Hi,

I've just started trying allow_nets on one of my servers. I have auth_debug and auth_verbose both enabled and the output is as follows:

Oct 28 13:05:48 mink dovecot: auth-worker(default): auth(user at domain.net,x.x.x.x): allow_nets: Matching for network 127.0.0.1/8
Oct 28 13:05:48 mink dovecot: auth-worker(default): auth(user at domain.net,x.x.x.x): allow_nets: Matching for network 10.0.7.176/28
Oct 28 13:05:48 mink dovecot: auth-worker(default): passdb(user at domain.net,x.x.x.x): allow_nets check failed: IP not in allowed networks
Oct 28 13:05:50 mink dovecot: auth(default): client out: FAIL 1265 user=username at aluminati.net
Oct 28 13:05:50 mink dovecot: auth(default): cache(user at domain.net,x.x.x.x): hit: <hidden> user=user at domain.net
Oct 28 13:05:50 mink dovecot: auth(default): client out: OK 1266 user=user at domain.net

auth_cache_ttl is set to 300. If I set it to 1 then the allow_nets successfully rejects. Once I set it back up to 300 the cache overrides the result from the allow_nets check and lets the account log in even though the allow_nets check fails.

I've tried waiting for longer than the 300 seconds and then logged in again, but I still get the same result as above.

Is there a gotcha that I'm unaware of or have I done something stupid (which seems the most likely :P)?

Thanks
Guy
--
Don't just do something...sit there!
On Tue, 2008-10-28 at 13:55 +0000, Guy wrote:
> auth_cache_ttl is set to 300. If I set it to 1 then the allow_nets
> successfully rejects. Once I set it back up to 300 the cache overrides
> the result from the allow_nets check and lets the account log in even
> though the allow_nets check fails.
>
> I've tried waiting for longer than the 300 seconds and then logged in
> again, but I still get the same result as above.

What Dovecot version? Post your dovecot -n output? Seems to work fine with the almost-v1.1.6 (and I don't remember doing changes related to this for a long time):

client in: AUTH 5 PLAIN service=imap secured lip=127.0.1.1 rip=127.0.1.1 lport=143 rport=49704 resp=AHRzcwBwYXNz
cache(tss,127.0.1.1): hit: {plain}pass allow_nets=127.0.0.1
auth(tss,127.0.1.1): allow_nets: Matching for network 127.0.0.1
passdb(tss,127.0.1.1): allow_nets check failed: IP not in allowed networks
client out: FAIL 5 user=tss
Hi Timo,

2008/10/29 Timo Sirainen <tss at iki.fi>:
>
> What Dovecot version? Post your dovecot -n output? Seems to work fine
> with the almost-v1.1.6 (and I don't remember doing changes related to
> this for a long time):

Sorry, should have included that before. I've just upgraded to 1.1.5, compiled from source with nothing extra added. Although I did just do a make install without doing an uninstall on the old 1.1.2, could that affect it?

root at stoat:/opt/src/dovecot/1.1.5/dovecot-1.1.5# dovecot -n
# 1.1.5: /etc/dovecot/dovecot.conf
protocols: imap imaps pop3 pop3s
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_cert_file: /etc/ssl/certs/imapd.pem
ssl_key_file: /etc/ssl/private/imapd.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_process_per_connection: no
login_processes_count: 10
max_mail_processes: 1024
verbose_proctitle: yes
mail_location: maildir:%h/Maildir/
mail_full_filesystem_access: yes
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_process_size: 128
mail_plugins(default): imap_quota quota
mail_plugins(imap): imap_quota quota
mail_plugins(pop3): quota
mail_log_max_lines_per_sec: 30
imap_client_workarounds: outlook-idle delay-newmail
pop3_uidl_format: %08Xv%08Xu
pop3_client_workarounds: outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: private
  separator: /
  prefix: mail/
  location: maildir:%h/Maildir/
  hidden: yes
  subscriptions: yes
auth default:
  cache_size: 2048
  cache_ttl: 1
  cache_negative_ttl: 1
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@'
  master_user_separator: *
  verbose: yes
  worker_max_count: 5
  passdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot-master.pwd
    master: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
plugin:
  quota: maildir
  quota_rule: *:storage=100M
  quota_rule2: Trash:ignore

In the section of logs that I showed, you could see the client out: FAIL after the allow_nets check, but a cache hit immediately afterwards would allow the account to log in. Even if I set the auth_cache_ttl to 15 seconds it would still fail the allow_nets check and then get a cache hit and be logged in.

If there's any other information I can provide please let me know.

Thanks
Guy
--
Don't just do something...sit there!
This bug is finally fixed: http://hg.dovecot.org/dovecot-1.1/rev/e76f93b48187

On Tue, 2008-10-28 at 13:55 +0000, Guy wrote:
> Hi,
>
> I've just started trying allow_nets on one of my servers. I have
> auth_debug and auth_verbose both enabled and the output is as follows:
> Oct 28 13:05:48 mink dovecot: auth-worker(default):
> auth(user at domain.net,x.x.x.x): allow_nets: Matching for network
> 127.0.0.1/8
> Oct 28 13:05:48 mink dovecot: auth-worker(default):
> auth(user at domain.net,x.x.x.x): allow_nets: Matching for network
> 10.0.7.176/28
> Oct 28 13:05:48 mink dovecot: auth-worker(default):
> passdb(user at domain.net,x.x.x.x): allow_nets check failed: IP not in
> allowed networks
> Oct 28 13:05:50 mink dovecot: auth(default): client out: FAIL 1265
> user=username at aluminati.net
> Oct 28 13:05:50 mink dovecot: auth(default):
> cache(user at domain.net,x.x.x.x): hit: <hidden>
> user=user at domain.net
> Oct 28 13:05:50 mink dovecot: auth(default): client out: OK 1266
> user=user at domain.net
>
> auth_cache_ttl is set to 300. If I set it to 1 then the allow_nets
> successfully rejects. Once I set it back up to 300 the cache overrides
> the result from the allow_nets check and lets the account log in even
> though the allow_nets check fails.
>
> I've tried waiting for longer than the 300 seconds and then logged in
> again, but I still get the same result as above.
>
> Is there a gotcha that I'm unaware of or have I done something stupid
> (which seems the most likely :P)?
>
> Thanks
> Guy
>
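The cache-hit path this thread is about, as an added Python model that is not Dovecot's code: the auth cache is keyed on user and password, so the passdb's allow_nets extra field must be re-applied to the connecting IP on every hit (the flow in Timo's log), and a cache that returns OK on a hit without that re-check produces the bypass Guy saw. Users, passwords and addresses are constructed sample data.

```python
"""Added illustration for this thread, not Dovecot's own code: an auth cache
keyed on user+password that stores the passdb's allow_nets extra field and
re-applies it on every hit (the flow in Timo's log: hit, allow_nets check,
FAIL).  recheck_on_hit=False reproduces the bypass Guy reported: a hit is
returned as OK without the IP ever being compared against allow_nets.
Users, passwords and addresses below are constructed sample data."""
import ipaddress
import time

# Constructed passdb rows: password plus extra fields, as passwd-file or SQL
# would return them.  allow_nets belongs to the result, not to the cache key.
PASSDB = {
    "user@domain.net": {"password": "secret", "allow_nets": "127.0.0.1/8,10.0.7.176/28"},
    "tss": {"password": "pass", "allow_nets": "127.0.0.1"},
}


def allow_nets_ok(allow_nets, remote_ip):
    """True if remote_ip lies inside one of the comma-separated networks."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(net.strip(), strict=False)
               for net in allow_nets.split(","))


class AuthCache:
    def __init__(self, ttl=300, recheck_on_hit=True, now=time.monotonic):
        self.ttl, self.recheck_on_hit, self.now = ttl, recheck_on_hit, now
        self.entries = {}  # (user, password) -> (fields, expiry)

    def lookup(self, user, password):
        hit = self.entries.get((user, password))
        return hit[0] if hit and hit[1] > self.now() else None

    def authenticate(self, user, password, remote_ip):
        """Return "OK" or "FAIL"; the cache is consulted before the passdb."""
        fields = self.lookup(user, password)
        if fields is not None:
            if not self.recheck_on_hit:
                return "OK"  # the bug: cache hit bypasses the allow_nets check
            return "OK" if allow_nets_ok(fields["allow_nets"], remote_ip) else "FAIL"
        row = PASSDB.get(user)
        if row is None or row["password"] != password:
            return "FAIL"
        # The passdb result is cached with its extra fields; the per-connection
        # allow_nets verdict is computed afterwards and is never what gets cached.
        self.entries[(user, password)] = (row, self.now() + self.ttl)
        return "OK" if allow_nets_ok(row["allow_nets"], remote_ip) else "FAIL"
```

With recheck_on_hit=True a second attempt from a disallowed IP still fails on the cache hit; with it False the second attempt succeeds, which is exactly the FAIL-then-OK pair in Guy's log.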