
I have successfully set up an email server with Postfix and Dovecot. I have also successfully integrated Dovecot authentication with Microsoft AD. That is, Dovecot queries AD when a user creates or logs in to an email account in the Mail User Agent (in this case I am using Thunderbird). My DNS servers (both public and private) are also doing their job and my domain MX record is working as expected.

However, now I want to implement SmartCard authentication for users. This is how I had it originally, because the user objects in AD had the "Smart Card is required for logon" box checked. This option also resets the password to a long complicated string. I set up Dovecot to require a certificate from the client as well (should I do this?). And of course, I am running ADCS and all my users have their respective certificates published and on their SmartCards, which they use to log in to Windows workstations, among other things.

But when I open Thunderbird and attempt to log in or create an account, I don't get prompted to use a certificate. It just lets me enter a password. I checked the logs with

tail -n 20 -f /var/log/maillog

and I see that, as expected, Dovecot denies the authentication because the client did not send a certificate. But how am I supposed to send my certificate if Thunderbird does not seem to give me the option?

Does anyone know of an MUA that supports SmartCard authentication over IMAP and that can be used in production?

Thanks, Juan

1 Answer


how am I supposed to send my certificate if Thunderbird does not seem to give me the option?

On Windows, Thunderbird needs to have security.osclientcerts.autoload enabled for it to load client certificates from Windows CAPI. (Thunderbird does not use Windows SChannel for TLS – it uses Mozilla NSS – therefore this is not automatic.)

On other platforms, Thunderbird needs to have a PKCS#11 module for your smartcard type loaded through the "Settings > Security Devices" dialog. Possibly p11-kit-proxy.so to make use of the system-wide p11-kit PKCS#11 multiplexer, if that is already configured to load the correct PKCS#11 module itself.

Make sure your client certificates were issued with the TLS Client extendedKeyUsage. Some AD CS smartcard auth templates might not necessarily have that usage if they were meant solely for Kerberos authentication.


With Windows AD desktops as clients, it might make more sense for you to implement Kerberos authentication in Dovecot – that is, SASL GSSAPI – as then Thunderbird could use the same Kerberos credentials for IMAP and SMTP as Windows already does for other things. (This also applies to Linux clients, if you managed to get smartcard-based Kerberos auth to work on Linux.)

  • Hello, your comment helped but it is not working at all. I set security.osclientcerts.autoload to true in Thunderbird, and what happened is that when I create an account I get the prompt to choose my certificate. Then, when the IMAP and SMTP servers are found, I get prompted for a password. I check the logs and I see: ... client didn't send a certificate. Does this mean that I should set auth_ssl_require_client_cert = yes to no? Commented Oct 6 at 5:41
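The answer's advice to check the certificate's extendedKeyUsage, and the comment's "client didn't send a certificate" log line, can both be checked from the command line before touching Thunderbird or Dovecot. The script below is an added example and is not code from the question, the answer, or the Dovecot or Thunderbird projects. It assumes OpenSSL 1.1.1 or later is installed; the certificates it generates are constructed throwaway test data, with `kerberos-only` standing in for an AD CS smartcard template that carries only the Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2) and no TLS client usage.

```shell
#!/bin/sh
# Added example: verify that a client certificate is usable for TLS client
# authentication, and probe an IMAPS server with it as a MUA would.

# has_client_auth_eku CERT.pem
# Exit 0 if the certificate's X509v3 Extended Key Usage includes
# "TLS Web Client Authentication" (id-kp-clientAuth), 1 otherwise.
# Certificates issued from a Kerberos-only smartcard template fail this.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# imaps_client_cert_probe HOST PORT CERT.pem KEY.pem
# Opens a TLS connection presenting the given client certificate and prints
# the first lines the server sends back. A Dovecot greeting ("* OK ...")
# means the server accepted the certificate; a TLS alert or an immediate
# close means the server-side verification (ssl_verify_client_cert,
# auth_ssl_require_client_cert) rejected it. If this succeeds while the
# MUA is still refused, the problem is on the client side.
# For a real smartcard the key never leaves the card; you would use
# OpenSSL's pkcs11 engine instead of -key (assumed, not shown here).
imaps_client_cert_probe() {
    host=$1; port=${2:-993}; cert=$3; key=$4
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert "$cert" -key "$key" -quiet </dev/null 2>&1 | head -n 5
}

# make_test_cert OUTDIR NAME EKU-LIST
# Generates a self-signed certificate with the requested extendedKeyUsage.
# Constructed test data only; it stands in for the AD CS-issued certificate.
make_test_cert() {
    dir=$1; name=$2; eku=$3
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $name
[ext]
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
}

# demo: build one certificate that includes clientAuth and one that carries
# only the Microsoft Smart Card Logon OID, then report which one Thunderbird
# could present to Dovecot.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp" smartcard-user "clientAuth, 1.3.6.1.4.1.311.20.2.2"
    make_test_cert "$tmp" kerberos-only "1.3.6.1.4.1.311.20.2.2"
    for name in smartcard-user kerberos-only; do
        if has_client_auth_eku "$tmp/$name.pem"; then
            echo "$name: has TLS client EKU, usable for IMAPS client auth"
        else
            echo "$name: no TLS client EKU, MUA will not offer it"
        fi
    done
    rm -rf "$tmp"
}

# Run with --demo to exercise the EKU check; call imaps_client_cert_probe
# by hand against your own server, e.g.:
#   imaps_client_cert_probe mail.example.test 993 user.pem user.key
if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run `has_client_auth_eku` against the certificate exported from a user's card: if it fails, the AD CS template needs the Client Authentication purpose added and the certificates re-issued, which is the case the answer warns about. If it passes but the probe is also accepted by the server, the remaining gap is between Thunderbird and the PKCS#11 module or CAPI store.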
