search for: auth_policy_check_before_auth

Displaying 20 results from an estimated 24 matches for "auth_policy_check_before_auth".

2019 Aug 07
2
auth-policy crashing
...efore and after auth command=allow request are the same I cache the first, leading to a fast second response. Removing the cache (nginx proxy_cache ...) must change the timings and circumvented the crash. Why use both check before and after auth? roundcube webmail reports an error with only auth_policy_check_before_auth. I cannot see why. The simple and lazy solution is to use double auth_policy_check_! Thank you Aki for looking at this and finding a solution so quickly.
2019 Aug 02
3
auth-policy crashing
...t->result is not null before the call (no 222) to i_stream_unref but is after. dovecot.conf has: auth_policy_server_url = http://policyserver.lan/ auth_policy_server_timeout_msecs = 3000 auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia auth_policy_request_attributes = remote=%{rip} auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes To simplify the problem I used a dummy policy server, in nginx.conf: location / { default_type application/json; return 200 "{\"status\":0,\"msg\":\"accepted\"}...
2017 Dec 14
4
auth_policy in a non-authenticating proxy chain
Hi, I was looking into the new Authentication Policy feature: https://wiki2.dovecot.org/Authentication/Policy I had kinda hoped that I would be able to enforce this in a proxy running in front of several backends. This proxy does not authenticate. It uses "nopassword". But I realize that the "success" reported in the final authpolicy req. (command=report) is not what is
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...om_running_echo-n_base64" auth_policy_server_timeout_msecs = 2000 auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /usr/local/etc/wforce.conf webserver("0.0.0.0:8084", "our_password") So when I run: curl -X POST -H "Content-Type: application/json" --data '{"login":&quo...
2020 Aug 19
3
sieve_max_script_size is ignored
...advice where can be the problem? # 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.10 (67bf5bd7) # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4 # Hostname: mail.xxx.xxx auth_cache_size = 2 M auth_cache_ttl = 5 mins auth_master_user_separator = * auth_mechanisms = plain login auth_policy_check_before_auth = no auth_policy_hash_nonce = # hidden, use -P to show it auth_policy_report_after_auth = no auth_policy_server_timeout_msecs = 1500 auth_policy_server_url = http://127.0.0.1:8090/ dict { acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext }...
2018 Sep 15
0
auth_policy in a non-authenticating proxy chain
Hi ... After the below thread, I wrote a patch to select on a node-by-node basis which auth-policy request should be done from that node. To my surprise the exact same functionality then turned up in 2.2.34 with just slightly different option names: *auth_policy_check_before_auth*: Whether to do policy lookup before authentication is started *auth_policy_check_after_auth*: Whether to do policy lookup after authentication is completed *auth_policy_report_after_auth*: Whether to report authentication result? This is great. However... in the setup where you have a proxy i...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...auth_policy_server_timeout_msecs = 2000 > auth_policy_hash_mech = sha256 > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > auth_policy_reject_on_fail = no > auth_policy_hash_truncate = 8 > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > And auth_debug=yes > > in /usr/local/etc/wforce.conf > webserver("0.0.0.0:8084 <http://0.0.0.0:8084>", "our_password") > So when I run: > curl -X POST -H "C...
2019 Aug 06
0
auth-policy crashing
...to > i_stream_unref but is after. > > > > dovecot.conf has: > > auth_policy_server_url = http://policyserver.lan/ > auth_policy_server_timeout_msecs = 3000 > auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia > auth_policy_request_attributes = remote=%{rip} > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > > To simplify the problem I used a dummy policy server, in nginx.conf: > > location / { > default_type application/json; > return 200 "{\"status\":0,\&...
2019 Aug 07
0
auth-policy crashing
...> command=allow request are the same I cache the first, leading to a > fast second response. Removing the cache (nginx proxy_cache ...) must > change the timings and circumvented the crash. Why use both check > before and after auth? roundcube webmail reports an error with only > auth_policy_check_before_auth. I cannot see why. The simple and lazy > solution is to use double auth_policy_check_! > > Thank you Aki for looking at this and finding a solution so quickly. The double-check is for places which want to implement something like COS or want to perform validations in policy server *aft...
2019 Aug 07
1
auth-policy crashing
On 07/08/2019 11:02, Aki Tuomi via dovecot wrote: >> before and after auth? roundcube webmail reports an error with only >> auth_policy_check_before_auth. I cannot see why. The simple and lazy >> solution is to use double auth_policy_check_! ... > The double-check is for places which want to implement something like > COS or want to perform validations in policy server *after* we know the > user identity. The first check is done be...
2020 Aug 19
1
sieve_max_script_size is ignored
...dovecot.conf >> # Pigeonhole version 0.5.10 (67bf5bd7) >> # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4 >> # Hostname: mail.xxx.xxx >> auth_cache_size = 2 M >> auth_cache_ttl = 5 mins >> auth_master_user_separator = * >> auth_mechanisms = plain login >> auth_policy_check_before_auth = no >> auth_policy_hash_nonce = # hidden, use -P to show it >> auth_policy_report_after_auth = no >> auth_policy_server_timeout_msecs = 1500 >> auth_policy_server_url =http://127.0.0.1:8090/ >> dict { >> acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext >...
2019 Mar 07
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...rver_timeout_msecs = 2000 >> auth_policy_hash_mech = sha256 >> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s >> auth_policy_reject_on_fail = no >> auth_policy_hash_truncate = 8 >> auth_policy_check_before_auth = yes >> auth_policy_check_after_auth = yes >> auth_policy_report_after_auth = yes >> >> And auth_debug=yes >> >> in /usr/local/etc/wforce.conf >> webserver("0.0.0.0:8084 <https://urldefense.proofpoint.com/v2/url?u=http-3A__0.0.0.0-3A8084&d=Dw...
2020 Aug 19
0
sieve_max_script_size is ignored
....10.1 (a3d0e1171): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.10 (67bf5bd7) > # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4 > # Hostname: mail.xxx.xxx > auth_cache_size = 2 M > auth_cache_ttl = 5 mins > auth_master_user_separator = * > auth_mechanisms = plain login > auth_policy_check_before_auth = no > auth_policy_hash_nonce = # hidden, use -P to show it > auth_policy_report_after_auth = no > auth_policy_server_timeout_msecs = 1500 > auth_policy_server_url =http://127.0.0.1:8090/ > dict { > acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext > quota = pgsql:/etc/d...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > > > > > auth_policy_reject_on_fail = no > > > > > > auth_policy_hash_truncate = 8 > > > > > > auth_policy_check_before_auth = yes > > > > > > auth_policy_check_after_auth = yes > > > > > > auth_policy_report_after_auth = yes > > > > > > > > > > > > > > > And auth_debug=yes > > > > > > > > > > >...
2018 Feb 28
5
v2.2.34 released
...hash verification by setting auth_cache_verify_password_with_worker=yes. + Added charset_alias plugin. See https://wiki2.dovecot.org/Plugins/CharsetAlias + imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.) + Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings. - v2.2.33: doveadm-server: Various fixes related to log handling. - v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication. - v2.2.33: doveadm log reopen stopped working - v...
2018 Feb 28
5
v2.2.34 released
...hash verification by setting auth_cache_verify_password_with_worker=yes. + Added charset_alias plugin. See https://wiki2.dovecot.org/Plugins/CharsetAlias + imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.) + Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings. - v2.2.33: doveadm-server: Various fixes related to log handling. - v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication. - v2.2.33: doveadm log reopen stopped working - v...
2020 May 31
1
auth_policy_server vs client_id and x-originating-ip
...Below is my config file: # 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.10 (67bf5bd7) # OS: Linux 5.3.18-2-pve x86_64 Debian 10.4 # Hostname: mail.z-technics.com auth_cache_size = 2 M auth_cache_ttl = 5 mins auth_master_user_separator = * auth_mechanisms = plain login auth_policy_check_before_auth = no auth_policy_hash_nonce = # hidden, use -P to show it auth_policy_report_after_auth = no auth_policy_server_timeout_msecs = 1500 auth_policy_server_url = http://127.0.0.1:8090/ dict { acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext }...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I
2020 Jul 03
0
Quota: How/where to set/change
...rs | auth_cache_verify_password_with_worker = no | auth_debug = no | auth_debug_passwords = no | auth_default_realm = | auth_failure_delay = 2 secs | auth_gssapi_hostname = | auth_krb5_keytab = | auth_master_user_separator = | auth_mechanisms = plain login | auth_policy_check_after_auth = yes | auth_policy_check_before_auth = yes | auth_policy_hash_mech = sha256 | auth_policy_hash_nonce = | auth_policy_hash_truncate = 12 | auth_policy_log_only = no | auth_policy_reject_on_fail = no | auth_policy_report_after_auth = yes | auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{r...
2020 Nov 10
3
SSL alert number 42
...e = 0 auth_cache_ttl = 1 hours auth_cache_verify_password_with_worker = no auth_debug = no auth_debug_passwords = no auth_default_realm = auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s a...