Robert Kudyba
2019-Mar-07 14:41 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-text password? What else am I doing wrong?

Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed

curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"hashed-password"}' http://127.0.0.1:8084/?command=allow -u wforce:super
{"status":"failure", "reason":"Unauthorized"}

Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): lookup service=dovecot
Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): #1/1 style=1 msg=Password:
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=allow
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Set request timeout to 2019-03-07 09:32:17.520 (now: 2019-03-07 09:32:15.520)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Using existing connection to 127.0.0.1:8084 (1 requests pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Submitted (requests left=1)
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Sent header
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Finished sending payload
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST http://localhost:8084/?command=allow] (took 0 ms + 0 ms in queue)
Mar 07 09:32:15 auth: Error: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server HTTP error: 401 Unauthorized
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=report
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}

> On Mar 7, 2019, at 2:42 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
> wforce is the username always.
>
> auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything.
>
> auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64>
>
> without the < >.
>
> Aki
>
> On 6.3.2019 20.42, Robert Kudyba via dovecot wrote:
>> I took suggestions from https://forge.puppet.com/fraenki/wforce to set these in /etc/dovecot/conf.d/95-auth.conf
>>
>> auth_policy_server_url = http://localhost:8084/
>> auth_policy_hash_nonce = our_password
>> auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
>> auth_policy_server_timeout_msecs = 2000
>> auth_policy_hash_mech = sha256
>> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>> auth_policy_reject_on_fail = no
>> auth_policy_hash_truncate = 8
>> auth_policy_check_before_auth = yes
>> auth_policy_check_after_auth = yes
>> auth_policy_report_after_auth = yes
>>
>> And auth_debug=yes
>>
>> in /usr/local/etc/wforce.conf
>> webserver("0.0.0.0:8084", "our_password")
>>
>> So when I run:
>> curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"our_password"}' http://127.0.0.1:8084/?command=allow -u wforce:our_passwordi
>> {"msg": "", "r_attrs": {"defaultReturn": "1"}, "status": 0}
>>
>> What do the values wforce and super represent? -u for user? and super is the password for the user?
>> curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:super
>> I always get:
>> {"status":"failure", "reason":"Unauthorized"}
>>
>> Using Squirrelmail and logging in brings up the mails but I see these Policy server HTTP error: 401 Unauthorized errors over and over:
>>
>> Mar 06 13:32:16 auth: Debug: http-client: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
>> Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1
Aki Tuomi
2019-Mar-07 16:33 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
In weakforced you have

webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")

Thus, you make the base64 blob as

~$ echo -n wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE | base64
d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U

And in dovecot you put

auth_policy_server_api_header = Authorization Basic d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U

Aki

> On 7 March 2019 16:41 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
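The header-building step above, as an added example (Python; not code from this thread, from Dovecot or from Weakforced). It pulls the API password out of the webserver("addr:port", "password") line of wforce.conf, emits the value Dovecot needs in auth_policy_server_api_header, and decodes an existing header value to say exactly why it would not authenticate: wrong user name, no colon after Authorization, stray quoting, or a password that differs from wforce.conf. The user name is always wforce, as Aki says; the header format Dovecot expects is `Authorization: Basic <base64 of wforce:password>`. The conf parsing assumes the single-line webserver(...) form shown in the thread, and the sample conf text in main() is constructed.

```python
"""Added example; not code from the thread, from Dovecot, or from Weakforced.

Builds the value Dovecot needs in auth_policy_server_api_header from the
password in Weakforced's webserver("addr:port", "password") line, and checks
an existing header value against it.  The wforce.conf parsing assumes the
single-line webserver(...) form shown in the thread.
"""
import base64
import re

WFORCE_USER = "wforce"  # Weakforced's HTTP API user name is fixed

# Matches a line such as: webserver("0.0.0.0:8084", "our_password")
_WEBSERVER_RE = re.compile(r'webserver\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"')


def webserver_password(wforce_conf: str) -> str:
    """Return the API password from the webserver(...) line of wforce.conf."""
    m = _WEBSERVER_RE.search(wforce_conf)
    if not m:
        raise ValueError('no webserver("addr:port", "password") line found')
    return m.group(2)


def api_header(password: str) -> str:
    """Value for auth_policy_server_api_header: HTTP Basic auth as user 'wforce'."""
    token = base64.b64encode(f"{WFORCE_USER}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def check_header(header_value: str, wforce_conf: str) -> str:
    """Explain why a configured header value would (or would not) authenticate.

    Decodes the Basic token instead of comparing base64 strings, so that a
    wrong user name, a missing colon, quoting and a wrong password are each
    named separately.
    """
    value = header_value.strip().strip('"')  # Dovecot accepts a quoted value
    m = re.fullmatch(r"Authorization:\s*Basic\s+(\S+)", value)
    if not m:
        return "malformed: expected 'Authorization: Basic <base64>' (note the colon)"
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return "malformed: token is not valid base64"
    user, _, password = decoded.partition(":")
    if user != WFORCE_USER:
        return f"wrong user {user!r}: Weakforced expects {WFORCE_USER!r}"
    if password != webserver_password(wforce_conf):
        return "password does not match the webserver(...) line in wforce.conf"
    return "ok"


if __name__ == "__main__":
    # Constructed sample of the relevant wforce.conf line (not a real config file).
    conf = 'webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")\n'
    print("auth_policy_server_api_header =", api_header(webserver_password(conf)))
    # curl -u wforce:super sends the header for the password "super":
    print(check_header(api_header("super"), conf))
```

To test with exactly the header Dovecot will send, rather than whatever curl -u builds, pass the printed value to curl with -H; a 401 from that call and a 401 in Dovecot's auth log then have the same cause.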
Robert Kudyba
2019-Mar-07 17:13 UTC
how to enable PowerDNS/Weakforced with Fedora and sendmail
I think I'm getting closer: /var/log/messages shows:

Mar 7 12:01:35 olddsm wforce[22993]: WforceWebserver: HTTP Request "/" from 127.0.0.1:59188: Web Authentication failed
Mar 7 12:02:43 olddsm wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
Mar 7 12:03:10 olddsm wforce[22993]: deleteBLEntry login_bl: login=localguy
Mar 7 12:03:12 olddsm wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }

But this for loop looks to be working (note the instructions say "To report (if you configured with 'webserver("127.0.0.1:8084", "secret")')" but the actual value is 0.0.0.0):

for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' http://127.0.0.1:8084/?command=report -u wforce:ourpassword; done
{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}

Then:

curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234"}' http://127.0.0.1:8084/?command=allow -u wforce:ourpassword

results in:

{"msg": "", "r_attrs": {"attempts": "50"}, "status": -1}

curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser"}' http://127.0.0.1:8084/?command=reset -u wforce:ourpassword
{"status":"ok"}

But still getting:

curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234"}' http://127.0.0.1:8084/?command=allow -u wforce:ourpassword
{"msg": "", "r_attrs": {"attempts": "50"}, "status": -1}

> On Mar 7, 2019, at 11:33 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
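The report, allow and reset sequence from the message above, as an added example (Python; not code from this thread, from Dovecot or from Weakforced). WforceClient sends the same three commands with the same Basic-auth header; FakePolicyServer is an in-memory stand-in for wforce so the script runs offline, and a real server can be reached by leaving transport unset. The stand-in's rules are assumptions modelled on the log lines in the thread, not Weakforced's actual Lua policy: a per-IP set of distinct failed password hashes that returns status -1 once it exceeds 50, login-keyed failure state held separately, and a reset that clears only the keys named in the request. The reset field name "ip" is taken from the Weakforced README as I recall it rather than from this thread; check it against your version. Under those assumptions a reset naming only the login leaves the IP-keyed count standing, which is the pattern in the log above (a deleteBLEntry login_bl line followed by another allow="-1").

```python
"""Added example; not code from the thread, from Dovecot, or from Weakforced.

Replays report -> allow -> reset -> allow against an offline stand-in whose
rules are assumptions modelled on the thread's log lines (see THRESHOLD and
FakePolicyServer); the real logic lives in the Lua functions of wforce.conf.
"""
import base64
import json
from urllib import request

THRESHOLD = 50  # assumed; matches rattrs={attempts="50"} in the log


class WforceClient:
    """Minimal JSON client for the Weakforced HTTP API (Basic auth, user wforce)."""

    def __init__(self, base_url, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"wforce:{password}".encode()).decode()
        self.headers = {"Content-Type": "application/json",
                        "Authorization": f"Basic {token}"}
        self._post = transport or self._http_post  # transport= lets this run offline

    @staticmethod
    def _http_post(url, body, headers):
        req = request.Request(url, data=body, headers=headers, method="POST")
        with request.urlopen(req, timeout=2) as resp:
            return resp.status, json.loads(resp.read())

    def _call(self, command, payload):
        url = f"{self.base_url}/?command={command}"
        return self._post(url, json.dumps(payload).encode(), self.headers)

    def report(self, login, remote, pwhash, success):
        return self._call("report", {"login": login, "remote": remote,
                                     "pwhash": pwhash, "success": success})

    def allow(self, login, remote, pwhash):
        return self._call("allow", {"login": login, "remote": remote, "pwhash": pwhash})

    def reset(self, login=None, ip=None):
        # "ip" (not "remote") for reset is an assumption taken from the Weakforced README.
        payload = {k: v for k, v in (("login", login), ("ip", ip)) if v is not None}
        return self._call("reset", payload)


class FakePolicyServer:
    """Offline stand-in for wforce; keeps login-keyed and IP-keyed state apart."""

    def __init__(self, password):
        self.expected_auth = "Basic " + base64.b64encode(f"wforce:{password}".encode()).decode()
        self.failed_pw_by_ip = {}    # remote -> set of distinct failed pwhashes
        self.failures_by_login = {}  # login -> failure count

    def __call__(self, url, body, headers):
        if headers.get("Authorization") != self.expected_auth:
            return 401, {"status": "failure", "reason": "Unauthorized"}
        command = url.rsplit("command=", 1)[1]
        data = json.loads(body)
        if command == "report":
            if data["success"] in (False, "false"):  # Dovecot sends false, the thread's loop "false"
                self.failed_pw_by_ip.setdefault(data["remote"], set()).add(data["pwhash"])
                self.failures_by_login[data["login"]] = self.failures_by_login.get(data["login"], 0) + 1
            return 200, {"status": "ok"}
        if command == "allow":
            if len(self.failed_pw_by_ip.get(data["remote"], ())) > THRESHOLD:
                return 200, {"status": -1, "msg": "too many different failed password attempts by IP",
                             "r_attrs": {"attempts": str(THRESHOLD)}}
            return 200, {"status": 0, "msg": "", "r_attrs": {"defaultReturn": "1"}}
        if command == "reset":
            self.failures_by_login.pop(data.get("login"), None)  # login-keyed state only
            self.failed_pw_by_ip.pop(data.get("ip"), None)       # IP-keyed state only
            return 200, {"status": "ok"}
        return 404, {"status": "failure", "reason": "unknown command"}


def walk_through(client):
    """Replay the thread's sequence; returns the allow status after each step."""
    for a in range(1, 102):  # 101 distinct wrong password hashes, as in the for loop
        client.report("ouruser", "127.0.0.1", f"1234{a}", False)
    _, blocked = client.allow("ouruser", "127.0.0.1", "1234")
    client.reset(login="ouruser")                   # login only, as in the thread
    _, after_login_reset = client.allow("ouruser", "127.0.0.1", "1234")
    client.reset(login="ouruser", ip="127.0.0.1")   # also clears the IP-keyed count
    _, after_ip_reset = client.allow("ouruser", "127.0.0.1", "1234")
    return blocked["status"], after_login_reset["status"], after_ip_reset["status"]


if __name__ == "__main__":
    fake = FakePolicyServer("ourpassword")  # constructed; drop transport= to hit a real wforce
    print(walk_through(WforceClient("http://127.0.0.1:8084", "ourpassword", transport=fake)))
    # A mismatched password reproduces the 401 from the first message in the thread.
    print(WforceClient("http://127.0.0.1:8084", "super", transport=fake).allow("ouruser", "127.0.0.1", "1234"))
```

The point of keeping the two state tables apart in the stand-in is the check worth making against a real deployment: after a reset, confirm with an allow request for the same remote address, not only the same login, that the block is actually gone.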