As in my earlier question, where I successfully set up an authenticating Dovecot IMAP proxy using Kerberos/GSSAPI, I want to do the same thing with TLS client certificates:
- My upstream (backend) IMAP server allows authentication without a password (it trusts this Dovecot proxy to have authenticated the user correctly).
- This Dovecot proxy is set up to verify the TLS client certificate and take the username from the certificate's Common Name field.
Dovecot configuration file:
# Default configuration will have it listen on IMAP tcp/143 with StartTLS required and IMAPS tcp/993 with TLS required.
protocols = imap
hostname = myhostname.domain.tld
passdb {
driver = static
# Backend IMAP server that accepts any/none password for a given user.
args = proxy=y host=10.1.2.3 port=9999 pass=masterpass nopassword=y
}
# Deliberately omitted userdb, because this is a proxy.
# local username only
auth_username_format = %n
# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes
verbose_ssl = yes
auth_debug = yes
ssl = required
ssl_cert = </etc/dovecot-ssl/cert.crt
ssl_key = </etc/dovecot-ssl/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:[... omitted for brevity ...]
# SSL client certificate authentication required (no password required by client).
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
ssl_ca = </etc/dovecot-ssl/client-ca.crt
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
# I don't have a CRL set up at this point (will do later), and Dovecot requires the CRL check to be disabled or else it fails.
ssl_require_crl = no
# Take the username from the client certificate (CN)
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName
This does work, except for one thing: the client still has to supply a dummy username/password.
Answer 1
Enable `external` in `auth_mechanisms`, and make sure the username supplied by the client matches the one extracted from the certificate.
It would be better to override the supplied username so that typos are avoided (as in the earlier case). Suggestions for fixing that are welcome.
It is very frustrating that this mechanism is not listed in the Dovecot configuration documentation for `auth_mechanisms`, which caused me to waste far too much time on this.
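A client-side check for the fix described in the answer (that is, `auth_mechanisms = plain login external` added to the configuration above). This is an added example, not code from the original question, the answer, or the Dovecot project. It opens an IMAPS connection presenting a client certificate, confirms that the proxy advertises `AUTH=EXTERNAL` once TLS is up, and authenticates with `AUTHENTICATE EXTERNAL` carrying an empty authorization identity, so the client types neither a username nor a password and the only username in play is the one Dovecot takes from the certificate. The hostname, port and the certificate/key/CA file paths in `__main__` are assumed placeholders.

```python
"""Client-side check for a Dovecot proxy that authenticates by TLS client certificate.

Added example (not from the original post or from Dovecot): it opens an IMAPS
connection presenting a client certificate, confirms the server advertises
AUTH=EXTERNAL, and logs in with `AUTHENTICATE EXTERNAL` carrying an empty
authorization identity, so no username or password is typed by the client.
"""
import base64
import re
import socket
import ssl
import sys


def auth_mechs_from_capability(line: bytes) -> set:
    """Return the SASL mechanisms named in a CAPABILITY line or response code.

    Dovecot lists them in its greeting once TLS is up, e.g.
    b'* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=EXTERNAL] Dovecot ready.'
    With `ssl = required`, the plaintext greeting on tcp/143 shows no AUTH=
    entries at all, so this must be checked on tcp/993 (or after STARTTLS).
    """
    return {m.decode() for m in re.findall(rb"AUTH=([A-Z0-9_-]+)", line)}


def external_command(tag: str, authzid: str = "") -> bytes:
    """Build `AUTHENTICATE EXTERNAL` with a SASL initial response (RFC 4959).

    The EXTERNAL initial response is the authorization identity the client asks
    for.  Leaving it empty tells the server to use the identity from the client
    certificate; RFC 4959 encodes an empty initial response as a bare '='.
    """
    initial = base64.b64encode(authzid.encode()).decode() or "="
    return f"{tag} AUTHENTICATE EXTERNAL {initial}\r\n".encode()


def imap_external_login(host, port, certfile, keyfile, cafile, timeout=10.0):
    """Authenticate to host:port with the client certificate only.

    Returns (advertised_mechanisms, tagged_result) where tagged_result is the
    server's final line for the AUTHENTICATE command, e.g. 'a1 OK ... Logged in'.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the proxy's own server cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)            # the certificate Dovecot maps to a user
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        conn = tls.makefile("rwb")
        greeting = conn.readline()
        mechs = auth_mechs_from_capability(greeting)
        if not mechs:                                  # greeting without capabilities: ask explicitly
            conn.write(b"a0 CAPABILITY\r\n")
            conn.flush()
            line = conn.readline()
            while line and not line.startswith(b"a0 "):
                mechs |= auth_mechs_from_capability(line)
                line = conn.readline()
        if "EXTERNAL" not in mechs:
            conn.write(b"a9 LOGOUT\r\n")
            conn.flush()
            raise RuntimeError("AUTH=EXTERNAL not offered ('external' missing from "
                               f"auth_mechanisms?); got {sorted(mechs)}")
        conn.write(external_command("a1"))
        conn.flush()
        line = conn.readline()
        if line.startswith(b"+"):                      # server ignored SASL-IR: send the empty response
            conn.write(b"\r\n")
            conn.flush()
            line = conn.readline()
        while line and not line.startswith(b"a1 "):    # skip untagged data such as '* CAPABILITY'
            line = conn.readline()
        if not line:
            raise RuntimeError("connection closed during AUTHENTICATE EXTERNAL")
        conn.write(b"a2 LOGOUT\r\n")
        conn.flush()
        return mechs, line.decode(errors="replace").strip()


if __name__ == "__main__":
    # Assumed placeholders: adjust the host, port and file paths to your deployment.
    host, port = "myhostname.domain.tld", 993
    mechs, result = imap_external_login(host, port, "client.crt", "client.key", "server-ca.crt")
    print("advertised:", sorted(mechs))
    print("result:", result)
    sys.exit(0 if result.startswith("a1 OK") else 1)
```

Run it against tcp/993; a proxy still configured as in the question answers the `AUTHENTICATE EXTERNAL` attempt with a tagged `NO`, or does not list `AUTH=EXTERNAL` at all, while the corrected configuration returns `a1 OK` and the backend sees the proxied login for the certificate's Common Name. The raw protocol is used instead of `imaplib` so that both halves of the SASL exchange (the `=` initial response and the fallback empty continuation reply) are visible.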