Problem with requiring client certificates for external connections

Problem with requiring client certificates for external connections

Frank Crawford
Folks,
        I'm trying to configure my dovecot installation to require client
certificates for external/Internet connections, while still allowing my
local network to not need certificates.

        This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
tried to use the "remote" block to give different definitions for my
local network vs the defaults.  While most options seem to be set fine,
if I set "auth_ssl_require_client_cert" to yes as the default, and reset
it to no for my local network, dovecot still requests a client
certificate and fails as one is not supplied.

        Am I correct that it can be reset in a "remote" block, or is it treated
differently to other options?  In fact do I have the configuration
correct, as there doesn't really seem to be anything documenting
"remote" or "remote_ip" or related items for Dovecot 2.

        Related to this, much of the documentation states that the variable is
"ssl_require_client_cert", which seems to be accepted but ignored, vs
"auth_ssl_require_client_cert" which does have some effects.

        Also, in the configuration dump, it duplicates the netmask.

        The configuration is below, as generated with "dovecot -n".

Regards
Frank

# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
auth_ssl_require_client_cert = yes
mail_location = maildir:/var/spool/maildir/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
mbox_write_locks = fcntl
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = [hidden email]
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_cert = </etc/pki/tls/certs/dovecot.crt
ssl_key = </etc/pki/tls/private/dovecot.key
ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
protocol pop3 {
  pop3_uidl_format = %v.%u
}
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote fdd2:7aad:d478:1::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
remote 2001:44b8:62:140::/64/64 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}

Re: Problem with requiring client certificates for external connections

Bojan Smojver
Frank Crawford <frank <at> crawford.emu.id.au> writes:

> I'm trying to configure my dovecot installation to require client
> certificates for external/Internet connections, while still allowing
> my local network to not need certificates.

Exactly the same problem here on exactly the same platform (F-14), although I
used slightly different config directives (local <remoteIP>).

First, the docs for dovecot 2 don't mention auth_ssl_require_client_cert at
all. However, it seems to be important.

Second, if I set the above three for external IP, one can still log in (after
being prompted for the client cert) by cancelling on the client side. It just
goes straight through, no cert required.

On the other hand, if I put those three in the global section but then turn
them off in local <localIP>, then local clients get asked for cert no matter
what. Any client that doesn't have a valid client cert will fail.

So, this part of dovecot 2 is buggy. I tried downgrading back to 2.0.1. Same
result.

With dovecot 1 in F-13 I could at least run two daemons side by side easily.
Not possible any more, it seems (pid location hardcoded).

--
Bojan

Re: Problem with requiring client certificates for external connections

Frank Crawford
In reply to this post by Frank Crawford
Oh well, since I didn't get a response to this query, I might try a
related one.

What is the definition for the "remote" command, where should it be used
and what commands can be used within it?

Is it documented anywhere?

This is for dovecot 2.0.8, with a configuration as listed below.

Thanks
Frank

On Sun, 2010-12-19 at 13:12 +1100, Frank Crawford wrote:

> Folks,
> I'm trying to configure my dovecot installation to require client
> certificates for external/Internet connections, while still allowing my
> local network to not need certificates.
>
> This configuration is for Dovecot 2 (2.0.8 in Fedora 14), and I've
> tried to use the "remote" block to give different definitions for my
> local network vs the defaults.  While most options seem to be set fine,
> if I set "auth_ssl_require_client_cert" to yes as the default, and reset
> it to no for my local network, dovecot still requests a client
> certificate and fails as one is not supplied.
>
> Am I correct that it can be reset in a "remote" block, or is it treated
> differently to other options?  In fact do I have the configuration
> correct, as there doesn't really seem to be anything documenting
> "remote" or "remote_ip" or related items for Dovecot 2.
>
> Related to this, much of the documentation states that the variable is
> "ssl_require_client_cert", which seems to be accepted but ignored, vs
> "auth_ssl_require_client_cert" which does have some effects.
>
> Also, in the configuration dump, it duplicates the netmask.
>
> The configuration is below, as generated with "dovecot -n".
>
> Regards
> Frank
>
> # 2.0.8: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.36.1 x86_64 Fedora release 14 (Laughlin) ext4
> auth_ssl_require_client_cert = yes
> mail_location = maildir:/var/spool/maildir/%u
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> postmaster_address = [hidden email]
> ssl = required
> ssl_ca = </etc/pki/CA/cacert.pem
> ssl_cert = </etc/pki/tls/certs/dovecot.crt
> ssl_key = </etc/pki/tls/private/dovecot.key
> ssl_verify_client_cert = yes
> userdb {
>   driver = passwd
> }
> protocol pop3 {
>   pop3_uidl_format = %v.%u
> }
> remote 203.16.204.0/24/24 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
> remote fdd2:7aad:d478:1::/64/64 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
> remote 2001:44b8:62:140::/64/64 {
>   auth_ssl_require_client_cert = no
>   disable_plaintext_auth = no
>   ssl = no
>   ssl_verify_client_cert = no
> }
>


Re: Problem with requiring client certificates for external connections

Timo Sirainen
In reply to this post by Bojan Smojver
On Sat, 2010-12-25 at 11:38 +0000, Bojan Smojver wrote:
> Frank Crawford <frank <at> crawford.emu.id.au> writes:
>
> > I'm trying to configure my dovecot installation to require client
> > certificates for external/Internet connections, while still allowing
> > my local network to not need certificates.
>
> Exactly the same problem here on exactly the same platform (F-14), although I
> used a slightly different config directives (local <remoteIP>).

I already answered Bojan privately, here's for Frank & others too:

This is more of a missing feature than a bug.. Combined with not being
very obvious that it won't work.. I'll try to figure out what to do
about it, but the problem anyway is that auth settings aren't currently
supported inside local/remote {} blocks, and ssl_require_client_cert is
an auth setting (but ssl_verify_client_cert is handled by login process,
so that works).

I'll either implement local/remote blocks to work with auth settings, or
make it fail with an error that it won't work.


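The thread turns on three things that a `dovecot -n` dump will not tell you by itself: auth settings placed inside local/remote blocks are not applied there (Timo's explanation above, and the later doveconf fatal error), a block that only sets ssl_verify_client_cert leaves clients free to cancel the certificate prompt and log in anyway (Bojan's observation), and the dump prints the netmask twice (Frank's first post). Below is an added example, not code from the thread or from Dovecot, that lints a dump for exactly those conditions. The finding codes, the lint logic and the sample dumps are my own: SAMPLE_FRANK is a trimmed copy of the posted 2.0.8 config, and SAMPLE_BOJAN is a constructed block in the shape Bojan describes, with a documentation-range address standing in for his real IP.

```python
import re

# Dovecot 2.0.x knows both spellings; the thread reports the un-prefixed one
# is accepted but ignored in 2.0.8 (Timo later fixed that in rev fd9c01323475).
REQUIRE_KEYS = ("auth_ssl_require_client_cert", "ssl_require_client_cert")

# Constructed sample: trimmed from the dump Frank posted (2.0.8, Fedora 14).
SAMPLE_FRANK = """\
# 2.0.8: /etc/dovecot/dovecot.conf
auth_ssl_require_client_cert = yes
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
ssl_verify_client_cert = yes
remote 203.16.204.0/24/24 {
  auth_ssl_require_client_cert = no
  disable_plaintext_auth = no
  ssl = no
  ssl_verify_client_cert = no
}
"""

# Constructed sample in the shape Bojan describes: the cert settings only in a
# local <remoteIP> block, nothing global. 203.0.113.10 is a documentation address.
SAMPLE_BOJAN = """\
ssl = required
ssl_ca = </etc/pki/CA/cacert.pem
local 203.0.113.10 {
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = yes
}
"""

DUP_MASK = re.compile(r"^(.+?)/(\d+)(?:/\2)+$")


def normalize_network(arg):
    """Collapse the duplicated mask the 2.0.8 dump prints ('/24/24' -> '/24')."""
    m = DUP_MASK.match(arg)
    return f"{m.group(1)}/{m.group(2)}" if m else arg


def parse_doveconf(text):
    """Parse one nesting level of `doveconf -n` output: top-level key = value
    lines, `kind [arg] {` ... `}` blocks, and wrapped continuation lines."""
    top, blocks, current, last = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            kind, _, arg = line[:-1].strip().partition(" ")
            current = {"kind": kind, "arg": arg.strip(), "settings": {}}
            last = None
            continue
        if line == "}":
            blocks.append(current)
            current, last = None, None
            continue
        target = top if current is None else current["settings"]
        if "=" in line:
            key, _, value = line.partition("=")
            last = key.strip()
            target[last] = value.strip()
        elif last is not None:  # continuation of a long value, e.g. sieve capability
            target[last] += " " + line
    return top, blocks


def lint(text):
    """Return (code, scope, message) findings for the client-cert pitfalls."""
    top, blocks = parse_doveconf(text)
    findings = []
    if "ssl_require_client_cert" in top:
        findings.append(("ignored-alias", "global",
                         "ssl_require_client_cert is accepted but ignored in 2.0.8; "
                         "set auth_ssl_require_client_cert instead"))
    # Block-level overrides of auth settings are not applied, so the global
    # value is what every client actually gets.
    effective_require = top.get("auth_ssl_require_client_cert", "no") == "yes"
    for blk in blocks:
        if blk["kind"] not in ("local", "remote"):
            continue
        net = normalize_network(blk["arg"])
        scope = f'{blk["kind"]} {net}'
        if net != blk["arg"]:
            findings.append(("dup-mask", scope, f'mask duplicated in dump: {blk["arg"]}'))
        s = blk["settings"]
        for key in s:
            if key.startswith("auth_") or key in REQUIRE_KEYS:
                findings.append(("auth-in-block", scope,
                                 f"{key} is an auth setting and is not applied inside "
                                 "local/remote blocks (later 2.0 doveconf rejects it)"))
        wanted = s.get("auth_ssl_require_client_cert", s.get("ssl_require_client_cert"))
        if wanted is not None and (wanted == "yes") != effective_require:
            findings.append(("require-mismatch", scope,
                             f"block asks for require_client_cert={wanted}, effective "
                             f"value is {'yes' if effective_require else 'no'} (global)"))
        # ssl_verify_client_cert is a login-process setting, so it does work per block.
        verify = s.get("ssl_verify_client_cert", top.get("ssl_verify_client_cert", "no"))
        if verify == "yes" and not effective_require:
            findings.append(("cert-optional", scope,
                             "clients are prompted for a certificate but may decline "
                             "and still log in (verify without require)"))
        if verify != "yes" and effective_require:
            findings.append(("require-without-verify", scope,
                             "auth still requires a certificate here while verify is "
                             "off, so cert-less logins from this network are refused"))
    return findings


if __name__ == "__main__":
    for name, sample in (("Frank", SAMPLE_FRANK), ("Bojan", SAMPLE_BOJAN)):
        print(f"== {name}")
        for code, scope, msg in lint(sample):
            print(f"{code:24} {scope:28} {msg}")
```

Run it against a real `doveconf -n` dump by reading the file into `lint()`; the only knowledge it encodes is what the thread states about 2.0.8, so treat its codes as prompts to re-test with a client that declines the certificate, not as proof either way.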

Re: Problem with requiring client certificates for external connections

Frank Crawford
Timo,
        Thanks, while I'd like it to work in a remote block, knowing the limits
one way or the other is more important.

        BTW, what is the difference between "ssl_require_client_cert" and
"auth_ssl_require_client_cert", since both are known to Dovecot?

Thanks
Frank

On Wed, 2010-12-29 at 19:52 +0200, Timo Sirainen wrote:

> On Sat, 2010-12-25 at 11:38 +0000, Bojan Smojver wrote:
> > Frank Crawford <frank <at> crawford.emu.id.au> writes:
> >
> > > I'm trying to configure my dovecot installation to require client
> > > certificates for external/Internet connections, while still allowing
> > > my local network to not need certificates.
> >
> > Exactly the same problem here on exactly the same platform (F-14), although I
> > used a slightly different config directives (local <remoteIP>).
>
> I already answered Bojan privately, here's for Frank & others too:
>
> This is more of a missing feature than a bug.. Combined with not being
> very obvious that it won't work.. I'll try to figure out what to do
> about it, but the problem anyway is that auth settings aren't currently
> supported inside local/remote {} blocks, and ssl_require_client_cert is
> an auth setting (but ssl_verify_client_cert is handled by login process,
> so that works).
>
> I'll either implement local/remote blocks to work with auth settings, or
> make it fail with an error that it won't work.
>


Re: Problem with requiring client certificates for external connections

Timo Sirainen
On Thu, 2010-12-30 at 16:33 +1100, Frank Crawford wrote:
> Timo,
> Thanks, while I'd like it to work in a remote block, knowing the limits
> one way or the other is more important.

I'll implement it some day, but now it gives a clear error:

doveconf: Fatal: Error in configuration file dovecot.conf line 3: Auth
settings not supported inside local/remote blocks:
auth_ssl_require_client_cert

> BTW, what is the difference between "ssl_require_client_cert" and
> "auth_ssl_require_client_cert", since both are known to Dovecot?

That was a bug too, fixed:
http://hg.dovecot.org/dovecot-2.0/rev/fd9c01323475

