Aki Tuomi
2019-Mar-28 20:07 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:

> On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote:
>
>>> Set
>>>
>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
>>
>> Can this be the Lets Encrypt cert that we already have? In other words we have:
>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>
>> Can those be used?
>
> Set it to *CA* cert. You can also use
>
> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)
>
> or
>
> ssl_client_ca_dir=/etc/ssl/certs (on debian based)
>
>>> Are you using haproxy or something in front of dovecot?
>>
>> No. Just Squirrelmail webmail with sendmail.
>
> Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it.
> Or you could configure squirrelmail to use weakforced ?
>
> --- Aki Tuomi

Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with

`doveconf auth_policy_request_attributes`

--- Aki Tuomi
Robert Kudyba
2019-Mar-28 20:34 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
>>>> Set
>>>>
>>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
>>>
>>> Can this be the Lets Encrypt cert that we already have? In other words we have:
>>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>>
>>> Can those be used?
>>
>> Set it to *CA* cert. You can also use
>>
>> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)

OK did that.

>> ssl_client_ca_dir=/etc/ssl/certs (on debian based)
>>>> Are you using haproxy or something in front of dovecot?
>>>
>>> No. Just Squirrelmail webmail with sendmail.
>>>
>> Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?

I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?

> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
>
> `doveconf auth_policy_request_attributes`

Yes I've confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed

Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-28 16:13:36.300)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req10: POST https://ourdomain:8084/?command=allow] (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Error: 9008 Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req10: POST https://ourdomain:8084/?command=allow]
Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Destroy (requests left=1)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Free (requests left=0)
Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup service=dovecot
Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1 msg=Password:
Mar 28 16:13:38 auth-worker(32249): Info: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy request https://ourdomain:8084/?command=report
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: Set request timeout to 2019-03-28 16:13:40.625 (now: 2019-03-28 16:13:38.625)
Mar 28 16:13:38 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Peer reused
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: Setting up connection to ex.ter.na.lip:8084 (SSL=ourdomain) (1 requests pending)
Mar 28 16:13:38 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Submitted (requests left=1)
Mar 28 16:13:38 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Mar 28 16:13:40 auth: Debug: client passdb out: FAIL 1 user=abc
Mar 28 16:13:40 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<abc>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<5aBSMC2FROF/AAAB>
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-28 16:13:40.626)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req11: POST https://ourdomain:8084/?command=report] (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Error: 9008 Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req11: POST https://ourdomain:8084/?command=report]
Mar 28 16:13:40 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Destroy (requests left=1)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST https://ourdomain:8084/?command=report]: Free (requests left=0)
Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): Backoff timer expired
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Making new connection 1 of 1 (0 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: HTTPS connection created (1 parallel connections exist)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connected
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Starting SSL handshake
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Connection failed (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client: peer ex.ter.na.lip:8084: Failed to make connection (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Failed to establish any connection within our peer pool: SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 connections exist, 0 pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: queue https://ourdomain:8084: Failed to set up connection to ex.ter.na.lip:8084 (SSL=ourdomain): SSL handshake to ex.ter.na.lip:8084 failed: Connection closed (1 peers pending, 0 requests pending)
Mar 28 16:13:59 auth: Debug: http-client[1]: queue https://ourdomain:8084: Failed to set up any connection; failing all queued requests
Mar 28 16:13:59 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Unlinked queue https://ourdomain:8084 (0 queues linked)
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection close
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection disconnect
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Detached peer
Mar 28 16:13:59 auth: Debug: http-client[1]: conn ex.ter.na.lip:8084 [9]: Connection destroy
Aki Tuomi
2019-Mar-29 09:35 UTC
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
On 28.3.2019 22.34, Robert Kudyba via dovecot wrote:
>>>>> Set
>>>>>
>>>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
>>>>
>>>> Can this be the Lets Encrypt cert that we already have? In other words we have:
>>>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>>>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>>>
>>>> Can those be used?
>>>
>>> Set it to *CA* cert. You can also use
>>>
>>> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos)
>
> OK did that.
>
>>> ssl_client_ca_dir=/etc/ssl/certs (on debian based)
>>>>> Are you using haproxy or something in front of dovecot?
>>>>
>>>> No. Just Squirrelmail webmail with sendmail.
>>>>
>>> Maybe squirrelmail supports forwarding original client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?
>
> I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?
>
>> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
>>
>> `doveconf auth_policy_request_attributes`
>
> Yes I've confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed
>
> Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-28 16:13:36.300)
> Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req10: POST https://ourdomain:8084/?command=allow] (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
> Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Error: 9008 Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
> Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req10: POST https://ourdomain:8084/?command=allow]
> Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
> Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Destroy (requests left=1)
> Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST https://ourdomain:8084/?command=allow]: Free (requests left=0)
> Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup service=dovecot
> Mar 28 16:13:36 auth-worker(32249): Debug: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1 msg=Password:
> Mar 28 16:13:38 auth-worker(32249): Info: pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user
> Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy request https://ourdomain:8084/?command=report
> Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}

Well, as I said, it's up to squirrelmail to actually provide the real client IP. Otherwise dovecot cannot know it. You can try turning on imap rawlogs (see https://wiki.dovecot.org/Debugging/Rawlog) and check if squirrelmail is forwarding client ip or not.

Aki
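As an added example (not code from the thread, Dovecot or weakforced), a small Python audit over auth debug lines of the kind quoted above: it decodes the "Policy server request JSON" bodies, collects the "Policy server HTTP error" reasons, and flags requests whose "remote" is a loopback or RFC 1918 address, which is exactly the symptom Aki describes (the policy server sees the webmail host, not the end client). The sample log lines are constructed, shaped after the ones in the thread.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines, shaped after the auth debug output quoted in the thread.
SAMPLE_LOG = """\
Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Mar 28 16:20:01 auth: Debug: policy(bob,203.0.113.7,<AbCdEfGh>): Policy server request JSON: {"device_id":"","login":"bob","protocol":"imap","pwhash":"a1","remote":"203.0.113.7","success":true,"policy_reject":false,"tls":true}
"""

POLICY_JSON_RE = re.compile(r"Policy server request JSON: (\{.*\})\s*$")
POLICY_ERR_RE = re.compile(r"Policy server HTTP error: (.*)$")

# Loopback and RFC 1918 ranges: a 'remote' in one of these is the webmail or
# proxy host, not the end client the policy server is supposed to rate-limit.
LOCAL_NETS = [ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_policy_requests(log_text):
    """Decode every JSON body Dovecot logged as sent to the policy server."""
    requests = []
    for line in log_text.splitlines():
        m = POLICY_JSON_RE.search(line)
        if m:
            requests.append(json.loads(m.group(1)))
    return requests

def policy_errors(log_text):
    """Collect the reasons from 'Policy server HTTP error' lines (timeouts, TLS failures)."""
    return [m.group(1) for m in map(POLICY_ERR_RE.search, log_text.splitlines()) if m]

def remote_is_not_end_client(req):
    """True when 'remote' is a local address: weakforced would then count every
    webmail login against one IP and could not tell an attacker from other users."""
    ip = ip_address(req["remote"])
    return any(ip in net for net in LOCAL_NETS)

def audit(log_text):
    """Summarise what the policy server actually received and which calls failed."""
    reqs = parse_policy_requests(log_text)
    return {
        "requests": len(reqs),
        "non_client_remote_logins": [r["login"] for r in reqs if remote_is_not_end_client(r)],
        "http_errors": policy_errors(log_text),
    }
```

Run `audit()` over `/var/log/dovecot` output with `auth_debug=yes`; a non-empty `non_client_remote_logins` list means the ID command forwarding (or the `%{rip}` attribute) is not delivering the real client address.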