Dovecot Certificate Authentication

The Dovecot wiki seems to have an error, or maybe the name of the ssl_username_from_cert setting has changed. On my Ubuntu host with Dovecot 2.2.9, in /etc/dovecot/conf.d/10-auth.conf, I have:

# Take the username from client's SSL certificate, using 
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName. 
#auth_ssl_username_from_cert = no

So it seems that you need to replace ssl_username_from_cert by auth_ssl_username_from_cert, and the wiki needs to be corrected.


I had exactly the same problem.

I managed to get this working after reading through the specifications and examining rawlog output.

You need to enable the external authentication method by listing it in the value of the auth_mechanisms variable.

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
C: 1 STARTTLS
S: 1 OK Begin TLS negotiation now.
C: 2 capability
S: CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=EXTERNAL
S: 2 OK Pre-login capabilities listed, post-login capabilities have more.

If Dovecot does not respond with an AUTH=EXTERNAL capability (either inside the greeting when over the IMAPS port, or after a CAPABILITY request from the client as shown above), Thunderbird will shut down the connection and give you an error message that the server does not support logging in with a certificate.

Otherwise, it proceeds with the authentication.

C: 3 authenticate EXTERNAL bm9ib2R5QGV4YW1wbGUuY29t

Also, be sure to include the username in the user database.
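To make the capability check and the EXTERNAL exchange above concrete, here is an added Python example (not from the answer author or the Dovecot project): it parses both capability forms the answer mentions, encodes the SASL-IR identity shown in the transcript, and, in a hypothetical helper, performs the STARTTLS plus AUTHENTICATE EXTERNAL sequence with imaplib. The host, certificate and key paths, and username are placeholders.

```python
"""Check an IMAP server for SASL EXTERNAL and authenticate with a client certificate."""
import base64
import imaplib
import re
import ssl

# Sample server lines, constructed to mirror the rawlog exchange in the answer above.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
            "IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
POST_TLS_CAPS = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                 "IDLE AUTH=PLAIN AUTH=EXTERNAL")


def parse_capabilities(line: str) -> set:
    """Return capability atoms from a greeting ('* OK [CAPABILITY ...]') or an
    untagged response ('* CAPABILITY ...'); empty set if the line is neither."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)$", line)
    return set(m.group(1).split()) if m else set()


def supports_external(line: str) -> bool:
    """True when the server advertises the EXTERNAL mechanism on this line."""
    return "AUTH=EXTERNAL" in parse_capabilities(line)


def external_initial_response(username: str) -> str:
    """SASL-IR form of the authorization identity sent after 'AUTHENTICATE EXTERNAL'."""
    return base64.b64encode(username.encode()).decode()


def decode_initial_response(b64: str) -> str:
    """Recover the identity from a captured initial response (e.g. from rawlog)."""
    return base64.b64decode(b64).decode()


def login_with_cert(host, certfile, keyfile, username, port=143):
    """Hypothetical helper: STARTTLS with a client cert, verify AUTH=EXTERNAL,
    then authenticate. Raises if the mechanism is not advertised, which usually
    means EXTERNAL is missing from auth_mechanisms."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ctx.load_cert_chain(certfile, keyfile)      # presents our client certificate
    imap = imaplib.IMAP4(host, port)
    imap.starttls(ctx)
    _typ, data = imap.capability()              # post-TLS capabilities, as in the rawlog
    if "AUTH=EXTERNAL" not in set(data[0].decode().split()):
        raise RuntimeError("server does not advertise AUTH=EXTERNAL; check auth_mechanisms")
    # imaplib base64-encodes the authobject's return value before sending it.
    imap.authenticate("EXTERNAL", lambda _challenge: username.encode())
    return imap
```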