Dovecot certificate authentication

After implementing certificate authentication on the Nginx web server, I want to do the same on the Dovecot mail server. The idea is to create my own CA and manage the certificates (issuing and revoking). To validate client certificates, you need your root CA certificate and the CRL. To establish the secure connection, a certificate signed by a real CA can be used (if you don't want to import your own root CA certificate on every workstation).

So far I have read these pages from the official Dovecot wiki:

  1. http://wiki2.dovecot.org/SSL
  2. http://wiki2.dovecot.org/SSL/DovecotConfiguration

which led me to this configuration file:

    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl = required
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_ca = </etc/postfix/ca.pem
    ssl_cert_username_field = emailAddress
    ssl_verify_client_cert = yes
    ssl_require_crl = yes
    auth_ssl_require_client_cert = yes
    ssl_username_from_cert = yes
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve=/var/vmail/%d/%n/.sieve
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service imap-login {
      client_limit = 1000
      process_limit = 500
    }
    protocol imap {
      mail_plugins = quota imap_quota
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      mail_plugins = quota
    }
    protocol lda {
      mail_plugins = sieve quota
    }

The ca.pem used to validate client certificates is formatted according to the second link above and contains the root CA certificate and the CRL in PEM format. The certificate and key pair used to establish the secure connection are also in PEM format (even though the extensions are .cert and .key).

The setting mentioned in the second link above, ssl_username_from_cert = yes (used together with ssl_cert_username_field, which defaults to commonName), produces an error:

    doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
    [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
     failed!

After commenting out this option and restarting Dovecot, I get no configuration errors, but it doesn't work. The result of a shell test is:

    openssl s_client -connect mail.example.com:imaps
    CONNECTED(00000003)

And that's it.

If I comment out all lines involved in certificate authentication (all lines starting with ssl, except ssl, ssl_cert and ssl_key, which are only needed to allow secure SSL/TLS connections), everything works, but I don't get certificate authentication.

Searching Google leads to guides on implementing a secure SSL/TLS connection (which I have already done). This guide explains what I want to do but is not finished; its Dovecot configuration file has a ToDo list.

I am running Dovecot version 2.1.7 on Debian 7 (Wheezy), currently Debian's stable release.

Any help is appreciated.

Note: I only want to implement this for the IMAP protocol.

Edit 1:

If you find something wrong (bad practice, insecure), please comment!

After replacing ssl_username_from_cert with auth_ssl_username_from_cert and restarting Dovecot, everything seems to work.

    openssl s_client -connect mail.example.com:imaps
    CONNECTED(00000003)
    depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/[email protected]
       i:/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/[email protected]
    issuer=/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
    ---
    Acceptable client certificate CA names
    /C=XX/ST=Some-State/O=Another Company Ltd.
    ---
    SSL handshake has read 3107 bytes and written 519 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DHE-RSA-AES256-GCM-SHA384
        Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        Session-ID-ctx:
        Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        Compression: 1 (zlib compression)
        Start Time: 1409206799
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

    doveconf -a | grep ssl
    auth_ssl_require_client_cert = yes
    auth_ssl_username_from_cert = yes
    imapc_ssl = no
    imapc_ssl_ca_dir =
    imapc_ssl_verify = yes
    pop3c_ssl = no
    pop3c_ssl_ca_dir =
    pop3c_ssl_verify = yes
    ssl = no
    ssl = yes
    ssl = no
    ssl = yes
    service ssl-params {
      executable = ssl-params
      unix_listener login/ssl-params {
    ssl = required
    ssl_ca = </etc/postfix/ca.pem
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_cert_username_field = emailAddress
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
    ssl_client_cert =
    ssl_client_key =
    ssl_crypto_device =
    ssl_key = </etc/postfix/smtpd.key
    ssl_key_password =
    ssl_parameters_regenerate = 1 weeks
    ssl_protocols = !SSLv2
    ssl_require_crl = yes
    ssl_verify_client_cert = yes
    verbose_ssl = no

Time to try it out. I imported a user certificate into Thunderbird and set the authentication method to "TLS certificate". But when I try to connect, I get the following error message:

 The IMAP Server [email protected] does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server Settings'. 

Note: password authentication works (over the TLS-secured connection, of course).

We're close.

The Dovecot wiki seems to be wrong, or the name of the ssl_username_from_cert setting has changed. On my Ubuntu host with Dovecot 2.2.9, in /etc/dovecot/conf.d/10-auth.conf, I have:

    # Take the username from client's SSL certificate, using
    # X509_NAME_get_text_by_NID() which returns the subject's DN's
    # CommonName.
    #auth_ssl_username_from_cert = no

So it seems you need to replace ssl_username_from_cert with auth_ssl_username_from_cert, and the wiki needs to be corrected.

I had exactly the same problem.

After reading the spec and checking the raw protocol exchange, I managed to get this working.

You need to enable the external authentication mechanism by including it in the value of the auth_mechanisms variable.

    S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
    C: 1 STARTTLS
    S: 1 OK Begin TLS negotiation now.
    C: 2 capability
    S: CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=EXTERNAL
    S: 2 OK Pre-login capabilities listed, post-login capabilities have more.

If Dovecot does not respond with the AUTH=EXTERNAL capability (either in the greeting on the IMAPS port or, as shown above, after the client's CAPABILITY request), Thunderbird closes the connection and gives the error message saying the server does not support logging in with a certificate.

Otherwise, it proceeds with authentication.

 C: 3 authenticate EXTERNAL bm9ib2R5QGV4YW1wbGUuY29t 

Also, make sure the user name is included in the user database.
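Added example, not code from the question or either answer, that ties the CA/CRL bundle the question describes to the AUTHENTICATE EXTERNAL exchange in the last answer: it builds a throwaway CA with openssl, issues a client certificate whose subject carries an emailAddress, bundles root certificate and CRL into ca.pem the way ssl_ca expects, checks the certificate against that bundle before and after revocation, and derives the base64 authzid from the certificate's emailAddress. All file names, subject values and the mailbox nobody@example.com are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or answers: a throwaway private CA that
# issues a client cert whose subject carries an emailAddress (what ssl_cert_username_field
# = emailAddress reads), bundles root cert + CRL the way ssl_ca expects, revokes the cert
# and derives the SASL EXTERNAL authzid. All paths and subject values are constructed.
set -eu
setup_ca() {                      # $1 = fresh working directory
  mkdir -p "$1/newcerts" && cd "$1"
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
    -subj "/O=Example Mail CA/CN=Example Root" -keyout root.key -out root.pem 2>/dev/null
}
# Issue a client certificate for mailbox $1 into $2 (private key in $2.key).
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=Mail user/emailAddress=$1" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$2.csr" -out "$2" 2>/dev/null
}
# Rebuild ca.pem as root CA certificate followed by the current CRL (the ssl_ca layout).
gen_crl() { openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null; cat root.pem crl.pem > ca.pem; }
revoke_client() { openssl ca -batch -config ca.cnf -revoke "$1" 2>/dev/null; gen_crl; }
# Chain + CRL check against the bundle, approximating Dovecot with ssl_require_crl = yes.
verify_client() { openssl verify -crl_check -CAfile ca.pem "$1" 2>/dev/null | grep -q ': OK$'; }
# base64 of the cert's emailAddress = the initial response for "AUTHENTICATE EXTERNAL".
external_authzid() { openssl x509 -in "$1" -noout -email | head -n 1 | tr -d '\n' | openssl base64 -A; }
setup_ca "$(mktemp -d)"; issue_client nobody@example.com client.pem; gen_crl
verify_client client.pem && echo "accepted, authzid $(external_authzid client.pem)"
revoke_client client.pem; verify_client client.pem || echo "rejected after revocation"
```

The authzid printed for nobody@example.com is the same bm9ib2R5QGV4YW1wbGUuY29t token shown in the AUTHENTICATE line above; if it does not match the emailAddress Dovecot extracts from the certificate, the EXTERNAL login is refused even though the TLS handshake succeeded.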