Displaying 20 results from an estimated 35 matches for "auth_policy_request_attributes".
2019 Apr 12
2
Mail account brute force / harassment
>
> You are running some kind of proxy in front of it.
No proxy. Just sendmail with users using emacs/Rmail or
Webmail/Squirrelmail.
> If you want it to show real client IP, you need to enable forwarding of
> said data. With dovecot it's done by setting
>
> login_trusted_networks = your-upstream-host-or-net
>
> in backend config file.
>
OK I changed it and
2019 May 13
2
dovecot 2.2.36 and wforce
...es from
remote systems to wforce via curl
For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf
> auth_policy_server_url = http://REMOTE_IP:8084/
> auth_policy_hash_nonce = my_random
> auth_policy_server_api_header = Authorization: Basic <BASE64 of
wforce:my_password>
> auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
restarted dovecot without errors, but upon testing via imap I cannot see
just one single tcp packet leaving direction REMOTE_IP on port 8084. It
looks like auth policy is not involved at all.
T...
2019 Apr 12
1
Mail account brute force / harassment
> file that I'm missing?
>
> Can you verify following?
>
> doveconf auth_policy_request_attributes
>
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> On some versions remote is mistakenly %{real_rip} which expands into where
> the connection came from instead of client IP.
>
> I...
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...ginal client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?
---
Aki Tuomi

Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with

`doveconf auth_policy_request_attributes`

---
Aki Tuomi
...
2017 Jan 24
1
Log authentication attempts
On 24.01.2017 00:06, rej ex wrote:
> Because we are building some monitoring application, we will need to
> record all failed and successful login attempts. We need to record
> remote IP, entered password in plain text, and if possible whether auth
> request is for SMTP or IMAP session.
SMTP? Wouldn't that be handled by your MTA, not Dovecot?
Aki Tuomi wrote:
> Since
2018 Jan 26
1
Send full X.509 client certificate to custom authentication policy server
I'm working with Dovecot 2.3 and I'm wondering if I could send the full
X.509 client certificate to my custom authentication policy server.
I'm actually aware that I can send the client certificate validity status
with something like:
auth_policy_request_attributes = ... cert=%{cert}
But I want the full X.509 certificate to be able to decide over the basis
of certificate extensions, e.g. Certificate Policies extension.
Is it currently possible? What about Lua based authentication? Does Lua
currently receive the full client certificate?
--
Jaime Hablutze...
2019 Apr 12
0
Mail account brute force / harassment
...'remote-host' => '###REMOTE ADDRESS###');"
>
> Which I also added previously. But that doesn't address emacs/RMail users.
>
> Could there be a setting in sendmail.mc/cf file that I'm missing?
Can you verify following?
doveconf auth_policy_request_attributes
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP.
If it's wrong just feel free to co...
2019 May 22
2
weakforced: Possible to access the ip address of report/allow?
Hi
I wonder if the information about the origin of report or allow can be
accessed somehow. lt.remote gives the IP of the client trying to login
but is there anything in lt which gives the ip of the system that
connects to wforced?
Thanks and have a good one
--
tobi
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set
>
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
Can this be the Lets Encrypt cert that we already have? In other words we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Can those be used?
> Are you using haproxy or something in front of dovecot?
No. Just Squirrelmail webmail with sendmail.
2016 Dec 02
6
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot
2019 Aug 02
3
auth-policy crashing
...AAAAA context->request == NULL
...so context->result is not null before the call (no 222) to
i_stream_unref but is after.
dovecot.conf has:
auth_policy_server_url = http://policyserver.lan/
auth_policy_server_timeout_msecs = 3000
auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
auth_policy_request_attributes = remote=%{rip}
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
To simplify the problem I used a dummy policy server, in nginx.conf:
location / {
default_type application/json;
return 200 "{\"status\"...
2019 May 22
1
weakforced: Possible to access the ip address of report/allow?
...attrs are set (according to wforce logs), the code above
does not go into if condition. What is the proper way to access the attrs?
Thanks for your help and have a good one
--
tobi
On 22.05.19 at 11:53, Neil Cook wrote:
> From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g.
>
> By default in 2.3.1 this looks like:
>
> login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> But you can add additional parameters:
>
> login=%{requested_username} pwhash=%{hashed_pass...
2019 Mar 28
0
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...lient ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ?
I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?
> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
>
> `doveconf auth_policy_request_attributes`
Yes I've confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed
Mar 28 16:13:36 auth:...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...et
these in /etc/dovecot/conf.d/95-auth.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = our_password
auth_policy_server_api_header = "Authorization: Basic
hash_from_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 8
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
And auth_debug=yes
in /...
2019 Mar 29
1
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...riginal client ip with ID
>>> command. Otherwise dovecot cannot know it. Or you could configure
>>> squirrelmail to use weakforced ?
>
> I see some options
> in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be
> a plugin?
>
>> Also check that auth_policy_request_attributes use %{rip} and not
>> %{real_rip}. You can see this with
>>
>> `doveconf auth_policy_request_attributes`
>
> Yes I've confirmed it matches. Still getting the URL or IP of the
> webmail address as well as errors like SSL handshake to
> ex.ter.na.lip:8084 failed: Connec...
2016 Dec 02
0
CVE-2016-8562 in dovecot
...be more verbose on how to verify if administrators are affected?
# doveconf -n | grep auth_policy_ | wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
....conf
>
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = our_password
> auth_policy_server_api_header = "Authorization: Basic
> hash_from_running_echo-n_base64"
> auth_policy_server_timeout_msecs = 2000
> auth_policy_hash_mech = sha256
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> auth_policy_reject_on_fail = no
> auth_policy_hash_truncate = 8
> auth_policy_check_before_auth = yes
> auth_policy_check_after_auth = yes
> auth_policy_report_after_auth =...
2019 May 13
0
dovecot 2.2.36 and wforce
...l
>
> For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf
>
> > auth_policy_server_url = http://REMOTE_IP:8084/
> > auth_policy_hash_nonce = my_random
> > auth_policy_server_api_header = Authorization: Basic <BASE64 of
> wforce:my_password>
> > auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> restarted dovecot without errors, but upon testing via imap I cannot see
> just one single tcp packet leaving direction REMOTE_IP on port 8084. It
> looks like auth policy i...
2019 May 22
0
weakforced: Possible to access the ip address of report/allow?
From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g.
By default in 2.3.1 this looks like:
login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
But you can add additional parameters:
login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_i...
2019 Aug 06
0
auth-policy crashing
...ext->result is not null before the call (no 222) to
> i_stream_unref but is after.
>
>
>
> dovecot.conf has:
>
> auth_policy_server_url = http://policyserver.lan/
> auth_policy_server_timeout_msecs = 3000
> auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
> auth_policy_request_attributes = remote=%{rip}
> auth_policy_check_before_auth = yes
> auth_policy_check_after_auth = yes
> auth_policy_report_after_auth = yes
>
>
> To simplify the problem I used a dummy policy server, in nginx.conf:
>
>     location / {
>         default_type  application/json;
>...