[Dovecot] Dovecot 2.2, Thunderbird And Client Certificates -> Login fails

Christian Felsing hostmaster at taunusstein.net
Fri Mar 22 20:37:28 EET 2013


Hello,

I'm stuck on Thunderbird authentication with X.509 client certs.

This is my config (dovecot -n):

$ /opt/dovecot/sbin/dovecot -n
# 2.2.rc3: /opt/dovecot-2.2.rc3/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.0
auth_debug = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_verbose = yes
base_dir = /home/dovecot/
hostname = mail.ip6.li
instance_name = dovecot-01
lda_mailbox_autocreate = yes
mail_gid = dovecot
mail_uid = dovecot
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = scheme=CRYPT username_format=%u
/opt/dovecot/etc/dovecot/mailusers.993
  driver = passwd-file
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl_shared_dict = file:/home/dovecot/shared-mailboxes
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at ip6.li
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
sendmail_path = /usr/lib/sendmail
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
ssl_ca = </opt/dovecot/etc/dovecot/ip6li-user-ca.pem
ssl_cert = </opt/dovecot/etc/dovecot/mail.taunusstein.net.crt
ssl_cert_username_field = emailAddress
ssl_key = </opt/dovecot/etc/dovecot/mail.taunusstein.net.key
ssl_require_crl = no
ssl_verify_client_cert = yes
userdb {
  args = username_format=%u /opt/dovecot/etc/dovecot/mailusers.993
  driver = passwd-file
}
verbose_ssl = yes
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugin_dir = /opt/dovecot/lib/dovecot/lda
  mail_plugins =
}
protocol imap {
  mail_plugins =
}
protocol lmtp {
  mail_plugins =
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes ( in=%i : out=%o )
}
protocol pop3 {
  mail_plugins =
  pop3_uidl_format = %08Xu%08Xv
}


The logfile shows this after Thunderbird tries to get access:

Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x10,
ret=1: before/accept initialization [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: before/accept initialization [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read client hello A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write server hello A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: auth: Debug: Loading modules from
directory: /opt/dovecot-2.2.rc3/lib/dovecot/auth
Mar 22 19:22:32 dovecot dovecot: auth: Debug: Read auth token secret
from /home/dovecot//auth-token-secret.dat
Mar 22 19:22:32 dovecot dovecot: auth: Debug: passwd-file
/opt/dovecot/etc/dovecot/mailusers.993: Read 1 users in 0 secs
Mar 22 19:22:32 dovecot dovecot: auth: Debug: auth client connected
(pid=20082)
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write key exchange A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write certificate request A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 flush data [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate:
/CN=IP6LI Root Certification Authority
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate:
/CN=Intermediate CA for ip6.li users/OU=ip6.li Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate:
/emailAddress=christian at felsing.lan/CN=Christian Felsing/OU=ip6.li
Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read client certificate A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read client key exchange A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read certificate verify A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read finished A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write change cipher spec A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write finished A [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 flush data [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x20,
ret=1: SSL negotiation finished successfully [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x2002,
ret=1: SSL negotiation finished successfully [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Warning: SSL alert:
where=0x4004, ret=256: warning close notify [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=256: warning close notify [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=192.168.200.6, lip=192.168.200.22,
TLS, session=<EfvjiYfYrgCwxigG>

It seems the client cert is OK, but Dovecot does not like Thunderbird's method
of handling TLS-cert login without a username and password.

The hint at http://dovecot.org/list/dovecot/2012-December/069771.html does not
seem to be valid for Dovecot 2.2.

On the other hand, I think it is not a suitable method to include CRLs
in the CA file. The certificate should include a link to a CRL or, better, a
URL to OCSP. Does Dovecot support OCSP?

best regards
Christian
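An added example (not part of the post, and not Dovecot's own code) that reads the kind of `imap-login` debug output shown above and checks two things an admin would want to verify in this situation: which username Dovecot would derive from the client certificate under `ssl_cert_username_field = emailAddress`, and whether that username exists in the `passwd-file` used by the `passdb`/`userdb` entries. It also flags the pattern visible in the log, a completed handshake with verified certificates followed by "Disconnected (no auth attempts ...)" with `user=<>`, which means the client closed the connection without ever sending an authentication command. The log lines and the passwd-file entry below are constructed from the post's values (the list archive rewrites `@` as " at "; the sample uses the real `@` form), and the assumption that the last "Valid certificate:" line is the end-entity certificate follows the ordering seen in the post.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the imap-login lines in the post (not the real log file).
SAMPLE_LOG = """\
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /CN=IP6LI Root Certification Authority
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /CN=Intermediate CA for ip6.li users/OU=ip6.li Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Valid certificate: /emailAddress=christian@felsing.lan/CN=Christian Felsing/OU=ip6.li Certificates/O=ip6.li/C=DE
Mar 22 19:22:32 dovecot dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.200.6]
Mar 22 19:22:32 dovecot dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.200.6, lip=192.168.200.22, TLS, session=<EfvjiYfYrgCwxigG>
"""

# Constructed passwd-file entry in Dovecot's passwd-file layout:
# user:password:uid:gid:gecos:home:shell:extra  (the hash is a placeholder, not a real one)
SAMPLE_PASSWD_FILE = """\
# comment lines and blank lines are ignored
christian@felsing.lan:{CRYPT}$1$placeholder$notarealhash:::::
"""

VALID_CERT_RE = re.compile(r"imap-login: Valid certificate: (/.*)$")
NO_AUTH_RE = re.compile(r"Disconnected \(no auth attempts[^)]*\): user=<>")
DN_PAIR_RE = re.compile(r"/([A-Za-z]+)=([^/]*)")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line DN ('/C=DE/O=ip6.li/CN=x') into a dict.
    The first occurrence of a field wins, which is enough for a subject DN."""
    fields: Dict[str, str] = {}
    for key, value in DN_PAIR_RE.findall(dn):
        fields.setdefault(key, value)
    return fields


def cert_username(dn: str, field: str = "emailAddress") -> Optional[str]:
    """Return the value Dovecot would take as the username from this subject DN
    when ssl_cert_username_field is set to `field` (None if the field is absent)."""
    return parse_dn(dn).get(field)


def load_passwd_file(text: str) -> Set[str]:
    """Collect usernames (first colon-separated field) from passwd-file content."""
    users: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def analyze_session(log_text: str, username_field: str, known_users: Set[str]) -> Dict[str, object]:
    """Walk one session's log lines and summarise what the certificate login would yield."""
    subjects: List[str] = []
    handshake_ok = False
    no_auth_attempt = False
    for line in log_text.splitlines():
        m = VALID_CERT_RE.search(line)
        if m:
            subjects.append(m.group(1).strip())
        if "SSL negotiation finished successfully" in line:
            handshake_ok = True
        if NO_AUTH_RE.search(line):
            no_auth_attempt = True

    # Assumption: the chain is logged root-first, so the last subject is the client's own cert.
    leaf = subjects[-1] if subjects else None
    username = cert_username(leaf, username_field) if leaf else None
    user_known = username is not None and username in known_users

    if leaf is None:
        diagnosis = "no client certificate was verified in this session"
    elif username is None:
        diagnosis = f"client cert has no {username_field} field; Dovecot cannot derive a username from it"
    elif not user_known:
        diagnosis = f"cert username {username!r} has no matching passwd-file entry"
    elif handshake_ok and no_auth_attempt:
        diagnosis = ("TLS handshake and certificate verification succeeded, but the client "
                     "disconnected without sending any IMAP authentication command")
    else:
        diagnosis = "certificate and user mapping look consistent"

    return {
        "leaf_subject": leaf,
        "cert_username": username,
        "user_known": user_known,
        "handshake_ok": handshake_ok,
        "no_auth_attempt": no_auth_attempt,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    result = analyze_session(SAMPLE_LOG, "emailAddress", load_passwd_file(SAMPLE_PASSWD_FILE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the lines of one `session=<...>`, and `SAMPLE_PASSWD_FILE` with the contents of the file named in the `passdb` `args`; the `diagnosis` string then tells you whether the problem is the certificate field, the user mapping, or, as in the log above, a client that never attempts authentication after the handshake.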
