search for: auth_policy_request_attributes

> > You are running some kind of proxy in front of it. No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > If you want it to show real client IP, you need to enable forwarding of > said data. With dovecot it's done by setting > > login_trusted_networks = your-upstream-host-or-net > > in backend config file. > OK I changed it and

...es from remote systems to wforce via curl For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf > auth_policy_server_url = http://REMOTE_IP:8084/ > auth_policy_hash_nonce = my_random > auth_policy_server_api_header = Authorization: Basic <BASE64 of wforce:my_password> > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s restarted dovecot without errors, but upon testing via imap I cannot see just one single tcp paket leaving direction REMOTE_IP on port 8084. It looks like auth policy in not involved at all. T...

...ICaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=CsaMqvBelGXz-_ClT0RDzwqz0tH3cTGNItJktQeULLs&s=JnUd5ej3Twniz2q3fiWUrV_qOFlAwvFHquFjfgsoQJ0&e=) > file that I'm missing? > > Can you verify following? > > doveconf auth_policy_request_attributes > > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > On some versions remote is mistakenly %{real_rip} which expands into where > the connection came from instead of client IP. > > I...

...ginal client ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ? </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </blockquote> <div> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with </div> <div> <br> </div> <div> `doveconf auth_policy_request_attributes` </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </bo...

On 24.01.2017 00:06, rej ex wrote: > Because we are building some monitoring application, we will need to > record all failed and successful login attempts. We need to record > remote IP, entered password in plain text, and if possible whether auth > request is for SMTP or IMAP session. SMTP? Wouldn't that be handled by your MTA, not Dovecot? AKi Tuomi wrote: > Since

I'm working with Dovecot 2.3 and I'm wondering if I could send the full X.509 client certificate to my custom authentication policy server. I'm actually aware that I can send the client certificate validity status with something like: auth_policy_request_attributes = ... cert=%{cert} But I want the full X.509 certificate to be able to decide over the basis of certificate extensions, e.g. Certificate Policies extension. Is it currently possible?, what about Lua based authentication?, does Lua currently receive the full client certificate?. -- Jaime Hablutze...

...'remote-host' => '###REMOTE ADDRESS###');" > > Which I also added previously. But that doesn't address emacs/RMail users. > > Could there be a setting in sendmail.mc/cf (http://sendmail.mc/cf) file that I'm missing? Can you verify following? doveconf auth_policy_request_attributes auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP. If it's wrong just feel free to co...

Hi I wonder if the information about the origin of report or allow can be accessed somehow. lt.remote gives the IP of the client trying to login but is there anything in lt which gives the ip of the system that connects to wforced? Thanks and have a good one -- tobi

> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificate Can this be the Lets Encrypt cert that we already have? In other words we have: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem Can those be used? > Are you using haproxy or something in front of dovecot? No. Just Squirrelmail webmail with sendmail.

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot

...AAAAA context->request == NULL ...so context->result is not null before the call (no 222) to i_stream_unref but is after. dovecot.conf has: auth_policy_server_url = http://policyserver.lan/ auth_policy_server_timeout_msecs = 3000 auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia auth_policy_request_attributes = remote=%{rip} auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes To simplify the problem I used a dummy policy server, in nginx.conf: location / { default_type application/json; return 200 "{\"status\&quo...

...attrs are set (according to wforce logs), the code above does not go into if condition. What is the proper way to access the attrs? Thanks for your help and have a good one -- tobi Am 22.05.19 um 11:53 schrieb Neil Cook: > From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g. > > By default in 2.3.1 this looks like: > > login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > But you can add additional parameters: > > login=%{requested_username} pwhash=%{hashed_pass...

...lient ip with ID command. Otherwise dovecot cannot know it. Or you could configure squirrelmail to use weakforced ? I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3 <http://squirrelmail.org/docs/admin/admin-5.html#ss5.3>. Would it be a plugin? > Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with > > `doveconf auth_policy_request_attributes` Yes I?ve confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed Mar 28 16:13:36 auth:...

...et these in /etc/dovecot/conf.d/95-auth.conf auth_policy_server_url = http://localhost:8084/ auth_policy_hash_nonce = our_password auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64" auth_policy_server_timeout_msecs = 2000 auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /...

...riginal client ip with ID >>> command. Otherwise dovecot cannot know it. Or you could configure >>> squirrelmail to use weakforced ? > > I see some options > in?http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be > a plugin? > >> Also check that auth_policy_request_attributes use %{rip} and not >> %{real_rip}. You can see this with? >> >> `doveconf auth_policy_request_attributes` > > Yes I?ve confirmed it matches. Still getting the URL or IP of the > webmail address as well as errors like?SSL handshake to > ex.ter.na.lip:8084 failed: Connec...

...be more verbose on how to verify if administrators are affected? # doveconf -n | grep auth_policy_ | wc -l 0 but there /are/ default settings: # doveconf -d | grep auth_policy_ auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = Is such setup vulnerable? Thanks for clarification, Andreas

....conf > > auth_policy_server_url = http://localhost:8084/ > auth_policy_hash_nonce = our_password > auth_policy_server_api_header = "Authorization: Basic > hash_from_running_echo-n_base64" > auth_policy_server_timeout_msecs = 2000 > auth_policy_hash_mech = sha256 > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > auth_policy_reject_on_fail = no > auth_policy_hash_truncate = 8 > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth =...

...l > > For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf > > > auth_policy_server_url = http://REMOTE_IP:8084/ > > auth_policy_hash_nonce = my_random > > auth_policy_server_api_header = Authorization: Basic <BASE64 of > wforce:my_password> > > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > restarted dovecot without errors, but upon testing via imap I cannot see > just one single tcp paket leaving direction REMOTE_IP on port 8084. It > looks like auth policy i...

From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g. By default in 2.3.1 this looks like: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s But you can add additional parameters: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_i...

...ext->result is not null before the call (no 222) to > i_stream_unref but is after. > > > > dovecot.conf has: > > auth_policy_server_url = http://policyserver.lan/ > auth_policy_server_timeout_msecs = 3000 > auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia > auth_policy_request_attributes = remote=%{rip} > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > > To simplify the problem I used a dummy policy server, in nginx.conf: > > ??? location / { > ??????? default_type? application/json; >...