thr3ads.net - dovecot - how to enable PowerDNS/Weakforced with Fedora and sendmail [Mar 2019]

If this information is useful, please help other people find it:
Share via:

Robert Kudyba

2019-Mar-06 16:25 UTC

how to enable PowerDNS/Weakforced with Fedora and sendmail

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.

I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy

I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string

But when I search for these directives, they're not found:
grep auth_policy_server_url /etc/dovecot/conf.d/*

Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does
anyone know if a good tutorial?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190306/fbadc684/attachment.html>

Aki Tuomi

2019-Mar-06 16:54 UTC

head link

how to enable PowerDNS/Weakforced with Fedora and sendmail

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 6 March 2019 18:25 Robert Kudyba via dovecot <dovecot@dovecot.org>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div dir="ltr">
    <div dir="ltr">
     <div dir="ltr">
      <div dir="ltr">
       <div dir="ltr">
        <div dir="ltr">
         <div dir="ltr">
          <div dir="ltr">
           We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd
like to test wforce, from
           <a
href="https://github.com/PowerDNS/weakforced">https://github.com/PowerDNS/weakforced</a>.
           <br>
          </div>
          <div dir="ltr">
           <br>
          </div>
          <div>
           I see instructions at the Authentication policy support page, 
           <a
href="https://wiki2.dovecot.org/Authentication/Policy">https://wiki2.dovecot.org/Authentication/Policy</a>
          </div>
          <div>
           <br>
          </div>
          <div>
           <div>
            I see the Required Minimum Configuration:
           </div>
           <div>
            auth_policy_server_url = 
            <a
href="http://example.com:4001/">http://example.com:4001/</a>
           </div>
           <div>
            auth_policy_hash_nonce = localized_random_string
           </div>
          </div>
          <div>
           <br>
          </div>
          <div>
           But when I search for these directives, they're not found:
          </div>
          <div>
           grep auth_policy_server_url /etc/dovecot/conf.d/*
           <br>
          </div>
          <div>
           <br>
          </div>
          <div>
           Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file?
Does anyone know if a good tutorial?
          </div>
         </div>
        </div>
       </div>
      </div>
     </div>
    </div>
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div>
   You can add them there if you want, dovecot combines all the files into one
in the end.
  </div>
  <div class="io-ox-signature">
   <pre>---
Aki Tuomi</pre>
  </div> 
 </body>
</html>

Robert Kudyba

2019-Mar-06 18:42 UTC

head link

how to enable PowerDNS/Weakforced with Fedora and sendmail

I took suggestions from https://forge.puppet.com/fraenki/wforce to set
these in /etc/dovecot/conf.d/95-auth.conf

auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = our_password
auth_policy_server_api_header = "Authorization: Basic
hash_from_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 8
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes

And auth_debug=yes

in /usr/local/etc/wforce.conf
webserver("0.0.0.0:8084", "our_password")
So when I run:
curl -X POST -H "Content-Type: application/json" --data
'{"login":"ouruser", "remote":
"127.0.0.1", "pwhash":"our_password"}'
http://127.0.0.1:8084/?command=allow -u wforce:our_passwordi
{"msg": "", "r_attrs": {"defaultReturn":
"1"}, "status": 0}

What's the value of wforce and super represent? -u for user? and super is
the password for the user?

curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:super

I always get:
{"status":"failure",
"reason":"Unauthorized"}

Using Squirrelmail and logging in brings up the mails but I see these
Policy server HTTP error: 401 Unauthorized errors over and over:

Mar 06 13:32:16 auth: Debug: http-client: peer 127.0.0.1:8084: Successfully
connected (1 connections exist, 0 pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1
idle connections to handle 1 requests (1 total connections ready)
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Connection to peer 127.0.0.1:8084 claimed request [Req1: POST
http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]:
Claimed request [Req1: POST http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST
http://localhost:8084/?command=allow]: Sent header
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST
http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST
http://localhost:8084/?command=allow]: Finished sending payload
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more
requests to service for this peer (1 connections exist, 0 pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got
401 response for request [Req1: POST http://localhost:8084/?command=allow]
(took 1 ms + 3 ms in queue)
Mar 06 13:32:16 auth: Error:
policy(our_user,127.0.0.1,<7CmLNXGDisV/AAAB>):
Policy server HTTP error: 401 Unauthorized
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]:
Response payload stream destroyed (0 ms after initial response)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST
http://localhost:8084/?command=allow]: Finished
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Dropping request [Req1: POST http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST
http://localhost:8084/?command=allow]: Free (requests left=1)
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No
requests to service for this peer (1 connections exist, 0 pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: No
more requests queued; going idle (timeout = 10000 msecs)
Mar 06 13:32:16 auth-worker(18997): Debug: Loading modules from directory:
/usr/lib64/dovecot/auth
Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded:
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Mar 06 13:32:16 auth-worker(18997): Debug: pam( our_user
,127.0.0.1,<7CmLNXGDisV/AAAB>): lookup service=dovecot
Mar 06 13:32:16 auth-worker(18997): Debug: pam( our_user
,127.0.0.1,<7CmLNXGDisV/AAAB>): #1/1 style=1 msg=Password:
Mar 06 13:32:16 auth: Debug: policy( our_user
,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy request
http://localhost:8084/?command=allow
Mar 06 13:32:16 auth: Debug: policy( our_user
,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy server request JSON:
{"device_id":"","login":"our_user","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Set request timeout to 2019-03-06 13:32:18.444 (now: 2019-03-06
13:32:16.444)
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Using existing connection to 127.0.0.1:8084 (1 requests pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Submitted (requests left=1)
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1
idle connections to handle 1 requests (1 total connections ready)
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Connection to peer 127.0.0.1:8084 claimed request [Req2: POST
http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]:
Claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Sent header
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Finished sending payload
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more
requests to service for this peer (1 connections exist, 0 pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got
401 response for request [Req2: POST http://localhost:8084/?command=allow]
(took 0 ms + 0 ms in queue)



On Wed, Mar 6, 2019 at 11:54 AM Aki Tuomi <aki.tuomi at open-xchange.com>
wrote:
>
> On 6 March 2019 18:25 Robert Kudyba via dovecot <dovecot at
dovecot.org>
> wrote:
>
>
> We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
> test wforce, from https://github.com/PowerDNS/weakforced
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=ad_d6ykCRpPOr4ehYd6VB7xXoluB7mfL-zP1nLP1zYM&e=>.
>
>
> I see instructions at the Authentication policy support page,
> https://wiki2.dovecot.org/Authentication/Policy
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki2.dovecot.org_Authentication_Policy&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=oUIaxcC0ZNouGhsggz0iRH5_TgJnMThAWf0hdo61_DE&e=>
>
> I see the Required Minimum Configuration:
> auth_policy_server_url = http://example.com:4001/
>
<https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com-3A4001_&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=lj8gokzfoeFyaB5N_6VhObmjQ3VNkyPEyQLhuMxK_fk&e=>
> auth_policy_hash_nonce = localized_random_string
>
> But when I search for these directives, they're not found:
> grep auth_policy_server_url /etc/dovecot/conf.d/*
>
> Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does
> anyone know if a good tutorial?
>
>
> You can add them there if you want, dovecot combines all the files into
> one in the end.
>
> ---
> Aki Tuomi
>
>-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190306/3eed3fcb/attachment-0001.html>

Seemingly Similar Threads

Search for more seemingly similar threads

dovecot - Mar 2019 - how to enable PowerDNS/Weakforced with Fedora and sendmail

how to enable PowerDNS/Weakforced with Fedora and sendmail

how to enable PowerDNS/Weakforced with Fedora and sendmail

how to enable PowerDNS/Weakforced with Fedora and sendmail

Seemingly Similar Threads