IMAP CLIENT CERTIFICATES


assuming you’ve got dovecot and your CA up and running already

NOTICE

We are not using the CN as username: the client still has to submit the username itself. For virtual hosting we could otherwise take it from the x500UniqueIdentifier or emailAddress subject field. SAN entries do not count in this use-case with Dovecot.

It’s worth noting that postfix-sasl cannot deal with client certificates: Dovecot’s auth service never sees the certificate the SMTP client presented to Postfix, so every SASL attempt fails as below. This is why we simply disable the client cert requirement for SASL (the `protocol !smtp` block in SETUP), to at least have it for IMAP.

    postfix/sasl/smtpd[1502]: Anonymous TLS connection established from IP-ADDRESS: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256

    postfix/sasl/smtpd[1502]: warning: IP-ADDRESS: SASL PLAIN authentication failed: Client didn't present valid SSL certificate

REQUIREMENTS

Dovecot wants the CRLs to be concatenated with (after) the Root cert.

SETUP

add external as auth method

    vi /etc/dovecot/dovecot.conf

    # client certificates as an additional authentication mechanism
    auth_mechanisms = plain login external

    # require a client cert everywhere except for the SASL service Postfix uses,
    # and keep asking for the username (see NOTICE)
    protocol !smtp {
        auth_ssl_require_client_cert = yes
        auth_ssl_username_from_cert = no
    }

    ...

    # client cert: root CA with the CRL appended after it (see REQUIREMENTS)
    ssl_ca = </etc/ssl/ORG-ROOT-CA/ca.crt
    ssl_require_crl = yes
    ssl_verify_client_cert = yes
    # subject field the username would be taken from, if we ever did
    #ssl_cert_username_field =
    # x500UniqueIdentifier
    # emailAddress

import the client cert into your client and you will see e.g. Thunderbird asking which client cert it shall use when trying to connect.
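added example, not part of the original notes nor of Dovecot itself: a throw-away CA, client certs and CRL done with the openssl CLI (the names Demo Root CA, alice, bob, ca.cnf and ca-bundle.pem are made up for the demo), showing the ssl_ca layout from REQUIREMENTS (root cert first, CRL appended after it) and what ssl_require_crl = yes buys you: the client cert is rejected once it is revoked, and also when the bundle carries no CRL at all.

```shell
#!/bin/sh
# Added example (not from the original notes): throw-away CA, client certs
# and CRL made with the openssl CLI, to show the ssl_ca bundle layout Dovecot
# expects (root cert, then CRL) and how ssl_require_crl behaves.
# All names (Demo Root CA, alice, bob, ca-bundle.pem) are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so that `openssl ca` can issue, revoke and generate CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Root CA (stand-in for ORG-ROOT-CA); unencrypted key for the demo only.
openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -nodes -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" -days 30

# Issue a client cert for a mailbox user, CN = username, signed by that CA.
issue_client() {
  openssl req -new -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt"
}

# Dovecot wants one ssl_ca file: the root certificate first, the current CRL
# appended after it. Regenerate the CRL, then concatenate in that order.
build_bundle() {
  openssl ca -config ca.cnf -gencrl -out ca.crl
  cat ca.crt ca.crl > ca-bundle.pem
}

# The checks Dovecot does with ssl_verify_client_cert + ssl_require_crl:
# chain to the root AND a CRL check. Prints accepted or rejected.
check_client() {
  if openssl verify -crl_check -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Revoke a client cert and rebuild the bundle with the fresh CRL.
revoke_client() {
  openssl ca -config ca.cnf -revoke "$1"
  build_bundle
}

issue_client alice
build_bundle
check_client alice.crt ca-bundle.pem   # accepted
check_client alice.crt ca.crt          # rejected: no CRL to check against
revoke_client alice.crt
check_client alice.crt ca-bundle.pem   # rejected: listed on the CRL now
```

the middle check is the REQUIREMENTS point: with ssl_require_crl = yes a root cert alone is not enough, the CRL has to be in the same file. it also means the bundle has to be rebuilt (and Dovecot reloaded) whenever the CRL is regenerated, as a CRL past its nextUpdate makes verification fail as well.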

SERVER CERT ON STEROIDS

in some extremely paranoid use-case, you might also want to switch to your own CA for the server cert

    ssl_cert = </etc/ssl/NETHENCE-ROOT-CA/xc.crt
    ssl_key = </etc/ssl/NETHENCE-ROOT-CA/xc.key

and you obviously need to import the CA cert into your client for that matter.

TROUBLES

while trying to auth with Thunderbird and a client cert

    dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=HOME, arg=.: user=<>,

==> simply wrong path to the server cert?

    dovecot: imap-login: Error: Failed to initialize SSL server context: Couldn't parse private SSL key (ssl_key setting) (maybe ssl_key_password is wrong?): error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt, error:0906A065:PEM routines:PEM_do_header:bad decrypt: user=<>, rip=62.221.83.44, lip=62.210.110.7, session=<uP2WCZe63LU+3VMs>

==> don’t use the CA key as server key: it is passphrase-protected, hence the bad decrypt (it could otherwise have done the trick, unless you do it right and dedicate an offline machine to your CA).

RESOURCES

instructions https://wiki.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication

tutorials

passwd + pkix https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html

server capabilities https://serverfault.com/questions/624303/dovecot-certificate-authentication

nsCertType and CRL https://unix.stackexchange.com/questions/348372/dovecot-rejecting-client-certificate

troubles

no SAN https://dovecot.org/pipermail/dovecot/2012-March/082158.html