Dan*_*ncu 7 imap dovecot ssl-certificate
在 Nginx Web 服务器上实现证书认证后,我想在 Dovecot 邮件服务器上做同样的事情。这个想法是创建您自己的 CA 并管理证书(颁发和撤销)。要验证客户端证书,您需要根 CA 证书和 CRL。为了建立安全连接,可以使用由真正 CA 签署的证书(如果您不想在每个工作站上导入自己的根 CA 证书)。
到目前为止,我已经从 Dovecot 官方 wiki 中阅读了这些页面:
这让我得到了这个配置文件:
listen = *,[::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl = required
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_ca = </etc/postfix/ca.pem
ssl_cert_username_field = emailAddress
ssl_verify_client_cert = yes
ssl_require_crl = yes
auth_ssl_require_client_cert = yes
ssl_username_from_cert = yes
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = dict:user::file:/var/vmail/%d/%n/.quotausage
sieve=/var/vmail/%d/%n/.sieve
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
user = root
}
service imap-login {
client_limit = 1000
process_limit = 500
}
protocol imap {
mail_plugins = quota imap_quota
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_plugins = quota
}
protocol lda {
mail_plugins = sieve quota
}
用于验证客户端证书的 ca.pem 根据上面的第二个链接进行格式化,并包含根 CA 证书和 CRL,均为 PEM 格式。此外,用于建立安全连接的证书和密钥对采用 PEM 格式(即使扩展名为 .cert 和 .key)。
上面第二个链接中提到的设置:(ssl_username_from_cert = yes与ssl_cert_username_field(默认为 commonName)结合使用会产生错误:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 15: Unknown setting: ssl_username_from_cert
failed!
注释掉该选项并重新启动 Dovecot,我没有收到任何配置错误,但它不起作用。外壳测试结果为:
openssl s_client -connect mail.example.com:imaps
CONNECTED(00000003)
就这样。
如果我注释掉所有涉及证书身份验证的行(所有以 ssl 开头的行,除了 ssl、ssl_cert 和 ssl_key 对,这些行仅用于允许安全的 SSL/TLS 连接),它可以工作,但我没有得到证书身份验证.
在 Google 上的搜索结果实现了安全的 SSL/TLS 连接(到目前为止我已经完成了)。 本指南,它准确地解释了我想要做什么,还没有完成。在 Dovecot 配置文件中,它有一个 ToDo 列表。
我在 Linux Debian 7 (Wheezy) 上运行 Dovecot 2.1.7 版 - 目前是 Debian 稳定版。
任何帮助表示赞赏。
注意:我只想为 IMAP 协议实现这个。
编辑 1:
如果您发现错误(不好的做法,不安全),请发表评论!
改变后ssl_username_from_cert与auth_ssl_username_from_cert并重新启动达夫科特,一切似乎运作良好。
openssl s_client -connect mail.example.com:imaps
CONNECTED(00000003)
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = postmaster@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = postmaster@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = XXXXXXXXXXXXXXXX, C = XX, CN = mail.example.com, emailAddress = postmaster@example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/emailAddress=postmaster@example.com
i:/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
-----END CERTIFICATE-----
subject=/description=XXXXXXXXXXXXXXXX/C=XX/CN=mail.example.com/emailAddress=postmaster@example.com
issuer=/C=XX/O=Company Ltd./OU=Some High Security Name/CN=Certificate Class
---
Acceptable client certificate CA names
/C=XX/ST=Some-State/O=Another Company Ltd.
---
SSL handshake has read 3107 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0010 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0020 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0030 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0040 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0050 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0060 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0070 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0080 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
0090 - XX XX XX XX XX XX XX XX-XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
Compression: 1 (zlib compression)
Start Time: 1409206799
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
和
doveconf -a | grep ssl
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
imapc_ssl = no
imapc_ssl_ca_dir =
imapc_ssl_verify = yes
pop3c_ssl = no
pop3c_ssl_ca_dir =
pop3c_ssl_verify = yes
ssl = no
ssl = yes
ssl = no
ssl = yes
service ssl-params {
executable = ssl-params
unix_listener login/ssl-params {
ssl = required
ssl_ca = </etc/postfix/ca.pem
ssl_cert = </etc/postfix/smtpd.cert
ssl_cert_username_field = emailAddress
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_client_cert =
ssl_client_key =
ssl_crypto_device =
ssl_key = </etc/postfix/smtpd.key
ssl_key_password =
ssl_parameters_regenerate = 1 weeks
ssl_protocols = !SSLv2
ssl_require_crl = yes
ssl_verify_client_cert = yes
verbose_ssl = no
是时候试试了。我将用户证书导入 Thunderbird 并设置身份验证方法:TLS 证书。但是当我尝试连接时,我收到以下错误消息:
The IMAP Server user@example.com does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server Settings'.
注意:密码验证有效(当然通过 TLS 安全连接)。
我们很接近。
Dovecot wiki 似乎有错误,或者ssl_username_from_cert设置的名称可能已更改。在我的带有 Dovecot 2.2.9 的 Ubuntu 主机上,在 /etc/dovecot/conf.d/10-auth.conf 中,我有:
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
所以看来你需要替换ssl_username_from_cert为auth_ssl_username_from_cert,wiki 需要更正。
| 归档时间: |
|
| 查看次数: |
7479 次 |
| 最近记录: |