2/26/2019 Dovecot and Postfix client certificate authentication - Mortikia Blog

Dovecot and Postfix client certificate authentication


Date: Thu 08 June 2017. Modified: Sat 10 June 2017. Tags: communications (https://blog.mortis.eu/tag/communications.html) / free-software (https://blog.mortis.eu/tag/free-software.html) / open-source (https://blog.mortis.eu/tag/open-source.html)

For a while now I’ve been interested in using client certificates for authenticating e-mail clients over IMAP and SMTP, while still permitting password authentication.
This week I finally decided to figure out how to get this to work. Because it took me quite some effort to work out, and I couldn’t find anyone else documenting
the same setup, I thought describing mine might help other people.

I’m using Postfix 2.11.3 (https://packages.debian.org/jessie/postfix) for SMTP and a patched Dovecot 2.2.27 (https://packages.debian.org/jessie-backports/dovecot-imapd)
for IMAP. I had to patch Dovecot because the required functionality only gets introduced with 2.2.28 in cdf00f5
(https://github.com/dovecot/core/commit/cdf00f56f959c078dc5201d60e6bb88f3a7263af):

auth: Support filtering by SASL mechanism: passdb { mechanisms }

So if you want to get the same functionality either use Dovecot 2.2.28 or higher or backport the mentioned commit like I did.

Certificate Authority
To manage my CA (https://en.wikipedia.org/wiki/Certificate_authority) I’m using the easy-rsa (https://github.com/OpenVPN/easy-rsa) utility. For brevity I’m not
documenting how to use that, except to mention how I’m exporting the combined CA+CRL file which is what I’m using in the rest of this article. Producing that file is done
as follows:

$ cd easy-rsa/easyrsa3
$ ./easyrsa gen-crl
$ cat pki/ca.crt pki/crl.pem > pki/ca+crl.pem
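The combined ca+crl.pem produced above is the single file both daemons verify against. As an added example (not part of this post, and using plain openssl rather than easy-rsa so nothing beyond openssl is needed), the script below builds a throw-away CA, issues a client certificate whose subject carries emailAddress=user@example.com, and then performs the two things the servers do at connection time: verify the chain and CRL against ca+crl.pem, and extract the emailAddress field that Dovecot will later use as the login name. It then revokes the certificate, republishes the bundle and shows the same verification fail. All file names, the CA name and the user address are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the blog post: rebuild the CA + CRL workflow with
# plain openssl (instead of easy-rsa) on a throw-away CA, then run the checks
# Postfix and Dovecot perform: chain + CRL verification against the combined
# ca+crl.pem and extraction of the emailAddress field used as login name.
# All paths, names and the user@example.com identity are constructed for this demo.
set -eu

write_ca_config() {   # $1 = working directory; minimal config "openssl ca" needs
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = optional
emailAddress     = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

publish_ca_crl() {    # $1 = working directory; regenerate the CRL and the bundle the daemons load
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem"
  cat "$1/ca.crt" "$1/crl.pem" > "$1/ca+crl.pem"
}

build_demo_ca() {     # $1 = working directory; creates CA, one client cert and an empty CRL
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  write_ca_config "$1"
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/ca.key"
  openssl req -new -x509 -config "$1/ca.cnf" -key "$1/ca.key" -days 30 \
      -subj "/CN=Demo Mail CA" -out "$1/ca.crt"
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/client.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/client.key" \
      -subj "/CN=user/emailAddress=user@example.com" -out "$1/client.csr"
  openssl ca -config "$1/ca.cnf" -batch -notext -in "$1/client.csr" -out "$1/client.crt"
  publish_ca_crl "$1"
}

revoke_client() {     # $1 = working directory; revoke the client cert and republish ca+crl.pem
  openssl ca -config "$1/ca.cnf" -revoke "$1/client.crt"
  publish_ca_crl "$1"
}

verify_client() {     # $1 = ca+crl.pem, $2 = client cert; 0 only if the chain is valid and not revoked
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_username() {     # $1 = client cert; the value Dovecot takes with ssl_cert_username_field = emailAddress
  openssl x509 -noout -email -in "$1"
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  build_demo_ca "$work" 2>/dev/null
  verify_client "$work/ca+crl.pem" "$work/client.crt" && echo "valid, login name: $(cert_username "$work/client.crt")"
  revoke_client "$work" 2>/dev/null
  verify_client "$work/ca+crl.pem" "$work/client.crt" || echo "revoked certificate rejected, as expected"
  rm -rf "$work"
fi
```

The script only writes inside a directory created by mktemp, so it can run as an unprivileged user. The operational point it illustrates: after every revocation the CRL has to be regenerated and concatenated again, and the daemons reloaded, otherwise they keep trusting the revoked certificate until the bundle they loaded is refreshed.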

SMTP server Postfix


First let’s add certificate authentication to Postfix, as it’s the easiest. We’re assuming that any valid certificate signed by our CA is authorized to use this server for
relaying mail. If you actually want anything more complicated than that, I don’t think Postfix can currently help you.

In /etc/postfix/master.cf configure TLS to be required and ask for a client certificate on the submission port. You don’t want to do this globally, in main.cf, because
some servers wishing to deliver mail to you might not deal well with being asked for a client certificate.

submission inet n       -       -       -       -       smtpd
  # mandatory encryption. 'may', opportunistic encryption, works too, but you
  # probably don't want that
  -o smtpd_tls_security_level=encrypt
  # enable regular SASL authentication (with passwords, assuming you currently
  # have this and want to retain it)
  -o smtpd_sasl_auth_enable=yes
  # ask for a client certificate: gives the client the opportunity to provide
  # one, not the obligation to do so
  -o smtpd_tls_ask_ccert=yes

Then in /etc/postfix/main.cf configure certificate verification and give permission for relay access:

smtpd_tls_CAfile = /etc/easy-rsa/easyrsa3/pki/ca+crl.pem
# necessary to prevent any random, public, CA from giving relay access to your server
tls_append_default_CA = no

# add to either smtpd_recipient_restrictions or smtpd_relay_restrictions
# depending on which of those you use to control authenticated relay access
smtpd_relay_restrictions =
    permit_sasl_authenticated
    permit_tls_all_clientcerts

IMAP server Dovecot


For setting up Dovecot I’ll assume you already have it running with TLS enabled. I’m only describing the additional configuration options that are needed. In
/etc/dovecot/conf.d/10-ssl.conf add:


# Our CA that we use to sign the client certificates
ssl_ca = </etc/easy-rsa/easyrsa3/pki/ca+crl.pem

# only permit non-revoked certificates
ssl_require_crl = yes

# ask for client certificates (but don't require them)
ssl_verify_client_cert = yes

# I'm using a full mail address as username and storing it in the emailAddress
# field of the certificate (the field name is OpenSSL's short name for the
# PKCS#9 e-mail address attribute)
ssl_cert_username_field = emailAddress

In /etc/dovecot/conf.d/10-auth.conf add EXTERNAL as an authentication mechanism:

# Use the username taken from the client certificate
auth_ssl_username_from_cert = yes

# Add 'external' to auth_mechanisms. That will use the username extracted from
# the certificate combined with the empty string as password to authenticate.
# This is my list of enabled mechanisms
auth_mechanisms = plain login external

Now comes the “trick” to making the combination of password and certificate authentication work. Because Dovecot’s EXTERNAL authentication mechanism attempts to
authenticate with the empty string as password, we need a password database that permits that. At the same time, we want regular password logins to fail when the
empty string is given as password. This requires the filtering of password databases by SASL mechanism added in Dovecot 2.2.28 that I mentioned earlier. I’m adding a
passwd-file password database containing only the usernames, without passwords, as /etc/dovecot/users-external:

user@example.com:::::::
other-user@example.com:::::::

Subsequently I’m adding an EXTERNAL-specific password database to /etc/dovecot/conf.d/auth-passwdfile.conf.ext. Make sure to also include it, near the bottom
of /etc/dovecot/conf.d/10-auth.conf.

passdb {
  driver = passwd-file
  # the PLAIN scheme prevents us from having to hash the empty string
  args = scheme=PLAIN username_format=%u /etc/dovecot/users-external

  # this option requires Dovecot 2.2.28 (or the patch), without it this setup
  # is insecure because it permits logins with the empty string as password
  mechanisms = external

  # explicitly permit empty passwords
  override_fields = nopassword
}
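Both the Postfix relay permission above and this passdb block are safe only in combination with a second setting: permit_tls_all_clientcerts needs smtpd_tls_CAfile set and tls_append_default_CA left off, and a nopassword passdb needs its mechanisms filter. As an added example (not from this post), the two awk-based checks below read a Dovecot conf file and a Postfix main.cf and exit non-zero when either combination is missing, so the hole can be caught in a config review or a deploy pipeline. The sample files that demo() writes are constructed copies of the post's own snippets; their names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the blog post: lint the two settings whose absence
# turns this setup into an open relay or an empty-password login.

# Flag any passdb block that allows empty passwords (override_fields = nopassword)
# but is not restricted to a SASL mechanism (mechanisms = ...): without the filter,
# PLAIN/LOGIN can authenticate any listed user with the empty string as password.
audit_dovecot_passdb() {   # $1 = Dovecot conf file containing passdb { } blocks
  awk '
    /^[[:space:]]*passdb[[:space:]]*[{]/ { inblk = 1; n++; nopw = 0; mech = ""; drv = "?"; next }
    inblk { sub(/#.*/, ""); sub(/[[:space:]]+$/, "") }      # drop comments and trailing blanks
    inblk && /^[[:space:]]*[}]/ {
      if (nopw && mech == "") { printf "UNSAFE passdb #%d (%s): nopassword without a mechanisms filter\n", n, drv; bad = 1 }
      else if (nopw)          { printf "ok     passdb #%d (%s): nopassword limited to mechanisms \"%s\"\n", n, drv, mech }
      inblk = 0; next
    }
    inblk && /^[[:space:]]*driver[[:space:]]*=/     { sub(/^[^=]*=[[:space:]]*/, ""); drv = $0 }
    inblk && /^[[:space:]]*mechanisms[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); mech = $0 }
    inblk && /^[[:space:]]*override_fields[[:space:]]*=.*nopassword/ { nopw = 1 }
    END { exit bad + 0 }
  ' "$1"
}

# With permit_tls_all_clientcerts every certificate trusted through smtpd_tls_CAfile
# may relay, so the CA file must be set and the system CA bundle must not be appended.
audit_postfix_main_cf() {  # $1 = Postfix main.cf (continuation lines start with whitespace)
  awk '
    function flush() { if (key != "") cfg[key] = val; key = "" }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]/ { val = val " " $0; next }                # continuation of previous value
    { flush(); i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/[[:space:]]/, "", key) }
    END {
      flush()
      restr = cfg["smtpd_relay_restrictions"] " " cfg["smtpd_recipient_restrictions"]
      if (restr !~ /permit_tls_all_clientcerts/) { print "info   permit_tls_all_clientcerts not in use"; exit 0 }
      if (cfg["smtpd_tls_CAfile"] !~ /[^[:space:]]/) { print "UNSAFE permit_tls_all_clientcerts without smtpd_tls_CAfile"; bad = 1 }
      if (cfg["tls_append_default_CA"] ~ /yes/) { print "UNSAFE tls_append_default_CA = yes lets any public-CA certificate relay"; bad = 1 }
      if (!bad) print "ok     client-cert relay limited to certificates signed by smtpd_tls_CAfile"
      exit bad + 0
    }
  ' "$1"
}

demo() {   # constructed copies of the post's snippets, written to a temporary directory
  d=$(mktemp -d)
  cat > "$d/auth-passwdfile.conf.ext" <<'EOF'
passdb {
  driver = passwd-file
  args = scheme=PLAIN username_format=%u /etc/dovecot/users-external
  mechanisms = external
  override_fields = nopassword
}
EOF
  cat > "$d/main.cf" <<'EOF'
smtpd_tls_CAfile = /etc/easy-rsa/easyrsa3/pki/ca+crl.pem
tls_append_default_CA = no
smtpd_relay_restrictions =
    permit_sasl_authenticated
    permit_tls_all_clientcerts
EOF
  audit_dovecot_passdb "$d/auth-passwdfile.conf.ext" || :
  audit_postfix_main_cf "$d/main.cf" || :
  rm -rf "$d"
}
demo
```

Run the audit functions against the real files (for Dovecot, the output of doveconf -n is a good input since it resolves includes); a non-zero exit marks a configuration that would accept empty-password logins or relay for any trusted certificate.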

You can test this on a terminal with openssl s_client (the -tls1 option below pins the deprecated TLS 1.0; drop it to let the client negotiate the protocol version):

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -verify 4 \
> -cert ${PATH_TO_CLIENT_CERT} \
> -key ${PATH_TO_PRIVATE_KEY_FOR_CLIENT_CERT} \
> -tls1 -starttls imap -connect imap.example.com:imap
<lots of text scrolling by>
. OK Pre-login capabilities listed, post-login capabilities have more.
A001 AUTHENTICATE EXTERNAL ""
* CAPABILITY IMAP4rev1 ......
A001 OK Logged in

Thunderbird as Client
When using Thunderbird as a client you can specify the “TLS certificate” “authentication method” in the “security settings” portion of the “server settings” for your account
settings. Unfortunately you cannot choose this during the account setup wizard. So during the wizard you’ll still need to use password authentication. For SMTP you can
just use “no authentication” as the “authentication method” (it’s a misleading name).

      

© 2017 Giel van Schijndel. Content licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (https://creativecommons.org/licenses/by-sa/4.0/deed.en), except where indicated otherwise.