[Dovecot] Thunderbird SSL/TLS client authentication fails - solved with workaround
rhunen at xs4all.nl
Mon Dec 3 14:41:11 EET 2012
On 2012/12/02 22:18, Daniel Parthey wrote:
> Roger Hunen wrote:
>> I am seeking your help with SSL/TLS client authentication.
>> Unfortunately the authentication fails :(
> http://wiki2.dovecot.org/SSL/DovecotConfiguration states:
> "You may also want to disable the password checking completely. Doing this
> currently circumvents Dovecot's security model so it's not recommended to use
> it, but it is possible by making the passdb allow logins using any password
> (typically requiring "nopassword" extra field to be returned)."
> See http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
This sounded like a bad idea at first as it would allow webmail users
to logon without entering a password. However, your suggestion made me
think (and go!) in a direction that I would not have gone on my own.
Thank you for that!
First things first: the solution/workaround :)
* Create two passwd style files
- mailusers.143 with password and without 'nopassword' extra field
- mailusers.993 without password but with 'nopassword' extra field
* Configure a passdb (driver=passwd-file) that selects the password
database file using the %a variable (local port): mailusers.%a
My Dovecot setup now
* does not require a valid password for connections to the imaps
port (993); the username is taken from the certificate that is
issued by a trusted CA.
* does require a password for connections to the imap port (143).
Currently the system supports very few users, so working with two
passwd files is not a problem. For the future I plan to use a mysql
database with two different queries on the same table based on the
local port number.
For those who are interested: read on for some more findings...
* As far as I can tell (from docs and source) Dovecot supports only
username/password based authentication schemes. There is no such
thing as certificate based authentication (unless I have overlooked
something or it is undocumented).
* Even if 'auth_ssl_username_from_cert=yes' Dovecot will only take
the username from the certificate if the client sends username and
password to logon.
* When configured to use "TLS Certificate" authentication Thunderbird
will not send a username/password to logon. Thunderbird considers
the authentication done once the SSL handshake has completed. Given
the above this is a recipe for failure.
* With 'auth_ssl_username_from_cert=yes' Dovecot will ignore the given
username and use the designated field in the certificate instead
(usually commonName). Together with the 'nopasswd' extra field a
certificate based authentication scheme can be implemented. The
client must be configured to use username and password (which will
be completely ignored by Dovecot as intended in such a setup).
* Dovecot will log an error if a passwd file record has a non-empty
password and the 'nopassword' extra field is present. Either can
be present but not both.
* Dovecot will log an error "input is missing end-of-settings line"
if the configuration contains a setting with a name that is not
valid in the given context. Something like "Invalid setting 'x'
at line y" would be more helpful to pinpoint the problem.
* Dovecot documentation is sparse in many respects which makes it
difficult to use Dovecot to its full potential. I realize though
that resources are at a premium and that writing documentation
is not everybody's cup of tea. From a documentation point of view
Exim4 is an excellent example.
More information about the dovecot