I'm running an IMAPS service and users are authenticated with an X.509 certificate. It works fine using Thunderbird. But how can I connect to the IMAPS service manually using openssl? I use the same certificate with openssl s_client as in Thunderbird, but I'm not authenticated.

$ openssl s_client -connect $myimapsserver:993 -key my.key -cert my.crt -quiet 
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = $myimapsserver
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION AUTH=EXTERNAL ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2019 Double Precision, Inc.  See COPYING for distribution information.
Micha
  • Does your cert need any intermediate cert(s), commonly called 'chain' cert(s), to be validated? If it's from a public CA like Digicert it always does; if it's from a smaller-scope CA like your corporation's headquarters or a city government, it usually does but maybe not. – dave_thompson_085 Oct 27 '21 at 01:03
  • I don't need any intermediate cert and the X.509 is validated, but my courier-imap does not authenticate me if I try to use openssl, while the user is authenticated using Thunderbird with the same cert. I guess I have to set a command or an openssl s_client option to authenticate with the X.509 against the imapd. – Micha Oct 27 '21 at 08:42

1 Answer

Authentication is possible with the following IMAP command:

1 AUTHENTICATE EXTERNAL bWljaGE=

And then the IMAP server responded with:

1 OK LOGIN Ok.

The parameter is the base64-encoded username, which also has to be in the client X.509 certificate that is used.

Micha
  • It was found via https://bugzilla.mozilla.org/show_bug.cgi?id=286581 – Micha Oct 27 '21 at 09:25
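The procedure from the answer as a script, added here as an example that is not part of the original post: it builds the `AUTHENTICATE EXTERNAL` command from a username and sends it over the `openssl s_client` session opened with the client certificate. The function names, the script name and the host `imap.example.org` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Host, user and file names are placeholders.

# Base64-encode the username exactly as typed. printf '%s' adds no trailing
# newline; `echo micha | base64` would encode "micha\n" and yield a different value.
b64_user() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The tagged command from the answer: SASL EXTERNAL with the username as argument.
imap_external_cmd() {
    printf '1 AUTHENTICATE EXTERNAL %s' "$(b64_user "$1")"
}

# Decode the argument of a captured command to see which username it asserts.
imap_external_user() {
    printf '%s' "$1" | base64 -d
}

# Open the TLS session with the client certificate and send the command.
# -quiet implies -ign_eof, so s_client stays connected after stdin ends and
# exits when the server closes the connection following LOGOUT.
imap_external_session() {   # args: host user keyfile certfile
    { imap_external_cmd "$2"; printf '\r\n2 LOGOUT\r\n'; } |
        openssl s_client -connect "$1:993" -key "$3" -cert "$4" -quiet
}

# Run only when called with four arguments, e.g.:
#   sh imap-external.sh imap.example.org micha my.key my.crt
if [ "$#" -eq 4 ]; then
    imap_external_session "$@"
fi
```

To see which names the client certificate carries, `openssl x509 -in my.crt -noout -subject` prints its subject.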