Dovecot and Postfix Client Certificate Authentication - Mortikia Blog
Date: Thu 08 June 2017. Modified: Sat 10 June 2017. Tags: communications (https://blog.mortis.eu/tag/communications.html) / free-software (https://blog.mortis.eu/tag/free-software.html) / open-source (https://blog.mortis.eu/tag/open-source.html)
For a while now I’ve been interested in using client certificates to authenticate e-mail clients over IMAP and SMTP, while still permitting password authentication.
This week I finally decided to actually figure out how to get this to work. Because it took me quite some effort to discover how, and I couldn’t find anyone else
documenting the same, I thought describing my setup might help other people.
I’m using Postfix 2.11.3 (https://packages.debian.org/jessie/postfix) for SMTP and a patched Dovecot 2.2.27 (https://packages.debian.org/jessie-backports/dovecot-imapd) for IMAP. I had to patch Dovecot because the required functionality only gets introduced with 2.2.28 in cdf00f5
(https://github.com/dovecot/core/commit/cdf00f56f959c078dc5201d60e6bb88f3a7263af).
So if you want the same functionality, either use Dovecot 2.2.28 or higher or backport the mentioned commit like I did.
Certificate Authority
To manage my CA (https://en.wikipedia.org/wiki/Certificate_authority) I’m using the easy-rsa (https://github.com/OpenVPN/easy-rsa) utility. For brevity I’m not
documenting how to use that, except to mention how I’m exporting the combined CA+CRL file, which is what I’m using in the rest of this article. Producing that file is done
as follows:
$ cd easy-rsa/easyrsa3
$ ./easyrsa gen-crl
$ cat pki/ca.crt pki/crl.pem > pki/ca+crl.pem
Postfix
In /etc/postfix/master.cf configure TLS to be required and ask for a client certificate on the submission port. You don’t want to do this globally, in main.cf, because
some servers wishing to deliver mail to you might not deal well with being asked for a client certificate.
# ask for a client certificate: gives the client the opportunity to provide
# one, not the obligation to do so
-o smtpd_tls_ask_ccert=yes
Then in /etc/postfix/main.cf configure certificate verification and give permission for relay access:
smtpd_tls_CAfile = /etc/easy-rsa/easyrsa3/pki/ca+crl.pem
# necessary to prevent any random, public, CA from giving relay access to your server
tls_append_default_CA = no
https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html 1/3
2/26/2019 Dovecot and Postfix client certificate authentication - Mortikia Blog
Dovecot
# I'm using a full mail address as username and storing it in the emailAddress
# field of the certificate
ssl_cert_username_field = emailAddress
# Add 'external' to auth_mechanisms. That will use the username extracted from
# the certificate combined with the empty string as password to authenticate.
# This is my list of enabled mechanisms
auth_mechanisms = plain login external
Now comes the “trick” to making the combination of password and certificate authentication work. Because Dovecot’s EXTERNAL authentication mechanism attempts to
authenticate with the empty string as password, we need a password database that permits that. At the same time, though, we want to prevent regular logins,
with a password, from succeeding when the empty string is given as the password. This requires the filtering of password databases by SASL mechanism that was added in Dovecot
2.2.28, which I mentioned earlier. I’m adding a passwd-file password database containing only the usernames, without passwords, as /etc/dovecot/users-external:
user@example.com:::::::
other-user@example.com:::::::
Subsequently I’m adding an EXTERNAL-specific password database to /etc/dovecot/conf.d/auth-passwdfile.conf.ext. Make sure to also include it, near the bottom
of /etc/dovecot/10-auth.conf.
passdb {
  driver = passwd-file
  # the PLAIN scheme prevents us from having to hash the empty string
  args = scheme=PLAIN username_format=%u /etc/dovecot/users-external
  # this option requires Dovecot 2.2.28 (or the patch), without it this setup
  # is insecure because it permits logins with the empty string as password
  mechanisms = external
}
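To make the point of the `mechanisms` setting concrete, here is an added example (not code from the post or from Dovecot) that models how a passdb list is walked for a login: the users-external file from above restricted to EXTERNAL, beside the same two files without the restriction. It assumes Dovecot's default result_failure=continue behaviour (a failed passdb lets the next one be tried); the regular password database and its password are constructed.

```python
# Model of Dovecot passdb selection with per-passdb SASL mechanism filtering.
# Constructed data: "users" stands in for the author's regular password
# database, whose contents the post does not show.

def parse_passwd_file(text):
    """Parse passwd-file lines (user:password:uid:gid:gecos:home:shell:extra)
    into {username: password}; with scheme=PLAIN the field is the literal password,
    so an empty field means the empty string is the password."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = fields[1] if len(fields) > 1 else ""
    return users

def lookup(passdbs, mechanism, username, password):
    """Walk the passdb list like Dovecot with result_failure=continue (assumed default).
    Each passdb is (name, users, mechanisms); mechanisms=None means 'any mechanism'.
    Returns the name of the passdb that accepted the login, or None if all rejected it."""
    for name, users, mechanisms in passdbs:
        if mechanisms is not None and mechanism not in mechanisms:
            continue                      # passdb is skipped for this SASL mechanism
        if users.get(username) == password:
            return name                   # result_success: login accepted here
    return None

# Constructed regular password database: real logins with a real password.
REGULAR = parse_passwd_file("user@example.com:s3cret-pw:::::::\n")
# The post's users-external file: usernames only, empty password field.
EXTERNAL = parse_passwd_file(
    "user@example.com:::::::\nother-user@example.com:::::::\n")

# Dovecot >= 2.2.28 (or patched): the empty-password passdb only serves EXTERNAL.
FILTERED = [("users", REGULAR, None), ("users-external", EXTERNAL, {"external"})]
# Same two files without `mechanisms = external`: the setup the post calls insecure.
UNFILTERED = [("users", REGULAR, None), ("users-external", EXTERNAL, None)]

def external_login(passdbs, cert_username):
    """EXTERNAL: Dovecot authenticates the certificate's username with "" as password."""
    return lookup(passdbs, "external", cert_username, "")

if __name__ == "__main__":
    print(external_login(FILTERED, "user@example.com"))                # users-external
    print(lookup(FILTERED, "plain", "user@example.com", "s3cret-pw"))  # users
    print(lookup(FILTERED, "plain", "user@example.com", ""))           # None
    print(lookup(UNFILTERED, "plain", "user@example.com", ""))         # users-external
```

The last line is the failure mode the post warns about: without the mechanism filter, a PLAIN login with an empty password is accepted by the users-external passdb for every listed user.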
Thunderbird as Client
When using Thunderbird as a client you can select “TLS certificate” as the “authentication method” in the “security settings” portion of the “server settings” for your account.
Unfortunately you cannot choose this during the account setup wizard, so during the wizard you’ll still need to use password authentication. For SMTP you can
just use “no authentication” as the “authentication method” (it’s a misleading name).