Open Bug 351638 Opened 19 years ago Updated 2 months ago

SMTP Authentication with client certificate (SMTP/TLS)

Categories

(MailNews Core :: Networking: SMTP, enhancement)

enhancement

Tracking

(Not tracked)

REOPENED

People

(Reporter: matthias, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.3 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527

Thunderbird does not support client certificates to authenticate to an SMTP server over SMTP/TLS. SMTP AUTH still requires using and handling usernames/passwords. For sites that deploy a user PKI, this results in a double effort (manage certificates *and* passwords).

Reproducible: Always

Steps to Reproduce:
Suggested mode of operation:
1. Account settings / Outgoing Server (SMTP)
2. Select server and Edit
3. Security and Authentication
3a. Enter a username/password (and optionally select TLS or SSL)
3b. Select one of the existing user certificates for authentication
(3b obviously being the enhancement)

This feature is different from S/MIME encryption - it only encrypts the transport. However, this is beneficial in corporate environments, where sending encrypted messages has a number of limitations:
* Server-side virus scanning is not possible if the server does not have access to the private keys of the recipients (which it should not, for obvious reasons).
* E-Mail archiving, often required for regulatory reasons, requires either a plain-text copy of the message or a copy of the private key.
* Storing messages encrypted with a user's private keys can be a risk to an organisation, eg if the private key is lost.

Therefore the use of SMTP/TLS with client certificates is an important issue, especially in corporate environments.
SMTP is a core issue. There are some bug reports regarding SMTP with TLS, if you haven't seen them yet: bug 237551, bug 311657, bug 347995.
Component: Preferences → Networking: SMTP
Product: Thunderbird → Core
Version: unspecified → Trunk
cc'ing Nelson - I don't know how the TLS code picks which cert to use - I believe it happens at a layer below mailnews.
David, I think the user wants a setup where the server relies ONLY on certificate auth, and does not use name/password AT ALL. I think the complaint is that TBird always wants to use name/password, even when a certificate is configured. Are you suggesting that this behavior is a consequence of failure to find a client auth cert to use?

Matthias, can you use ssltap to capture a connection between client and server? Please use options -s and -x (among others such as -l or -p <port>).
You have to configure TB especially to use a username + password with an smtp server - if you don't configure the smtp server in TB as a server requiring a username and password, we won't try to send one. It sounded to me like the reporter wanted a way to configure TB to use a particular cert for the SSL connection, and somehow the server would recognize that cert as belonging to a particular user, and in essence do the equivalent of an imap pre-auth...but I could be off-base here...
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #3)
> David, I think the user wants a setup where the server relies ONLY on
> certificate auth, and does not use name/password AT ALL.

Right.

> I think the complaint is that TBird always wants to use name/password,
> even when a certificate is configured.

Thunderbird doesn't let me specify a *client cert* to use when talking to the SMTP server (or, at least, not that I would know of).

> Are you suggesting that this behavior is a consequence of failure to
> find a client auth cert to use?

Does it use one at all? As far as I see, client certs are only used for crypto on the message layer (ie S/MIME), but not on the transport layer. I would like a behaviour as it is shown with client certs when used over HTTPS (see eg http://www.cacert.org/help.php?id=9).

> Can you use ssltap to capture a connection between client and server?
> Please use options -s and -x (among others such as -l or -p <port> )

I'll add it as an attachment to the bug. Both server and ssltap work on localhost, both ssltap and the mailserver on their standard ports (1924 and 25).

NB: Of course, it would be nice to have client cert authentication for IMAP etc as well, but having it for SMTP would be a first step.
Extract from the mailserver's log file for the session:

smtpd[5020]: setting up TLS connection from localhost[127.0.0.1]
smtpd[5020]: TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
smtpd[5020]: 3CC072346: client=localhost[127.0.0.1]

By contrast a session between two mailservers using client and server certs:

smtpd[15897]: connect from foo.example.com[1.2.3.4]
smtpd[15897]: setting up TLS connection from foo.example.com[1.2.3.4]
smtpd[15897]: fingerprint=67:D3:AF:2E:5D:15:D7:9A:5B:06:E0:2D:F8:12:68:39
smtpd[15897]: Verified: subject_CN=foo.example.com, issuer=Example CA
smtpd[15897]: TLS connection established from foo.example.com[1.2.3.4]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
smtpd[15897]: 8DE8F1635C: client=foo.example.com[1.2.3.4]
In the ssltap output attached above, the server never requested client auth. The client didn't perform client auth because the server didn't request it. That's how the SSL/TLS protocol requires it to work. The client must not attempt client auth unless the server requests it.
Assignee: mscott → nobody
QA Contact: preferences
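The two log extracts above differ only in the "fingerprint=" and "Verified:" lines that the server writes when it has requested and checked a client certificate. The following added example (not code from the bug or from Thunderbird) parses smtpd lines of that shape, groups them per smtpd process, and reports which TLS sessions were established without a verified client certificate, which is the condition Nelson diagnosed from the ssltap capture. The sample lines are constructed from the ones quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the smtpd lines quoted in this bug.
SAMPLE_LOG = """\
smtpd[5020]: setting up TLS connection from localhost[127.0.0.1]
smtpd[5020]: TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
smtpd[5020]: 3CC072346: client=localhost[127.0.0.1]
smtpd[15897]: connect from foo.example.com[1.2.3.4]
smtpd[15897]: setting up TLS connection from foo.example.com[1.2.3.4]
smtpd[15897]: fingerprint=67:D3:AF:2E:5D:15:D7:9A:5B:06:E0:2D:F8:12:68:39
smtpd[15897]: Verified: subject_CN=foo.example.com, issuer=Example CA
smtpd[15897]: TLS connection established from foo.example.com[1.2.3.4]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
smtpd[15897]: 8DE8F1635C: client=foo.example.com[1.2.3.4]
"""

LINE_RE = re.compile(r"^smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(
    r"TLS connection established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
VERIFIED_RE = re.compile(r"Verified: subject_CN=(?P<cn>[^,]+), issuer=(?P<issuer>.+)$")
FINGERPRINT_RE = re.compile(r"fingerprint=(?P<fp>[0-9A-F:]+)")


def summarize_tls_sessions(log_text):
    """Group smtpd lines by process id; record per session whether a client cert was verified."""
    sessions = defaultdict(lambda: {"peer": None, "protocol": None, "cipher": None,
                                    "fingerprint": None, "client_cn": None, "issuer": None,
                                    "client_cert_verified": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line; ignore
        s, msg = sessions[m.group("pid")], m.group("msg")
        if (e := ESTABLISHED_RE.search(msg)):
            s["peer"], s["protocol"], s["cipher"] = e.group("peer"), e.group("proto"), e.group("cipher")
        elif (v := VERIFIED_RE.search(msg)):
            # Only a "Verified:" line proves the server requested and validated a client cert.
            s["client_cn"], s["issuer"], s["client_cert_verified"] = v.group("cn"), v.group("issuer"), True
        elif (f := FINGERPRINT_RE.search(msg)):
            s["fingerprint"] = f.group("fp")
    return dict(sessions)


def sessions_without_client_cert(log_text):
    """Pids of TLS sessions that were established but carried no verified client certificate."""
    return sorted(pid for pid, s in summarize_tls_sessions(log_text).items()
                  if s["protocol"] and not s["client_cert_verified"])
```

Run against a real smtpd log, a non-empty result for a submission port that is supposed to enforce client certificates points at the server never sending a CertificateRequest, exactly the situation in this bug, rather than at any client-side setting.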
I agree with comment 0, that TBird should allow the user to configure which certificate he wants to use to perform SSL client authentication with the server, when the server requests it. But in this bug, the problem was that the server was not requesting that the client perform SSL client authentication with a certificate. No amount of client configuration would be capable of changing that. So, THIS bug report is invalid, but the issue is generally valid.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Wait, this was an RFE. My bad.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Product: Core → MailNews Core
QA Contact: networking.smtp
It seems like this just died on the vine. How is it that 'TLS Certificate' is a choice for use with IMAP (Tools > Account Settings > [account] > Server Settings > Security Settings > Authentication Method (pull-down menu) > TLS Certificate). Now, assuming that this UI was added to support 'client certificate' authentication messages...why is this option here, but still missing from the Outgoing Server (SMTP) config UI? Considering that it is now 2012, I'm a bit baffled why TB v11 still does not have this UI selection available for SMTP submission?
Another interested party - this is a feature Apple Mail and Microsoft Outlook have, but it is still missing from Thunderbird.

Please add support for client certificate authentication for SMTP.

Two-factor authentication is becoming a norm, but for SMTP only authentication by username/password is available.

I would like to use certificate + username/password as a two-factor authentication for SMTP.

Severity: normal → S3

I find that client certificates work with SMTP (OpenSMTPD) for sending on Ubuntu Linux in Thunderbird 128.10.2esr (64-bit) and Firefox 128.10.2esr (64-bit).
Client certificates for Thunderbird using IMAP are broken for me; I presume that is a separate bug.
