Displaying 20 results from an estimated 24 matches for "auth_policy_check_before_auth".
2019 Aug 07
2
auth-policy crashing
...efore and after auth
command=allow request are the same I cache the first, leading to a fast
second response. Removing the cache (nginx proxy_cache ...) must change
the timings and circumvented the crash. Why use both check before and
after auth? roundcube webmail reports an error with only
auth_policy_check_before_auth. I cannot see why. The simple and lazy
solution is to use double auth_policy_check_!
Thank you Aki for looking at this and finding a solution so quickly.
2019 Aug 02
3
auth-policy crashing
...t->result is not null before the call (no 222) to
i_stream_unref but is after.
dovecot.conf has:
auth_policy_server_url = http://policyserver.lan/
auth_policy_server_timeout_msecs = 3000
auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
auth_policy_request_attributes = remote=%{rip}
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
To simplify the problem I used a dummy policy server, in nginx.conf:
location / {
default_type application/json;
return 200 "{\"status\":0,\"msg\":\"accepted\"}...
2017 Dec 14
4
auth_policy in a non-authenticating proxy chain
Hi,
I was looking into the new Authentication Policy feature:
https://wiki2.dovecot.org/Authentication/Policy
I had kinda hoped that I would be able to enforce this in a proxy running
in front of several backends. This proxy does not authenticate. It uses
"nopassword".
But I realize that the "success" reported in the final authpolicy req.
(command=report) is not what is
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...om_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 8
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
And auth_debug=yes
in /usr/local/etc/wforce.conf
webserver("0.0.0.0:8084", "our_password")
So when I run:
curl -X POST -H "Content-Type: application/json" --data
'{"login":&quo...
2020 Aug 19
3
sieve_max_script_size is ignored
...advice where can be the problem?
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
# Hostname: mail.xxx.xxx
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}...
2018 Sep 15
0
auth_policy in a non-authenticating proxy chain
Hi ...
After the below thread, I wrote a patch to select on a node-by-node
basis which auth-policy request should be done from that node.
To my surprise the exact same functionality then turned up in 2.2.34
with just slightly different option names:
*auth_policy_check_before_auth*: Whether to do policy lookup before
authentication is started
*auth_policy_check_after_auth*: Whether to do policy lookup after
authentication is completed
*auth_policy_report_after_auth*: Whether to report authentication result?
This is great.
However... in the setup where you have a proxy i...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...auth_policy_server_timeout_msecs = 2000
> auth_policy_hash_mech = sha256
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> auth_policy_reject_on_fail = no
> auth_policy_hash_truncate = 8
> auth_policy_check_before_auth = yes
> auth_policy_check_after_auth = yes
> auth_policy_report_after_auth = yes
>
> And auth_debug=yes
>
> in /usr/local/etc/wforce.conf
> webserver("0.0.0.0:8084 <http://0.0.0.0:8084>", "our_password")
> So when I run:
> curl -X POST -H "C...
2019 Aug 06
0
auth-policy crashing
...to
> i_stream_unref but is after.
>
>
>
> dovecot.conf has:
>
> auth_policy_server_url = http://policyserver.lan/
> auth_policy_server_timeout_msecs = 3000
> auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
> auth_policy_request_attributes = remote=%{rip}
> auth_policy_check_before_auth = yes
> auth_policy_check_after_auth = yes
> auth_policy_report_after_auth = yes
>
>
> To simplify the problem I used a dummy policy server, in nginx.conf:
>
>     location / {
>         default_type application/json;
>         return 200 "{\"status\":0,\&...
2019 Aug 07
0
auth-policy crashing
...> command=allow request are the same I cache the first, leading to a
> fast second response. Removing the cache (nginx proxy_cache ...) must
> change the timings and circumvented the crash. Why use both check
> before and after auth? roundcube webmail reports an error with only
> auth_policy_check_before_auth. I cannot see why. The simple and lazy
> solution is to use double auth_policy_check_!
>
> Thank you Aki for looking at this and finding a solution so quickly.
The double-check is for places which want to implement something like
COS or want to perform validations in policy server *aft...
2019 Aug 07
1
auth-policy crashing
On 07/08/2019 11:02, Aki Tuomi via dovecot wrote:
>> before and after auth? roundcube webmail reports an error with only
>> auth_policy_check_before_auth. I cannot see why. The simple and lazy
>> solution is to use double auth_policy_check_!
...
> The double-check is for places which want to implement something like
> COS or want to perform validations in policy server *after* we know the
> user identity. The first check is done be...
2020 Aug 19
1
sieve_max_script_size is ignored
...dovecot.conf
>> # Pigeonhole version 0.5.10 (67bf5bd7)
>> # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
>> # Hostname: mail.xxx.xxx
>> auth_cache_size = 2 M
>> auth_cache_ttl = 5 mins
>> auth_master_user_separator = *
>> auth_mechanisms = plain login
>> auth_policy_check_before_auth = no
>> auth_policy_hash_nonce = # hidden, use -P to show it
>> auth_policy_report_after_auth = no
>> auth_policy_server_timeout_msecs = 1500
>> auth_policy_server_url =http://127.0.0.1:8090/
>> dict {
>>   acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
>...
2019 Mar 07
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...rver_timeout_msecs = 2000
>> auth_policy_hash_mech = sha256
>> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>> auth_policy_reject_on_fail = no
>> auth_policy_hash_truncate = 8
>> auth_policy_check_before_auth = yes
>> auth_policy_check_after_auth = yes
>> auth_policy_report_after_auth = yes
>>
>> And auth_debug=yes
>>
>> in /usr/local/etc/wforce.conf
>> webserver("0.0.0.0:8084 <https://urldefense.proofpoint.com/v2/url?u=http-3A__0.0.0.0-3A8084&d=Dw...
2020 Aug 19
0
sieve_max_script_size is ignored
....10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.10 (67bf5bd7)
> # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
> # Hostname: mail.xxx.xxx
> auth_cache_size = 2 M
> auth_cache_ttl = 5 mins
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_policy_check_before_auth = no
> auth_policy_hash_nonce = # hidden, use -P to show it
> auth_policy_report_after_auth = no
> auth_policy_server_timeout_msecs = 1500
> auth_policy_server_url =http://127.0.0.1:8090/
> dict {
> acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
> quota = pgsql:/etc/d...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> > >
> > > auth_policy_reject_on_fail = no
> > >
> > > auth_policy_hash_truncate = 8
> > >
> > > auth_policy_check_before_auth = yes
> > >
> > > auth_policy_check_after_auth = yes
> > >
> > > auth_policy_report_after_auth = yes
> > >
> > >
> > >
> > >
> > > And auth_debug=yes
> > >
> > >
> > >
> >...
2018 Feb 28
5
v2.2.34 released
...hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
https://wiki2.dovecot.org/Plugins/CharsetAlias
+ imap_logout_format and pop3_logout_format settings now support all of
the generic variables (e.g. %{rip}, %{session}, etc.)
+ Added auth_policy_check_before_auth, auth_policy_check_after_auth
and auth_policy_report_after_auth settings.
- v2.2.33: doveadm-server: Various fixes related to log handling.
- v2.2.33: doveadm failed when trying to access UNIX socket that didn't
require authentication.
- v2.2.33: doveadm log reopen stopped working
- v...
2018 Feb 28
5
v2.2.34 released
...hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
https://wiki2.dovecot.org/Plugins/CharsetAlias
+ imap_logout_format and pop3_logout_format settings now support all of
the generic variables (e.g. %{rip}, %{session}, etc.)
+ Added auth_policy_check_before_auth, auth_policy_check_after_auth
and auth_policy_report_after_auth settings.
- v2.2.33: doveadm-server: Various fixes related to log handling.
- v2.2.33: doveadm failed when trying to access UNIX socket that didn't
require authentication.
- v2.2.33: doveadm log reopen stopped working
- v...
2020 May 31
1
auth_policy_server vs client_id and x-originating-ip
...Below is my config file:
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
  acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.
I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy
I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string
But when I
2020 Jul 03
0
Quota: How/where to set/change
...rs
| auth_cache_verify_password_with_worker = no
| auth_debug = no
| auth_debug_passwords = no
| auth_default_realm =
| auth_failure_delay = 2 secs
| auth_gssapi_hostname =
| auth_krb5_keytab =
| auth_master_user_separator =
| auth_mechanisms = plain login
| auth_policy_check_after_auth = yes
| auth_policy_check_before_auth = yes
| auth_policy_hash_mech = sha256
| auth_policy_hash_nonce =
| auth_policy_hash_truncate = 12
| auth_policy_log_only = no
| auth_policy_reject_on_fail = no
| auth_policy_report_after_auth = yes
| auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{r...
2020 Nov 10
3
SSL alert number 42
...e = 0
auth_cache_ttl = 1 hours
auth_cache_verify_password_with_worker = no
auth_debug = no
auth_debug_passwords = no
auth_default_realm =
auth_failure_delay = 2 secs
auth_gssapi_hostname =
auth_krb5_keytab =
auth_master_user_separator =
auth_mechanisms = plain
auth_policy_check_after_auth = yes
auth_policy_check_before_auth = yes
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_report_after_auth = yes
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
a...