Robert Kudyba
2019-Mar-06 16:25 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I search for these directives, they're not found: grep auth_policy_server_url /etc/dovecot/conf.d/* Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does anyone know if a good tutorial? -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190306/fbadc684/attachment.html>
Aki Tuomi
2019-Mar-06 16:54 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 6 March 2019 18:25 Robert Kudyba via dovecot <dovecot@dovecot.org> wrote: </div> <div> <br> </div> <div> <br> </div> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from <a href="https://github.com/PowerDNS/weakforced">https://github.com/PowerDNS/weakforced</a>. <br> </div> <div dir="ltr"> <br> </div> <div> I see instructions at the Authentication policy support page, <a href="https://wiki2.dovecot.org/Authentication/Policy">https://wiki2.dovecot.org/Authentication/Policy</a> </div> <div> <br> </div> <div> <div> I see the Required Minimum Configuration: </div> <div> auth_policy_server_url = <a href="http://example.com:4001/">http://example.com:4001/</a> </div> <div> auth_policy_hash_nonce = localized_random_string </div> </div> <div> <br> </div> <div> But when I search for these directives, they're not found: </div> <div> grep auth_policy_server_url /etc/dovecot/conf.d/* <br> </div> <div> <br> </div> <div> Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does anyone know if a good tutorial? </div> </div> </div> </div> </div> </div> </div> </div> </blockquote> <div> <br> </div> <div> You can add them there if you want, dovecot combines all the files into one in the end. </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
Robert Kudyba
2019-Mar-06 18:42 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
I took suggestions from https://forge.puppet.com/fraenki/wforce to set these in /etc/dovecot/conf.d/95-auth.conf auth_policy_server_url = http://localhost:8084/ auth_policy_hash_nonce = our_password auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64" auth_policy_server_timeout_msecs = 2000 auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /usr/local/etc/wforce.conf webserver("0.0.0.0:8084", "our_password") So when I run: curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"our_password"}' http://127.0.0.1:8084/?command=allow -u wforce:our_passwordi {"msg": "", "r_attrs": {"defaultReturn": "1"}, "status": 0} What's the value of wforce and super represent? -u for user? and super is the password for the user? curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:super I always get: {"status":"failure", "reason":"Unauthorized"} Using Squirrelmail and logging in brings up the mails but I see these Policy server HTTP error: 401 Unauthorized errors over and over: Mar 06 13:32:16 auth: Debug: http-client: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready) Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req1: POST http://localhost:8084/?command=allow] Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req1: POST http://localhost:8084/?command=allow] Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST http://localhost:8084/?command=allow]: Sent header Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357) Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST http://localhost:8084/?command=allow]: Finished sending payload Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req1: POST http://localhost:8084/?command=allow] (took 1 ms + 3 ms in queue) Mar 06 13:32:16 auth: Error: policy(our_user,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy server HTTP error: 401 Unauthorized Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Response payload stream destroyed (0 ms after initial response) Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST http://localhost:8084/?command=allow]: Finished Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084: Dropping request [Req1: POST http://localhost:8084/?command=allow] Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST http://localhost:8084/?command=allow]: Free (requests left=1) Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No requests to service for this peer (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: No more requests queued; going idle (timeout = 10000 msecs) Mar 06 13:32:16 auth-worker(18997): Debug: Loading modules from directory: /usr/lib64/dovecot/auth Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Mar 06 13:32:16 auth-worker(18997): Debug: pam( our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): lookup service=dovecot Mar 06 13:32:16 auth-worker(18997): Debug: pam( our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): #1/1 style=1 msg=Password: Mar 06 13:32:16 auth: Debug: policy( our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy request http://localhost:8084/?command=allow Mar 06 13:32:16 auth: Debug: policy( our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy server request JSON: {"device_id":"","login":"our_user","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false} Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084: Set request timeout to 2019-03-06 13:32:18.444 (now: 2019-03-06 13:32:16.444) Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084: Using existing connection to 127.0.0.1:8084 (1 requests pending) Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Submitted (requests left=1) Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready) Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req2: POST http://localhost:8084/?command=allow] Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req2: POST http://localhost:8084/?command=allow] Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Sent header Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357) Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Finished sending payload Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST http://localhost:8084/?command=allow] (took 0 ms + 0 ms in queue) On Wed, Mar 6, 2019 at 11:54 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:> > On 6 March 2019 18:25 Robert Kudyba via dovecot <dovecot at dovecot.org> > wrote: > > > We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to > test wforce, from https://github.com/PowerDNS/weakforced > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=ad_d6ykCRpPOr4ehYd6VB7xXoluB7mfL-zP1nLP1zYM&e=>. > > > I see instructions at the Authentication policy support page, > https://wiki2.dovecot.org/Authentication/Policy > <https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki2.dovecot.org_Authentication_Policy&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=oUIaxcC0ZNouGhsggz0iRH5_TgJnMThAWf0hdo61_DE&e=> > > I see the Required Minimum Configuration: > auth_policy_server_url = http://example.com:4001/ > <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com-3A4001_&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=lj8gokzfoeFyaB5N_6VhObmjQ3VNkyPEyQLhuMxK_fk&e=> > auth_policy_hash_nonce = localized_random_string > > But when I search for these directives, they're not found: > grep auth_policy_server_url /etc/dovecot/conf.d/* > > Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does > anyone know if a good tutorial? > > > You can add them there if you want, dovecot combines all the files into > one in the end. > > --- > Aki Tuomi > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190306/3eed3fcb/attachment-0001.html>
Apparently Analagous Threads
- how to enable PowerDNS/Weakforced with Fedora and sendmail
- how to enable PowerDNS/Weakforced with Fedora and sendmail
- how to enable PowerDNS/Weakforced with Fedora and sendmail
- Mail account brute force / harassment
- configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed