LMTP STARTTLS and certificates
Matt Bernstein
mb/cyrus at dcs.qmul.ac.uk
Tue Sep 10 08:50:54 EDT 2002
On Aug 17 Matt Bernstein wrote:
>On Aug 16 Ken Murchison wrote:
>>> My MTA supports STARTTLS and can offer a client cert if requested. Would
>>> it have to issue an "AUTH EXTERNAL" on top of that? I see that lmtpd can
>>
>>Yes. STARTTLS itself doesn't actually authenticate the client. The
>>credentials are passed to the server, so that it knows it can offer
>>EXTERNAL, but the client still needs to authenticate. It can choose to
>>use EXTERNAL, which uses the info in the cert, or it could use any other
>>mechanism that is offered.
>
>OK, I'll investigate the feasibility of this--but you see that without it
>one can instead require a certificate, hence my dumb question below!
[ three weeks pass.. (sorry!) ]
I've now managed to get STARTTLS over LMTP over TCP to work.. but, when I
switch off "-a" for lmtpd in cyrus.conf, AUTH EXTERNAL disappears
altogether. Here's the LMTP conversation (it says "SMTP" because it's the
Exim smtp transport.. it is doing valid LMTP now I've patched it :)
SMTP<< 220 vicar LMTP Cyrus v2.1.9 ready
SMTP>> LHLO mail.dcs.qmul.ac.uk
SMTP<< 250-vicar
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250 IGNOREQUOTA
SMTP>> STARTTLS
SMTP<< 220 Begin TLS negotiation now
SMTP>> LHLO mail.dcs.qmul.ac.uk
SMTP<< 250-vicar
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250-AUTH LOGIN PLAIN
250 IGNOREQUOTA
SMTP>> QUIT
LOG: MAIN
== mb at vicar2 R=vicar2 T=cyrus_lmtp_tls defer (-42): authentication required but no common mechanisms were found
So.. Exim is ready to send AUTH EXTERNAL, but it's no longer offered :-/
Matt
PS does anyone have a tool like "openssl s_client" useful for testing such
sessions where TLS negotiation happens after connect, rather than on
connect?
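The check Exim makes after the second LHLO, as an added example (not code from the post, from Exim or from Cyrus): parse the post-STARTTLS capability list and see whether any mechanism the client is willing to use is actually offered, so the "no common mechanisms" defer can be reproduced offline from the transcript. probe() uses Python's smtplib.LMTP, which sends LHLO rather than EHLO and can do STARTTLS with a client certificate; its host, port and certificate paths are placeholders supplied by the caller.

```python
"""Check which SASL mechanisms an LMTP server advertises after STARTTLS."""
import smtplib
import ssl

# Constructed sample: the post-STARTTLS LHLO reply from the transcript, as raw wire lines.
SAMPLE_LHLO = [
    "250-vicar", "250-8BITMIME", "250-ENHANCEDSTATUSCODES", "250-PIPELINING",
    "250-SIZE", "250-STARTTLS", "250-AUTH LOGIN PLAIN", "250 IGNOREQUOTA",
]

def parse_lhlo(lines):
    """Map each advertised keyword to its parameter string ('' if none).

    Accepts both '250-' continuation lines and the final '250 ' line.
    """
    caps = {}
    for line in lines[1:]:          # first reply line is the server's own name
        body = line[4:].strip()     # drop the '250-' / '250 ' prefix
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps

def server_mechanisms(caps):
    """SASL mechanisms listed under AUTH, as an upper-case set (empty if no AUTH)."""
    return set(caps.get("AUTH", "").upper().split())

def common_mechanisms(caps, client_mechs):
    """Mechanisms both sides support; an empty set is Exim's 'no common mechanisms' defer."""
    return server_mechanisms(caps) & {m.upper() for m in client_mechs}

def probe(host, port, certfile, keyfile):
    """LHLO, STARTTLS presenting a client cert, LHLO again; return post-TLS capabilities.

    host/port/certfile/keyfile are placeholders the caller fills in.
    """
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile, keyfile)   # client certificate offered if the server asks
    with smtplib.LMTP(host, port) as lmtp:   # LMTP.ehlo() sends LHLO, not EHLO
        lmtp.ehlo()
        lmtp.starttls(context=ctx)           # smtplib discards the pre-TLS feature list here
        lmtp.ehlo()                          # re-advertised capabilities after TLS
        return {k.upper(): v for k, v in lmtp.esmtp_features.items()}
```

Run against the transcript, common_mechanisms(parse_lhlo(SAMPLE_LHLO), ["EXTERNAL"]) is empty, which is exactly the defer Exim logged.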