Hi,

after I found out how to debug my login issues and fixed the small oversight in couriertls (https://github.com/svarshavchik/courier-libs/commit/80a7d970578c67841992bd3ba609e833767be573) that Sam already merged, I found another issue with K9Mail (an Android mail client).

K9Mail allows using a client certificate while connecting to the IMAP server, but it requires you to input a username nonetheless. What it apparently does is send that username as an initial response (see https://tools.ietf.org/html/rfc4422#appendix-A) with the AUTHENTICATE EXTERNAL directive. If there is a non-empty initial response, courier/imaplogin checks this response against the client-certificate subject (as specified by TLS_EXTERNAL in the courier-imap config). So far so good. But the problem is, K9Mail sends that initial response base64 encoded.

I checked that when I rip the base64-decode code from libs/rfc2045/rfc2045cdecode.c and use it in libs/imap/authenticate_auth.c to decode the initial response before calling auth_sasl_ex, and the username in K9Mail is set correctly, authentication is successful with AUTHENTICATE EXTERNAL and using a client certificate.

My question though: can anyone figure out from RFC 4422 and the IMAP protocol specification if encoding it base64 is correct? Since the SASL protocol is embedded in the IMAP protocol, I guess it is possible that it is a requirement from the IMAP protocol, but I haven't studied the IMAP RFC that deeply and would rather not have to dig into it.

If base64 encoding the AUTHENTICATE EXTERNAL initial response is indeed correct, I will gladly provide a small patch to fix the code :)

Regards,
Flo
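The decoding step described in the message above, as an added example that is not part of the original post and not Courier's code: strictly decode a base64 initial response and compare it with the identity taken from the client certificate. The function names, the 256-byte buffer and the sample usernames are hypothetical; treating a single `=` as an empty initial response follows RFC 4959 (IMAP SASL-IR).

```c
#include <stddef.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if not in the alphabet. */
static int b64_val(char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Strict decode: length must be a multiple of 4, padding only at the end.
   Returns the decoded length, or -1 on malformed input or short buffer. */
static long b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = strlen(in), i, o = 0;
    if (n % 4) return -1;
    for (i = 0; i < n; i += 4) {
        int v[4], pad = 0, k;
        for (k = 0; k < 4; k++) {
            if (in[i + k] == '=' && i + 4 == n && k >= 2) { v[k] = 0; pad++; }
            else if (pad || (v[k] = b64_val(in[i + k])) < 0) return -1;
        }
        if (o + 3 - pad > outsz) return -1;
        out[o++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
        if (pad < 2) out[o++] = (unsigned char)((v[1] & 15) << 4 | v[2] >> 2);
        if (pad < 1) out[o++] = (unsigned char)((v[2] & 3) << 6 | v[3]);
    }
    return (long)o;
}

/* Hypothetical check: 1 = accept, 0 = identity mismatch, -1 = malformed.
   cert_subject is the identity already extracted from the client cert. */
int external_response_ok(const char *resp, const char *cert_subject)
{
    unsigned char buf[256];
    long len;
    if (strcmp(resp, "=") == 0) return 1;      /* empty response: cert identity is used */
    len = b64_decode(resp, buf, sizeof buf - 1);
    if (len <= 0) return -1;                   /* not valid base64 */
    if (memchr(buf, 0, (size_t)len)) return -1; /* embedded NUL would truncate the compare */
    buf[len] = 0;
    return strcmp((char *)buf, cert_subject) == 0;
}
```

Rejecting malformed input instead of falling back to the raw string keeps a client-supplied value from being compared against the certificate subject in two different encodings.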
