Hello,

My mail system is built with postfix, dovecot and roundcube.
At first, users can view and "manage" their mail only through the webmail.
So this one (webmail) uses IMAP authentication (no TLS/SSL at all) to give 
access to users' maildirs. This connection is made on the 'loopback' interface 
and uses the PLAIN method.
This works fine (configuration below without SSL parameters).


Now I want to read and send my mail with a MUA (thunderbird).
As my system is hosted at an Internet provider, I want to add more security "solutions".
I use smtps with postfix and SASL auth through the dovecot socket mechanism to send mail.
I use imaps with dovecot for managing my maildir.

I have added SSL parameters to the configuration file (see below) and I 
require a certificate from the client (to avoid man-in-the-middle attacks and to 
give access only to clients with a user certificate).
To get this, "ssl_require_client_cert" is set to yes.
Ok, now imaps works perfectly.
But since a certificate is required, webmail authentication (localhost) and SASL 
(postfix auth through the dovecot socket mechanism) don't work.

Webmail => dovecot: imap-login: Disconnected (cert required, client didn't 
start TLS): method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Postfix => postfix/smtpd[71640]: warning: TOTO[X.A.B.C]: SASL PLAIN 
authentication failed: Client didn't present valid SSL certificate

That's normal. But the 127.0.0.1 client (network) is considered secure by 
dovecot, so shouldn't auth be possible without a certificate?

Can't we make two auth policies: a secure one (client cert required) for public 
IP/clients and a less "secure" one (without client cert) for the local process (postfix) 
and the local network (127.0.0.1) for roundcube?
I see the section "auth default { ... }" and it is used by ... default! But can we 
make another one to handle these two particular authentications on the same 
"instance"?

Thank you.


And then my configuration:

operating system => FreeBSD 7.1

dovecot --version => 1.2.8

dovecot -n =>
# 1.2.8: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.1-RELEASE i386  ufs
protocols: imap
listen: 127.0.0.1
ssl_listen: X.Y.Z.T
ssl: yes
ssl_ca_file: /usr/local/etc/dovecot/CAclient.pem
ssl_cert_file: /usr/local/etc/dovecot/imaps.pem
ssl_key_file: /usr/local/etc/dovecot/imaps.key
ssl_verify_client_cert: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/jails/mails/%d/%n
imap_client_workarounds: delay-newmail netscape-eoh tb-extra-mailbox-sep
lda:
  postmaster_address: postmas...@something
  hostname: SOMETHING_ELSE
  sendmail_path: /usr/sbin/sendmail
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  userdb:
    driver: passwd-file
    args: username_format=%n /jails/mails/dov_pass/%d/usr_pas
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: wheel
    master:
      path: /var/run/dovecot/auth-master
      mode: 384



Best regards,
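Added example, not part of the original post or of Dovecot: a small Python script that parses the indentation-nested "dovecot -n" output shown above (both the "key: value" and the "key = value" forms) and reports which login paths a global ssl_require_client_cert=yes cannot satisfy. It reproduces the two failures in the post's logs from the configuration alone: every plaintext listener (here 127.0.0.1, which is "secured" but never starts TLS, so it can never present a certificate) and the Postfix SASL client socket. The sample configuration and the 192.0.2.10 address are constructed; the paths are placeholders.

```python
"""Parse Dovecot 1.x 'dovecot -n' output and list the login paths that a
global ssl_require_client_cert=yes will reject (added example, not project code)."""

SAMPLE_DOVECOT_N = """\
# constructed sample in the shape of the post's 'dovecot -n' output
protocols: imap
listen: 127.0.0.1
ssl_listen: 192.0.2.10
ssl: yes
ssl_verify_client_cert: yes
mail_location: maildir:/srv/mail/%d/%n
auth default:
  mechanisms: plain login
  passdb:
    driver: passwd-file
    args: username_format=%n /srv/mail/dov_pass/%d/usr_pas
  ssl_require_client_cert = yes
  ssl_username_from_cert = no
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
"""


def _split_line(line):
    """Return (key, value); value is None for a section header such as 'auth default:'.
    Returns None for a line that carries neither ':' nor '='."""
    stripped = line.strip()
    if stripped.endswith(":"):
        return stripped[:-1], None
    # The separator is whichever of ':' or '=' comes first: the ssl_* lines
    # inside 'auth default' use '=', everything else uses ':'. Taking the first
    # occurrence keeps values like 'maildir:/srv/...' or 'username_format=%n' intact.
    positions = [i for i in (stripped.find(":"), stripped.find("=")) if i >= 0]
    if not positions:
        return None
    sep = min(positions)
    return stripped[:sep].strip(), stripped[sep + 1:].strip()


def parse_dovecot_n(text):
    """Parse 'dovecot -n' output into nested dicts keyed by section name."""
    root = {}
    stack = [(-1, root)]  # (indent level, dict for the section at that level)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:  # leaving one or more nested sections
            stack.pop()
        parsed = _split_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        parent = stack[-1][1]
        if value is None:
            section = {}
            parent[key] = section
            stack.append((indent, section))
        else:
            parent[key] = value
    return root


def check_client_cert_policy(conf):
    """Return (kind, where, reason) tuples for login paths that cannot present
    a client certificate while ssl_require_client_cert is 'yes'."""
    auth = conf.get("auth default", {})
    required = auth.get("ssl_require_client_cert",
                        conf.get("ssl_require_client_cert", "no")) == "yes"
    findings = []
    if not required:
        return findings
    # Plaintext listeners: loopback counts as 'secured' but the client never
    # starts TLS, so PLAIN/LOGIN there is disconnected with 'cert required'.
    for addr in conf.get("listen", "").split():
        findings.append(("listener", addr,
                         "non-TLS login rejected: cert required, client didn't start TLS"))
    # The Postfix SASL client socket has no TLS session at all.
    client = auth.get("socket", {}).get("client", {})
    if "path" in client:
        findings.append(("auth-socket", client["path"],
                         "SASL through the dovecot auth socket rejected: no client certificate"))
    return findings


if __name__ == "__main__":
    for kind, where, reason in check_client_cert_policy(parse_dovecot_n(SAMPLE_DOVECOT_N)):
        print(f"{kind} {where}: {reason}")
```

Run it against real "dovecot -n" output by replacing SAMPLE_DOVECOT_N. With Dovecot 1.2 the setting belongs to the whole instance, which is why a common 1.x workaround was a second instance started with "dovecot -c" and its own configuration file rather than a second "auth" section; the script only shows which paths the setting affects.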
