Ssl
帶有 TLS 客戶端證書身份驗證的 Dovecot 代理僅因“無身份驗證嘗試”而失敗
與我之前的問答類似,我成功地使用 Kerberos/GSSAPI 設置了身份驗證 Dovecot IMAP 代理,我想對 TLS 客戶端證書做同樣的事情;
- 我的上游(後端)IMAP 伺服器允許在沒有密碼的情況下進行身份驗證(信任此 Dovecot 代理以正確驗證使用者身份)。
- 此 Dovecot 代理設置為驗證 TLS 客戶端證書並從證書的 Common Name 欄位中獲取使用者名。
Dovecot 配置文件:
# Default configuration will have it listen on IMAP tcp/143 with StartTLS required and IMAPS tcp/993 with TLS required. protocols = imap hostname = myhostname.domain.tld passdb { driver = static # Backend IMAP server that accepts any/none password for a given user. args = proxy=y host=10.1.2.3 port=9999 pass=masterpass nopassword=y } # Deliberately omitted userdb, because this is a proxy. # local username only auth_username_format = %n # Logging to foreground with some verbose logging for authentication. log_path = /dev/stderr auth_verbose = yes verbose_ssl = yes auth_debug = yes ssl = required ssl_cert = </etc/dovecot-ssl/cert.crt ssl_key = </etc/dovecot-ssl/key.pem ssl_prefer_server_ciphers = yes ssl_min_protocol = TLSv1.2 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:[... omitted for brevity ...] # SSL client certificate authentication required (no password required by client). # https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication ssl_ca = </etc/dovecot-ssl/client-ca.crt ssl_verify_client_cert = yes auth_ssl_require_client_cert = yes # I don't have CRL set up at this point (will do later) and Dovecot requires to disable CRL check or else it fails. ssl_require_crl = no # Take the username from the client certificate (CN) auth_ssl_username_from_cert = yes ssl_cert_username_field = commonName
這非常有效,除了一件事:客戶端仍然需要提供虛假的使用者名/密碼。😕
我本來希望能夠在 IMAP 客戶端(身份驗證類型 = 客戶端證書)中省略使用者名/密碼,例如 K-9 郵件。
日誌中的伺服器端錯誤顯示
no auth attempts
資訊級別記錄的錯誤消息:[...] Apr 27 18:37:57 imap-login: Info: Received valid SSL certificate: [...] [...] Apr 27 18:37:57 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Apr 27 18:37:57 imap-login: Debug: SSL alert: close notify Apr 27 18:37:57 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.9.9.9, lip=10.1.2.4, TLS, session=<Yw6fj/jA1JsKMgB0> Apr 27 18:37:57 imap-login: Debug: SSL alert: close notify
設置偽造的使用者名+密碼時,登錄似乎可以工作,但是:
[...] Apr 27 18:33:36 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Apr 27 18:33:36 imap-login: Info: proxy(gert): started proxying to 10.1.2.3:9999: user=<gert>, method=PLAIN, rip=10.9.9.9, lip=10.1.2.4, TLS, session=<bSMSgPjA0psKMgB0>
所以,我的問題的底線是:我如何配置 Dovecot 以僅使用 TLS 客戶端證書登錄並避免讓我的使用者選擇隨機密碼?
我試過了:
- 設置
nologin=y
為 passdb arg 選項,但這似乎沒有任何效果。- set
auth_mechanisms = anonymous
,但這似乎沒有任何效果。- 設置
auth_mechanisms =
(空),但與任何連接失敗auth: Fatal: No authentication mechanisms configured
啟用
external
inauth_mechanisms
,並確保客戶端提供的使用者名與從證書中提取的使用者名匹配。最好覆蓋提供的使用者名而不會輸入錯誤的使用者名(例如在前一種情況下)。歡迎提出解決此問題的建議。
發現Dovecot 配置文件
auth_mechanisms
中沒有列出這種機制,這讓我在這方面浪費了很多時間,這非常令人沮喪。😕找到此選項的功勞轉到Giel van Schijndel 的“Dovecot 和 Postfix 客戶端證書身份驗證”。🙏