在 Nginx Web 服务器上实现证书身份验证后,我想在 Dovecot 邮件服务器上执行相同的操作。这个想法是创建您自己的 CA 并管理证书(颁发和撤销)。要验证客户端证书,您需要您的根 CA 证书和 CRL。为了建立安全连接,可以使用由真正的 CA 签名的证书(如果您不想在每个工作站上导入您自己的根 CA 证书)。
到目前为止,我已经阅读了 Dovecot 官方 wiki 中的以下页面:
这让我找到了这个配置文件:
listen = *,[::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl = required
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_ca = </etc/postfix/ca.pem
ssl_cert_username_field = emailAddress
ssl_verify_client_cert = yes
ssl_require_crl = yes
auth_ssl_require_client_cert = yes
ssl_username_from_cert = yes
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = dict:user::file:/var/vmail/%d/%n/.quotausage
sieve=/var/vmail/%d/%n/.sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
user = root
}
service imap-login {
client_limit = 1000
process_limit = 500
}
protocol imap {
mail_plugins = quota imap_quota
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_plugins = quota
}
protocol lda {
mail_plugins = sieve quota
}
用于验证客户端证书的 ca.pem 格式根据上面的第二个链接进行设置,包含根 CA 证书和 CRL,均为 PEM 格式。此外,用于建立安全连接的证书和密钥对也是 PEM 格式(尽管扩展名为 .cert 和 .key)。
上面第二个链接中提到的设置:(ssl_username_from_cert = yes与(默认为 commonName)结合使用ssl_cert_username_field会产生错误:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
failed!
注释掉该选项并重新启动 Dovecot,我没有收到任何配置错误,但它不起作用。 shell 测试结果如下:
openssl s_client -connect mail.example.com:imaps
CONNECTED(00000003)
就这样。
如果我注释掉所有涉及证书认证的行(所有以 ssl 开头的行,除了 ssl、ssl_cert 和 ssl_key 对,它们用于仅允许安全的 SSL/TLS 连接),它可以工作,但我得不到证书认证。
在 Google 上搜索的结果是实施安全的 SSL/TLS 连接(到目前为止我已经这样做了)。 本指南,它准确地解释了我想要做的事情,但还没有完成。在 Dovecot 配置文件中,它有一个 ToDo 列表。
我在 Linux Debian 7(Wheezy)上运行 Dovecot 2.1.7 版本 - 目前是 Debian 稳定版本。
任何帮助都将受到赞赏。
注意:我只想为 IMAP 协议实现此功能。
编辑1:
如果您发现任何错误(不良做法、不安全),请发表评论!
ssl_username_from_cert更改并重新启动 Dovecot后auth_ssl_username_from_cert,一切似乎运行良好。
openssl s_client -connect mail.example.com:imaps
CONNECTED(00000003)
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = [email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/[email protected]
i:/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
-----END CERTIFICATE-----
subject=/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/[email protected]
issuer=/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
---
Acceptable client certificate CA names
/C=XX/ST=Some-State/O=Another Company Ltd.
---
SSL handshake has read 3107 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0010 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0020 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0030 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0040 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0050 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0060 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0070 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0080 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0090 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
Compression: 1 (zlib compression)
Start Time: 1409206799
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
和
doveconf -a | grep ssl
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
imapc_ssl = no
imapc_ssl_ca_dir =
imapc_ssl_verify = yes
pop3c_ssl = no
pop3c_ssl_ca_dir =
pop3c_ssl_verify = yes
ssl = no
ssl = yes
ssl = no
ssl = yes
service ssl-params {
executable = ssl-params
unix_listener login/ssl-params {
ssl = required
ssl_ca = </etc/postfix/ca.pem
ssl_cert = </etc/postfix/smtpd.cert
ssl_cert_username_field = emailAddress
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_client_cert =
ssl_client_key =
ssl_crypto_device =
ssl_key = </etc/postfix/smtpd.key
ssl_key_password =
ssl_parameters_regenerate = 1 weeks
ssl_protocols = !SSLv2
ssl_require_crl = yes
ssl_verify_client_cert = yes
verbose_ssl = no
是时候尝试一下了。我将用户证书导入 Thunderbird 并设置身份验证方法:TLS 证书。但是当我尝试连接时,我收到以下错误消息:
The IMAP Server [email protected] does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server Settings'.
注意:密码验证有效(当然通过 TLS 安全连接)。
我们很接近了。
答案1
Dovecot wiki 似乎有错误,或者设置的名称ssl_username_from_cert已更改。在我的 Ubuntu 主机上,Dovecot 2.2.9,在 /etc/dovecot/conf.d/10-auth.conf 中,我有:
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
因此看起来您需要用 替换ssl_username_from_cert,auth_ssl_username_from_cert并且 wiki 需要进行更正。
答案2
我也遇到了同样的问题。
在阅读了规范并检查了原始日志输出后,我设法使其工作正常。
您需要external通过在变量值中列出身份验证方法来启用它auth_mechanisms。
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
C: 1 STARTTLS
S: 1 OK Begin TLS negotiation now.
C: 2 capability
S: CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=EXTERNAL
S: 2 OK Pre-login capabilities listed, post-login capabilities have more.
如果 Dovecot 没有以某种AUTH=EXTERNAL方式做出响应(无论是通过 IMAPS 端口时的问候语中,还是CAPABILITY如上所示的客户端请求之后),Thunderbird 将关闭连接并向您显示一条错误消息,提示服务器不支持使用证书进行日志记录。
否则,继续进行身份验证。
C: 3 authenticate EXTERNAL bm9ib2R5QGV4YW1wbGUuY29t
另外,请确保在用户数据库中包含用户名。