http://someoneoncetoldme.com/gallery/21012009
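The Dovecot wiki section Michael points to is the direct answer to the thread's question, and it hides a caveat worth checking for: `ssl_verify_client_cert = yes` on its own only verifies a certificate when the client chooses to send one, so a client that sends none still falls through to ordinary password login. Making the certificate mandatory takes `auth_ssl_require_client_cert = yes`, and mapping the certificate to the login user takes `auth_ssl_username_from_cert = yes`. The following is an added example, not from the thread or from the Dovecot project: the optional and the mandatory form of the `10-ssl.conf` settings side by side (setting names are Dovecot 2.x's), and a small policy check that tells the two apart. Certificate paths and the host name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: client-certificate
# settings in their weak (optional) and hardened (required) forms, plus a
# check that flags the weak one. Setting names are Dovecot 2.x's; all paths
# and host names are constructed placeholders.

# Weak: the certificate is verified only if offered; a client that offers
# none may still authenticate with a password alone.
weak_dovecot_ssl_conf() {
    cat <<'EOF'
ssl = required
ssl_cert = </etc/dovecot/private/imap.example.org.pem
ssl_key = </etc/dovecot/private/imap.example.org.key
ssl_ca = </etc/dovecot/clientca.pem
ssl_verify_client_cert = yes
EOF
}

# Hardened: no valid client certificate, no login; the username is taken
# from the certificate's CN instead of being typed by the client.
hardened_dovecot_ssl_conf() {
    cat <<'EOF'
ssl = required
ssl_cert = </etc/dovecot/private/imap.example.org.pem
ssl_key = </etc/dovecot/private/imap.example.org.key
ssl_ca = </etc/dovecot/clientca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName
EOF
}

# Value of one "name = value" setting read from a config on stdin; the last
# assignment wins, as it does when Dovecot parses its own files.
setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# 0: client certificate mandatory for every login
# 1: client certificate optional (password-only logins still accepted)
# 2: client certificates not verified at all
check_client_cert_policy() {
    verify=$(printf '%s\n' "$1" | setting ssl_verify_client_cert)
    require=$(printf '%s\n' "$1" | setting auth_ssl_require_client_cert)
    ca=$(printf '%s\n' "$1" | setting ssl_ca)
    if [ "$verify" != yes ] || [ -z "$ca" ]; then
        echo "client certificates are not verified (ssl_verify_client_cert/ssl_ca unset)"
        return 2
    fi
    if [ "$require" != yes ]; then
        echo "client certificate is optional: password-only logins are still accepted"
        return 1
    fi
    echo "client certificate required for every login"
    return 0
}
```

Run the check against the output of `doveconf -n` (a real Dovecot command that prints the effective, merged configuration) rather than against one file, since a later file under `conf.d/` can override an earlier one. One further Dovecot 2.x behaviour to plan for: `ssl_require_crl` defaults to `yes`, so the `ssl_ca` file must also carry the CA's CRL, or the setting must be switched off deliberately; otherwise every client certificate is rejected during the handshake.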
Re: [PLUG] imap server that allows ssl certificate based authentication?
Wow! I never knew that existed for email servers. I'll be interested to note the result when you've finished researching it.

Neil

On 2015-10-26 14:54, Michael Rasmussen wrote:
> On Mon, Oct 26, 2015 at 02:43:34PM -0700, n...@aliens.la wrote:
>>
>> I've used both dovecot and courier with SSL certificates so I'm not
>> sure why you are not able to.
>>
>> I might be misunderstanding what an SSL shared key is.
>
> This is for client authentication when connecting to the imap server.
> Rather than checking my password against /etc/shadow I want it to
> request my shared key stored in ~/.ssh and compare to the public
> version in ~/.ssh on the mail server.
>
> Much like being able to ssh to another server when you have the keys
> set up.
>
>> On 2015-10-26 14:40, Michael Rasmussen wrote:
>> > My current imap server is Courier. And having finally set up mutt to
>> > use imap based message stores I'd like to also use my ssl shared key
>> > for authentication. Courier does not support this. What imap servers
>> > do?
>> >
>> > (currently searching Dovecot references...)
Re: [PLUG] imap server that allows ssl certificate based authentication?
On Mon, Oct 26, 2015 at 02:43:34PM -0700, n...@aliens.la wrote:
>
> I've used both dovecot and courier with SSL certificates so I'm not sure
> why you are not able to.
>
> I might be misunderstanding what an SSL shared key is.

This is for client authentication when connecting to the imap server. Rather than checking my password against /etc/shadow I want it to request my shared key stored in ~/.ssh and compare to the public version in ~/.ssh on the mail server.

Much like being able to ssh to another server when you have the keys set up.

> On 2015-10-26 14:40, Michael Rasmussen wrote:
> > My current imap server is Courier. And having finally set up mutt to
> > use imap based message stores I'd like to also use my ssl shared key
> > for authentication. Courier does not support this. What imap servers
> > do?
> >
> > (currently searching Dovecot references...)

-- 
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
It's not your beauty that makes you beautiful ~ it's your dreams, your soul and the way you love. ~ http://someoneoncetoldme.com/gallery/20012008
Re: [PLUG] imap server that allows ssl certificate based authentication?
I've used both dovecot and courier with SSL certificates so I'm not sure why you are not able to.

I might be misunderstanding what an SSL shared key is.

On 2015-10-26 14:40, Michael Rasmussen wrote:
> My current imap server is Courier. And having finally set up mutt to
> use imap based message stores I'd like to also use my ssl shared key
> for authentication. Courier does not support this. What imap servers
> do?
>
> (currently searching Dovecot references...)