LMTP STARTTLS and certificates

Ken Murchison ken at oceana.com
Tue Sep 10 09:42:53 EDT 2002



Matt Bernstein wrote:
> 
> On Aug 17 Matt Bernstein wrote:
> >On Aug 16 Ken Murchison wrote:
> 
> >>> My MTA supports STARTTLS and can offer a client cert if requested. Would
> >>> it have to issue an "AUTH EXTERNAL" on top of that? I see that lmtpd can
> >>
> >>Yes.  STARTTLS itself doesn't actually authenticate the client.  The
> >>credentials are passed to the server, so that it knows it can offer
> >>EXTERNAL, but the client still needs to authenticate.  It can choose to
> >>use EXTERNAL, which uses the info in the cert, or it could use any other
> >>mechanism that is offered.
> >
> >OK, I'll investigate the feasibility of this--but you see that without it
> >one can instead require a certificate, hence my dumb question below!
> 
> [ three weeks pass.. (sorry!) ]
> 
> I've now managed to get STARTTLS over LMTP over TCP to work.. but, when I
> switch off "-a" for lmtpd in cyrus.conf AUTH EXTERNAL disappears
> altogether. Here's the LMTP conversation (it says "SMTP" because it's the
> Exim smtp transport.. it is doing valid LMTP now I've patched it :)
> 
>   SMTP<< 220 vicar LMTP Cyrus v2.1.9 ready
>   SMTP>> LHLO mail.dcs.qmul.ac.uk
>   SMTP<< 250-vicar
>          250-8BITMIME
>          250-ENHANCEDSTATUSCODES
>          250-PIPELINING
>          250-SIZE
>          250-STARTTLS
>          250 IGNOREQUOTA
>   SMTP>> STARTTLS
>   SMTP<< 220 Begin TLS negotiation now
>   SMTP>> LHLO mail.dcs.qmul.ac.uk
>   SMTP<< 250-vicar
>          250-8BITMIME
>          250-ENHANCEDSTATUSCODES
>          250-PIPELINING
>          250-SIZE
>          250-STARTTLS
>          250-AUTH LOGIN PLAIN
>          250 IGNOREQUOTA
>   SMTP>> QUIT
> LOG: MAIN
>   == mb at vicar2 R=vicar2 T=cyrus_lmtp_tls defer (-42): authentication required but no common mechanisms were found
> 
> So.. Exim is ready to send AUTH EXTERNAL, but it's no longer offered :-/

Are you sure that Exim is offering a valid client cert?  lmtpd won't
offer EXTERNAL unless it gets an authid from the client cert.

> PS does anyone have a tool like "openssl s_client" useful for testing such
> sessions where TLS negotiation happens after connect, rather than on
> connect?

Yeah, use 'lmtptest -t <certfile>'.  You no longer need to use s_client
to test any of the Cyrus daemons.  You can use
imtest/pop3test/lmtptest/smtptest/sivtest/mupdatetest (actually, they
are all the same binary) to test SSL/TLS/AUTH.

Ken
-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
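One way to script the check Ken describes (LHLO, STARTTLS with a client certificate, a second LHLO, then see whether EXTERNAL appears) is the following Python snippet; it is an added example, not part of the thread or of the Cyrus or Exim code, and the host, port, certificate paths and LHLO name are assumptions. The `diagnose` helper also interprets the exchange Matt pasted above, where only LOGIN and PLAIN are offered after TLS.

```python
"""Check whether an LMTP server offers AUTH EXTERNAL after STARTTLS with a
client certificate (added example; host, port and cert paths are assumptions)."""
import smtplib
import ssl


def auth_mechanisms(features):
    """Return the SASL mechanisms from an (L)EHLO feature dict as smtplib
    stores it: the parameters of 'AUTH LOGIN PLAIN' live under the key 'auth'."""
    return set(features.get("auth", "").upper().split())


def diagnose(before_tls, after_tls):
    """Interpret the pre- and post-STARTTLS feature dicts the way the thread
    does: lmtpd offers EXTERNAL only if the TLS handshake produced an authid
    from the client certificate."""
    if "starttls" not in before_tls:
        return "server does not offer STARTTLS"
    mechs = auth_mechanisms(after_tls)
    if "EXTERNAL" in mechs:
        return "EXTERNAL offered: client certificate yielded an authid"
    if mechs:
        return ("EXTERNAL not offered after TLS (only %s): client certificate "
                "missing or not mapped to an authid" % " ".join(sorted(mechs)))
    return "no AUTH mechanisms offered after TLS"


def check_external(host, port=24, certfile=None, keyfile=None, cafile=None,
                   lhlo="mail.example.org"):
    """Run the live exchange against an LMTP-over-TCP listener.
    cafile is the CA that signed the server certificate; certfile/keyfile are
    the client certificate lmtpd should turn into an authid."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    conn = smtplib.LMTP(host, port)       # smtplib.LMTP sends LHLO, not EHLO
    try:
        conn.ehlo(lhlo)
        before = dict(conn.esmtp_features)
        conn.starttls(context=ctx)        # TLS handshake presents the client cert
        conn.ehlo(lhlo)                   # second LHLO is required after STARTTLS
        after = dict(conn.esmtp_features)
    finally:
        conn.quit()
    return diagnose(before, after)
```

Run `check_external("vicar", 24, "client.pem", "client.key", "ca.pem", "mail.dcs.qmul.ac.uk")` against your own server; the result string tells you whether the certificate was accepted as an authid.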
