search for: auth_policy_report_after_auth

...t is after. dovecot.conf has: auth_policy_server_url = http://policyserver.lan/ auth_policy_server_timeout_msecs = 3000 auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia auth_policy_request_attributes = remote=%{rip} auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes To simplify the problem I used a dummy policy server, in nginx.conf: location / { default_type application/json; return 200 "{\"status\":0,\"msg\":\"accepted\"}"; } however no matter what rubbish a policy server sends ba...

Hi, I was looking into the new Authentication Policy feature: https://wiki2.dovecot.org/Authentication/Policy I had kinda hoped that I would be able to enfore this in a proxy running in front of several backends. This proxy does not authenticate. It use "nopassword". But I realize that the "succes" reported in the final authpolicy req. (command=report) is not what is

...auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /usr/local/etc/wforce.conf webserver("0.0.0.0:8084", "our_password") So when I run: curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhas...

...igeonhole version 0.5.10 (67bf5bd7) # OS: Linux 5.4.44-2-pve x86_64 Debian 10.4 # Hostname: mail.xxx.xxx auth_cache_size = 2 M auth_cache_ttl = 5 mins auth_master_user_separator = * auth_mechanisms = plain login auth_policy_check_before_auth = no auth_policy_hash_nonce = # hidden, use -P to show it auth_policy_report_after_auth = no auth_policy_server_timeout_msecs = 1500 auth_policy_server_url = http://127.0.0.1:8090/ dict { acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext } disable_plaintext_auth = no imap_client_workarounds = delay-newmail imap_id_log = * ima...

...urprise the exact same functionality then turned up in 2.2.34 with just slightly different option names:* * *auth_policy_check_before_auth*: Whether to do policy lookup before authentication is started *auth_policy_check_after_auth*: Whether to do policy lookup after authentication is completed *auth_policy_report_after_auth*: Whether to report authentication result? This is great. However... in the setup where you have a proxy in front of a backend and the backend does all authentication, it would be nice with an option to only do report requests in case of authentication failure. Point being that, if the proxy au...

...auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > auth_policy_reject_on_fail = no > auth_policy_hash_truncate = 8 > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > And auth_debug=yes > > in /usr/local/etc/wforce.conf > webserver("0.0.0.0:8084 <http://0.0.0.0:8084>", "our_password") > So when I run: > curl -X POST -H "Content-Type: application/json" --data > '{"login":"our...

...gt; auth_policy_server_url = http://policyserver.lan/ > auth_policy_server_timeout_msecs = 3000 > auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia > auth_policy_request_attributes = remote=%{rip} > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > > To simplify the problem I used a dummy policy server, in nginx.conf: > > ??? location / { > ??????? default_type? application/json; > ??????? return 200 "{\"status\":0,\"msg\":\"accepted\"}"; > ??? } > > however no ma...

...an 10.4 >> # Hostname: mail.xxx.xxx >> auth_cache_size = 2 M >> auth_cache_ttl = 5 mins >> auth_master_user_separator = * >> auth_mechanisms = plain login >> auth_policy_check_before_auth = no >> auth_policy_hash_nonce = # hidden, use -P to show it >> auth_policy_report_after_auth = no >> auth_policy_server_timeout_msecs = 1500 >> auth_policy_server_url =http://127.0.0.1:8090/ >> dict { >> ?? acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext >> ?? quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext >> } >> disable_plaintext_auth =...

...quest_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s >> auth_policy_reject_on_fail = no >> auth_policy_hash_truncate = 8 >> auth_policy_check_before_auth = yes >> auth_policy_check_after_auth = yes >> auth_policy_report_after_auth = yes >> >> And auth_debug=yes >> >> in /usr/local/etc/wforce.conf >> webserver("0.0.0.0:8084 <https://urldefense.proofpoint.com/v2/url?u=http-3A__0.0.0.0-3A8084&d=DwMDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL...

...: Linux 5.4.44-2-pve x86_64 Debian 10.4 > # Hostname: mail.xxx.xxx > auth_cache_size = 2 M > auth_cache_ttl = 5 mins > auth_master_user_separator = * > auth_mechanisms = plain login > auth_policy_check_before_auth = no > auth_policy_hash_nonce = # hidden, use -P to show it > auth_policy_report_after_auth = no > auth_policy_server_timeout_msecs = 1500 > auth_policy_server_url =http://127.0.0.1:8090/ > dict { > acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext > quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext > } > disable_plaintext_auth = no > imap_client_workarou...

...col=%s > > > > > > auth_policy_reject_on_fail = no > > > > > > auth_policy_hash_truncate = 8 > > > > > > auth_policy_check_before_auth = yes > > > > > > auth_policy_check_after_auth = yes > > > > > > auth_policy_report_after_auth = yes > > > > > > > > > > > > > > > And auth_debug=yes > > > > > > > > > > > > > > > in /usr/local/etc/wforce.conf > > > > > > webserver("0.0.0.0:8084 (https://urldefense.p...

...ker=yes. + Added charset_alias plugin. See https://wiki2.dovecot.org/Plugins/CharsetAlias + imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.) + Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings. - v2.2.33: doveadm-server: Various fixes related to log handling. - v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication. - v2.2.33: doveadm log reopen stopped working - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability - v2.2.30...

...ker=yes. + Added charset_alias plugin. See https://wiki2.dovecot.org/Plugins/CharsetAlias + imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.) + Added auth_policy_check_before_auth, auth_policy_check_after_auth and auth_policy_report_after_auth settings. - v2.2.33: doveadm-server: Various fixes related to log handling. - v2.2.33: doveadm failed when trying to access UNIX socket that didn't require authentication. - v2.2.33: doveadm log reopen stopped working - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability - v2.2.30...

...le version 0.5.10 (67bf5bd7) # OS: Linux 5.3.18-2-pve x86_64 Debian 10.4 # Hostname: mail.z-technics.com auth_cache_size = 2 M auth_cache_ttl = 5 mins auth_master_user_separator = * auth_mechanisms = plain login auth_policy_check_before_auth = no auth_policy_hash_nonce = # hidden, use -P to show it auth_policy_report_after_auth = no auth_policy_server_timeout_msecs = 1500 auth_policy_server_url = http://127.0.0.1:8090/ dict { ? acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext ? quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext } disable_plaintext_auth = no imap_client_workarounds = delay-newmail imap_hibernate_time...

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I

...= | auth_master_user_separator = | auth_mechanisms = plain login | auth_policy_check_after_auth = yes | auth_policy_check_before_auth = yes | auth_policy_hash_mech = sha256 | auth_policy_hash_nonce = | auth_policy_hash_truncate = 12 | auth_policy_log_only = no | auth_policy_reject_on_fail = no | auth_policy_report_after_auth = yes | auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s | auth_policy_server_api_header = | auth_policy_server_timeout_msecs = 2000 | auth_policy_server_url = | auth_proxy_self = | auth_realms = | auth_socke...

...y = 2 secs auth_gssapi_hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = auth_proxy_self = auth_realms = auth_socket_path = auth-...

> On 25/08/2020 14:35 Robert Nowotny <rnowotny at rotek.at> wrote: > > > I get ZLIB Errors after dovecot upgrade from 2.3.10.1 to 2.3.11.3 > > > Aug 21 15:27:34 lxc-imap dovecot: imap(acsida)<63870><jZk...>: Error: Mailbox Sent: UID=40826: read(zlib(/home/vmail/virtualmailboxes/acsida/storage/m.2409)) failed:

..._hostname = auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_log_only = no auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = auth_proxy_self = auth_realms = auth_socket_path = auth-user...

...= auth_krb5_keytab = auth_master_user_separator = auth_mechanisms = plain login auth_policy_check_after_auth = yes auth_policy_check_before_auth = yes auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_log_only = no auth_policy_reject_on_fail = no auth_policy_report_after_auth = yes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = auth_proxy_self = auth_realms = auth_socket_path = auth-...