具有 TLS 客户端证书身份验证的 Dovecot 代理仅因“无身份验证尝试”而失败

具有 TLS 客户端证书身份验证的 Dovecot 代理仅因“无身份验证尝试”而失败

如同我之前的问答其中我成功地使用 Kerberos/GSSAPI 设置了一个身份验证 Dovecot IMAP 代理,我想对 TLS 客户端证书执行同样的操作;

  • 我的上游(后端)IMAP 服务器允许无需密码进行身份验证(信任此 Dovecot 代理正确地对用户进行身份验证)。
  • 此 Dovecot 代理设置为验证 TLS 客户端证书并从证书的通用名称字段中获取用户名。

Dovecot 配置文件:

# Default configuration will have it listen on IMAP tcp/143 with StartTLS required and IMAPS tcp/993 with TLS required.
protocols = imap

hostname = myhostname.domain.tld

passdb {
  driver = static
  # Backend IMAP server that accepts any/none password for a given user.
  args = proxy=y host=10.1.2.3 port=9999 pass=masterpass nopassword=y
}

# Deliberately omitted userdb, because this is a proxy.

# local username only
auth_username_format = %n

# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes
verbose_ssl = yes
auth_debug = yes

ssl = required
ssl_cert = </etc/dovecot-ssl/cert.crt
ssl_key = </etc/dovecot-ssl/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:[... omitted for brevity ...]

# SSL client certificate authentication required (no password required by client).
# https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#client-certificate-verification-authentication
ssl_ca = </etc/dovecot-ssl/client-ca.crt
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
# I don't have CRL set up at this point (will do later) and Dovecot requires to disable CRL check or else it fails.
ssl_require_crl = no

# Take the username from the client certificate (CN)
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

这个方法确实很有效,除了一件事:客户端仍然需要提供虚假的用户名/密码。

答案1

external在 中启用auth_mechanisms,并确保客户端提供的用户名与从证书中提取的用户名匹配。

最好覆盖提供的用户名,避免输入错误(如前一种情况)。欢迎提出修复该问题的建议。

非常令人沮丧的是,这种机制没有被列入Dovecot 配置文档auth_mechanisms导致我在这上面浪费了太多时间。

相关内容