Robert Kudyba
2019-Mar-07 14:41 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-text password? What else am I doing wrong?
Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed
curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"hashed-password"}' http://127.0.0.1:8084/?command=allow -u wforce:super
{"status":"failure", "reason":"Unauthorized"}
Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): lookup service=dovecot
Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): #1/1 style=1 msg=Password:
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=allow
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Set request timeout to 2019-03-07 09:32:17.520 (now: 2019-03-07 09:32:15.520)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Using existing connection to 127.0.0.1:8084 (1 requests pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Submitted (requests left=1)
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Sent header
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Finished sending payload
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST http://localhost:8084/?command=allow] (took 0 ms + 0 ms in queue)
Mar 07 09:32:15 auth: Error: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server HTTP error: 401 Unauthorized
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=report
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}
> On Mar 7, 2019, at 2:42 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
> wforce is the username always.
>
> auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything.
>
> auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64>
>
> without the < >.
> Aki
> On 6.3.2019 20.42, Robert Kudyba via dovecot wrote:
>> I took suggestions from https://forge.puppet.com/fraenki/wforce to set these in /etc/dovecot/conf.d/95-auth.conf
>>
>> auth_policy_server_url = http://localhost:8084/
>> auth_policy_hash_nonce = our_password
>> auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
>> auth_policy_server_timeout_msecs = 2000
>> auth_policy_hash_mech = sha256
>> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>> auth_policy_reject_on_fail = no
>> auth_policy_hash_truncate = 8
>> auth_policy_check_before_auth = yes
>> auth_policy_check_after_auth = yes
>> auth_policy_report_after_auth = yes
>>
>> And auth_debug=yes
>>
>> in /usr/local/etc/wforce.conf
>> webserver("0.0.0.0:8084", "our_password")
>> So when I run:
>> curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"our_password"}' http://127.0.0.1:8084/?command=allow -u wforce:our_passwordi
>> {"msg": "", "r_attrs": {"defaultReturn": "1"}, "status": 0}
>>
>> What do the values wforce and super represent? -u for user? and super is the password for the user?
>> curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:super
>> I always get:
>> {"status":"failure", "reason":"Unauthorized"}
>>
>> Using Squirrelmail and logging in brings up the mails but I see these Policy server HTTP error: 401 Unauthorized errors over and over:
>>
>> Mar 06 13:32:16 auth: Debug: http-client: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
>> Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1
Aki Tuomi
2019-Mar-07 16:33 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
In weakforced you have
webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")
Thus, you make the base64 blob as
~$ echo -n wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE | base64
d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=
And in dovecot you put
auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=
Aki
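Added example (not part of the thread, and not Dovecot or Weakforced code): a shell sketch of the header construction described in Aki Tuomi's reply above, with a check that catches the mistakes visible in this thread (missing colon, placeholder text left in place, lost "=" padding, wrong password). The function names wforce_api_header and check_api_header are hypothetical; the password is the thread's placeholder.

```shell
#!/bin/sh
# Added example: build and sanity-check the value of
# auth_policy_server_api_header for a wforce policy server.

# Print the header line. The user name is always "wforce"; $1 is the
# plain-text password given as second argument to webserver() in wforce.conf.
wforce_api_header() {
    # printf '%s' encodes no trailing newline (same purpose as echo -n);
    # tr removes the line wrap base64 adds to long output.
    token=$(printf '%s' "wforce:$1" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$token"
}

# Check a configured header value ($1) against the wforce password ($2).
# Prints a one-word diagnosis and returns 0 only for "ok".
check_api_header() {
    header=$1
    password=$2
    case $header in
        "Authorization: Basic "*) token=${header#"Authorization: Basic "} ;;
        *) echo "bad-prefix"; return 1 ;;       # e.g. colon missing
    esac
    case $token in
        ""|*[!A-Za-z0-9+/=]*) echo "not-base64"; return 1 ;;  # placeholder, < >, spaces
    esac
    # Padded base64 is always a multiple of 4 characters long; a dropped
    # trailing '=' shows up here.
    if [ $(( ${#token} % 4 )) -ne 0 ]; then
        echo "bad-padding"; return 1
    fi
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || {
        echo "not-base64"; return 1
    }
    case $decoded in
        "wforce:$password") echo "ok"; return 0 ;;
        wforce:*) echo "wrong-password"; return 1 ;;
        *) echo "wrong-user"; return 1 ;;
    esac
}

# Demo with values taken from this thread.
wforce_api_header 'THIS-IS-THE-PASSWORD-FOR-WFORCE'
check_api_header 'Authorization: Basic hash_from_running_echo-n_base64' 'our_password' || true
```

The 38-byte string wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE encodes to 52 characters ending in "="; that last character has to be copied into the Dovecot setting along with the rest.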
Robert Kudyba
2019-Mar-07 17:13 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
I think I'm getting closer:
/var/log/messages shows:
Mar 7 12:01:35 olddsm wforce[22993]: WforceWebserver: HTTP Request "/" from 127.0.0.1:59188: Web Authentication failed
Mar 7 12:02:43 olddsm wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
Mar 7 12:03:10 olddsm wforce[22993]: deleteBLEntry login_bl: login=localguy
Mar 7 12:03:12 olddsm wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
But this for loop looks to be working (note the instructions say To report (if you configured with 'webserver("127.0.0.1:8084", "secret")') but the actual value is 0.0.0.0)
for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' http://127.0.0.1:8084/?command=report -u wforce:ourpassword; done
{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}[
Then:
curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234"}' http://127.0.0.1:8084/?command=allow -u wforce:ourpassword
results in:
{"msg": "", "r_attrs": {"attempts": "50"}, "status": -1}
curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser"}' http://127.0.0.1:8084/?command=reset -u wforce:ourpassword
{"status":"ok"}
But still getting:
curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234"}' http://127.0.0.1:8084/?command=allow -u wforce:ourpassword
{"msg": "", "r_attrs": {"attempts": "50"}, "status": -1}[