Hello!

Dovecot version - 2.2.6
Postfix version - 2.10.2
OS: Mageia Linux 4 x86_64

I have configured the Dovecot imaps server on port 993 to authenticate users via private certificates:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = no
Users' database is in OpenLDAP and in dovecot-ldap.conf.ext checking of users' passwords is disabled:
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
It all works fine.

I have configured the Postfix submission service on port 587 so that users connect via STARTTLS:
submission      inet    n       -       y       -       - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_client_restrictions=permit_tls_all_clientcerts,reject
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject
  -o smtpd_helo_restrictions=permit_tls_all_clientcerts,reject
It works fine.

And now I have a new task: I also need Postfix to authenticate OpenLDAP users using SASL on the smtps port 465. I need it for mobile devices, which don't support STARTTLS. So I have configured smtps in Postfix:
smtps   inet    n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_helo_restrictions=permit_sasl_authenticated,reject

While trying to connect to smtps, clients get the error "Client didn't present valid SSL certificate", and this is clear. The question is: how do I configure an additional auth service in Dovecot which doesn't require private certificates and authenticates users by login/password?

Configuration-files:
dovecot -n:
# 2.2.6: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.43-server-1.mga4 x86_64 Mageia 4 ext4
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
base_dir = /var/run/dovecot/
first_valid_gid = 12
first_valid_uid = 8
hostname = myexample.com
last_valid_gid = 12
last_valid_uid = 8
listen = *
login_greeting = Dovecot L ready.
login_trusted_networks = 127.0.0.0/8 10.62.0.0/16
mail_debug = yes
mail_gid = 12
mail_home = /home/mail/%d/%n
mail_location = maildir:/home/mail/%d/%n
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = homeDirectory=/home/mail/%d/%n
  driver = ldap
}
plugin {
  sieve = /home/mail/%d/%n/sieve/UsersActiveScript.sieve
  sieve_before = /var/spool/mail/dovecot.sieve
  sieve_default = /var/spool/mail/dovecot.sieve
  sieve_dir = /home/mail/%d/%n/sieve
}
postmaster_address = ad...@myexample.com
protocols = imap
service anvil {
  type = anvil
  unix_listener anvil-auth-penalty {
    group = mail
    mode = 0600
    user = mail
  }
  unix_listener anvil {
    mode = 0600
    user = mail
  }
}
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = mail
  }
}
service imap-login {
  inet_listener imap {
    port = 0
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl_ca = </etc/pki/CA/private/dovecot-ca.pem

grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf.ext:

uris = ldap://localhost
dn = cn=service,ou=Systems,dc=myexample,dc=com
dnpass = SeCrEt
auth_bind = no
ldap_version = 3
base = ou=People,dc=myexample,dc=com
deref = never
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(mail=%n@%d)(uid=%n))
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
pass_filter = (&(mail=%n@%d)(uid=%n))

Kind regards, Damir
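As an added example (not part of Damir's post and not Dovecot or Postfix code), here is a small Python parser for the `dovecot -n` block format shown above, followed by a few checks a reviewer would run over this particular configuration. The sample text is a constructed subset of the posted settings plus the two `auth_ssl_*` lines the post says are set; the check names and messages are my own.

```python
"""Parse `dovecot -n` style output into nested dicts and audit a few
security-relevant settings. Added example, not part of the original post."""

# Constructed sample: subset of the posted `dovecot -n` output, plus the
# two auth_ssl_* settings the poster says are configured.
SAMPLE_DOVECOT_N = """\
# 2.2.6: /etc/dovecot/dovecot.conf
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = no
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = mail
  }
}
ssl_ca = </etc/pki/CA/private/dovecot-ca.pem
"""

# Constructed sample: subset of the posted dovecot-ldap.conf.ext.
SAMPLE_LDAP_EXT = """\
uris = ldap://localhost
auth_bind = no
pass_attrs = uid=%n, mail=%n@%d, =nopassword=1
pass_filter = (&(mail=%n@%d)(uid=%n))
"""


def parse_dovecot_conf(text):
    """Parse `key = value` lines and `name [arg] {` ... `}` blocks.

    Block keys keep the whole header ("service auth",
    "unix_listener auth-userdb"); a repeated header becomes a list.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            header = line[:-1].strip()
            block = {}
            parent = stack[-1]
            if header in parent:                       # second block with same header
                existing = parent[header]
                parent[header] = existing + [block] if isinstance(existing, list) else [existing, block]
            else:
                parent[header] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")   # first '=' only; values may contain '='
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def _blocks(value):
    """Normalise a parsed block (dict or list of dicts) to a list."""
    return value if isinstance(value, list) else [value]


def audit(conf, ldap_conf):
    """Return a list of findings (risk notes, not fixes) for the parsed configs."""
    findings = []
    if conf.get("auth_debug_passwords") == "yes":
        findings.append("auth_debug_passwords=yes: cleartext passwords are written to the auth log")
    attrs = [a.strip() for a in ldap_conf.get("pass_attrs", "").split(",")]
    nopassword = any(a.startswith("=nopassword") for a in attrs)
    if nopassword:
        findings.append("pass_attrs sets nopassword: this passdb accepts any password; "
                        "it is only safe while every path using it also requires a client cert")
        if conf.get("auth_ssl_require_client_cert") != "yes":
            findings.append("nopassword without auth_ssl_require_client_cert=yes: "
                            "login with any password")
        for svc in _blocks(conf.get("service auth", {})):
            for key in svc:
                if key.startswith("unix_listener") and "postfix" in key:
                    findings.append(f"{key}: Postfix SASL requests are checked against the same "
                                    "nopassword passdb; relaxing the client-cert requirement for "
                                    "this path would let any password through")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dovecot_conf(SAMPLE_DOVECOT_N), parse_dovecot_conf(SAMPLE_LDAP_EXT)):
        print("-", finding)
```

The third finding is the one worth keeping in mind when answering the question: the LDAP passdb as posted never checks a password at all (`=nopassword=1`), so the certificate requirement is the only thing authenticating IMAP users. Whatever form the separate login/password auth path for port 465 takes, it needs a passdb that actually verifies the password rather than a copy of this one with the certificate check removed, and `auth_debug_passwords` should be turned off once debugging is done.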