search for: auth_policy_hash_truncate

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot

...t;Authorization: Basic hash_from_running_echo-n_base64" auth_policy_server_timeout_msecs = 2000 auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /usr/local/etc/wforce.conf webserver("0.0.0.0:8084", "our_password") So when I run: curl -X POST -H "Content-Type: application/json" -...

...vecot.conf ># Pigeonhole version 0.5.9 (db4e9a2f) ># OS: Linux 5.3.0-28-generic x86_64 Ubuntu 18.04.4 LTS ># Hostname: bubba.amfes.lan >auth_cache_size = 4 k >auth_master_user_separator = * >auth_mechanisms = plain login >auth_policy_hash_nonce = # hidden, use -P to show it >auth_policy_hash_truncate = 8 >auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ >default_login_user = nobody >default_vsz_limit = 2 G >disable_plaintext_auth = no >imap_client_workarounds = tb-extra-mailbox-sep >imap_idle_notify_interval = 29 mins >listen =...

...y commenting out all auth_policy_* settings. Hello, could you be more verbose on how to verify if administrators are affected? # doveconf -n | grep auth_policy_ | wc -l 0 but there /are/ default settings: # doveconf -d | grep auth_policy_ auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = Is such setup vulnerable? Thanks for clarification, Andreas

...om_running_echo-n_base64" > auth_policy_server_timeout_msecs = 2000 > auth_policy_hash_mech = sha256 > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > auth_policy_reject_on_fail = no > auth_policy_hash_truncate = 8 > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > And auth_debug=yes > > in /usr/local/etc/wforce.conf > webserver("0.0.0.0:8084 <http://0.0.0.0:8084>", "our_password") > So w...

...-n_base64" >> auth_policy_server_timeout_msecs = 2000 >> auth_policy_hash_mech = sha256 >> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s >> auth_policy_reject_on_fail = no >> auth_policy_hash_truncate = 8 >> auth_policy_check_before_auth = yes >> auth_policy_check_after_auth = yes >> auth_policy_report_after_auth = yes >> >> And auth_debug=yes >> >> in /usr/local/etc/wforce.conf >> webserver("0.0.0.0:8084 <https://urldefense.proofpoint.co...

...88fa): /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.5.9 (db4e9a2f) # OS: Linux 5.3.0-28-generic x86_64 Ubuntu 18.04.4 LTS # Hostname: bubba.amfes.lan auth_cache_size = 4 k auth_master_user_separator = * auth_mechanisms = plain login auth_policy_hash_nonce = # hidden, use -P to show it auth_policy_hash_truncate = 8 auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ default_login_user = nobody default_vsz_limit = 2 G disable_plaintext_auth = no imap_client_workarounds = tb-extra-mailbox-sep imap_idle_notify_interval = 29 mins listen = * login_trusted_networks =...

...> auth_policy_hash_mech = sha256 > > > > > > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > > > > > auth_policy_reject_on_fail = no > > > > > > auth_policy_hash_truncate = 8 > > > > > > auth_policy_check_before_auth = yes > > > > > > auth_policy_check_after_auth = yes > > > > > > auth_policy_report_after_auth = yes > > > > > > > > > > > > > > > And auth_de...

...ct of my debug log # 2.2.28 (bed8434): /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-642.3.1.el6.x86_64 x86_64 CentOS release 6.9 (Final) auth_cache_size = 1 M auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_policy_hash_mech = sha512 auth_policy_hash_nonce = 78204771 auth_policy_hash_truncate = 64 auth_policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport} auth_policy_server_api_header = X-API-Key:dovecot:xxx...

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I

...30 secs auth_cache_size = 100 M auth_cache_ttl = 30 secs auth_debug = no auth_debug_passwords = no auth_default_realm = auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = auth_proxy_self = auth_realms = auth_socket_path = auth-userdb...

...30 secs auth_cache_size = 100 M auth_cache_ttl = 30 secs auth_debug = no auth_debug_passwords = no auth_default_realm = auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = auth_proxy_self = auth_realms = auth_socket_path = auth-userdb...

...th_default_realm = | auth_failure_delay = 2 secs | auth_gssapi_hostname = | auth_krb5_keytab = | auth_master_user_separator = | auth_mechanisms = plain login | auth_policy_check_after_auth = yes | auth_policy_check_before_auth = yes | auth_policy_hash_mech = sha256 | auth_policy_hash_nonce = | auth_policy_hash_truncate = 12 | auth_policy_log_only = no | auth_policy_reject_on_fail = no | auth_policy_report_after_auth = yes | auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s | auth_policy_server_api_header = | auth_policy_server_...

...th_debug_passwords = no auth_default_realm = auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_serve...

> On 25/08/2020 14:35 Robert Nowotny <rnowotny at rotek.at> wrote: > > > I get ZLIB Errors after dovecot upgrade from 2.3.10.1 to 2.3.11.3 > > > Aug 21 15:27:34 lxc-imap dovecot: imap(acsida)<63870><jZk...>: Error: Mailbox Sent: UID=40826: read(zlib(/home/vmail/virtualmailboxes/acsida/storage/m.2409)) failed:

...no auth_debug_passwords = no auth_default_realm = auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_log_only = no auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs...

...g_passwords = no auth_default_realm = auth_failure_delay = 10 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain login auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_log_only = no auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msec...

...= no auth_default_realm = default.local auth_failure_delay = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain login auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_serve...

...------------------------------- dovecot -n # 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf # OS: Linux 3.10.0-514.6.2.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core) auth_cache_size = 819 M auth_mechanisms = plain login auth_policy_hash_mech = sha512 auth_policy_hash_nonce = 85979662 auth_policy_hash_truncate = 64 auth_policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport} auth_policy_server_api_header = X-API-Key:dovecot:4...

Hello, I sent this into the Linux Kernel Btrfs mailing list and I got reply: "RAID-1 would be preferable" (https://lore.kernel.org/linux-btrfs/7b364356-7041-7d18-bd77-f60e0e2e2112 at lechevalier.se/T/). May I ask you for the comments as from people around the Dovecot? We are using btrfs RAID-10 (/data, 4.7TB) on a physical Supermicro server with Intel(R) Xeon(R) CPU E5-2620 v4 @