Displaying 20 results from an estimated 31 matches for "auth_policy_server_api_header".
2017 Aug 02
4
Auth Policy Server/wforce/weakforced
Is there explicit documentation available for the (probably trivial)
configuration needed for Dovecot and Wforce? I'm probably missing
something that should be perfectly obvious...
Wforce appears to start without errors. I added a file to dovecot's conf.d:
95-policy.conf:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = this_is_my_super_secret_something
2019 Mar 07
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-text password? What else am I doing wrong?
Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed
curl -X POST -H "Content-Type: application/jso...
2019 May 13
2
dovecot 2.2.36 and wforce
...orce is latest released from git
repo. Daemon part is working and I can successfully send queries from
remote systems to wforce via curl
For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf
> auth_policy_server_url = http://REMOTE_IP:8084/
> auth_policy_hash_nonce = my_random
> auth_policy_server_api_header = Authorization: Basic <BASE64 of wforce:my_password>
> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
restarted dovecot without errors, but upon testing via imap I cannot see
just one single tcp pake...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
In weakforced you have
webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")
Thus, you make the base64 blob as
~$ echo -n wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE | base64
d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=
And in dovecot you put
auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=
Aki
> On 7 March 2019 16:41 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
>
>
> So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-t...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
I took suggestions from https://forge.puppet.com/fraenki/wforce to set
these in /etc/dovecot/conf.d/95-auth.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = our_password
auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fai...
2017 Aug 04
0
Auth Policy Server/wforce/weakforced
...")
>>>
>>> Do I need to change the "--WEBPWD"? Do I need to specify something
>>> in the Dovecot config?
>> You could try putting an actual password, in plain text, where
>> --WEBPWD is. Then add that base64 encoded to dovecot setting
>> auth_policy_server_api_header.
>>
> I knew it would be something like that. I've made some changes but
> I'm still not there. I presently have:
>
> webserver("0.0.0.0:8084", "--WEBPWD ultra-secret-secure-safe")
> in wforce.conf (and I've tried with and without the --WEBPWD...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
wforce is the username always.
auth_policy_hash_nonce should be set to a pseudorandom value that is
shared by your server(s). Weakforced does not need it for anything.
auth_policy_server_api_header should be set to Authorization: Basic
<echo -n wforce:our_password | base64>
without the < >.
Aki
On 6.3.2019 20.42, Robert Kudyba via dovecot wrote:
> I took suggestions from https://forge.puppet.com/fraenki/wforce to set
> these in /etc/dovecot/conf.d/95-auth.conf
>
> a...
2019 Jan 16
2
Dovecot + Weakforced Policy server
Hi Aki,
I've configured in this way:
vm-weakforced:~# printf 'wforce:super' | base64
d2ZvcmNlOnN1cGVy
vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy
With the same result...
> WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed
WforceWebserver: HTTP Request "...
2016 Dec 02
6
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot
2019 Jan 16
0
Dovecot + Weakforced Policy server
...> I've configured in this way:
>
> vm-weakforced:~# printf 'wforce:super' | base64
> d2ZvcmNlOnN1cGVy
>
> vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = some random string
> auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy
>
> With the same result...
>
> > WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed
> WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed...
2020 Feb 17
1
Shared Mailboxes with Multiple Domains
...n 0.5.9 (db4e9a2f)
># OS: Linux 5.3.0-28-generic x86_64 Ubuntu 18.04.4 LTS
># Hostname: bubba.amfes.lan
>auth_cache_size = 4 k
>auth_master_user_separator = *
>auth_mechanisms = plain login
>auth_policy_hash_nonce = # hidden, use -P to show it
>auth_policy_hash_truncate = 8
>auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ
>default_login_user = nobody
>default_vsz_limit = 2 G
>disable_plaintext_auth = no
>imap_client_workarounds = tb-extra-mailbox-sep
>imap_idle_notify_interval = 29 mins
>listen = *
>login_trusted_networks = 192.16...
2016 Dec 02
0
CVE-2016-8562 in dovecot
...| wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
2017 Aug 03
0
Auth Policy Server/wforce/weakforced
...> webserver("0.0.0.0:8084", "--WEBPWD")
>
> Do I need to change the "--WEBPWD"? Do I need to specify something in the Dovecot config?
You could try putting an actual password, in plain text, where --WEBPWD is. Then add that base64 encoded to dovecot setting auth_policy_server_api_header.
hope this helps,
Teemu
2019 May 13
0
dovecot 2.2.36 and wforce
...po. Daemon part is working and I can successfully send queries from
> remote systems to wforce via curl
>
> For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf
>
> > auth_policy_server_url = http://REMOTE_IP:8084/
> > auth_policy_hash_nonce = my_random
> > auth_policy_server_api_header = Authorization: Basic <BASE64 of wforce:my_password>
> > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> restarted dovecot without errors, but upon testing via imap I cannot see...
2019 Jan 16
2
Dovecot + Weakforced Policy server
Hi,
I'm trying to set Weakforced with Dovecot and I cannot log in policy
server. This is the config:
/root/weakforced/wforce/wforce.conf
-----------------------------------
...
webserver("0.0.0.0:8084", "super")
...
/etc/dovecot/conf.d/95-policy.conf
----------------------------------
auth_policy_server_url = http://localhost:8084/
#auth_policy_hash_nonce = wforce:super
2020 Jul 16
0
Variable expansion in passwords
...entOS release 6.10 (Final)
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s attrs/local_ip=%{lip}
auth_policy_server_api_header = Authorization: Basic asdfasdfasdf
auth_policy_server_url = http://wforce.example.com:8084/
auth_verbose = yes
auth_verbose_passwords = sha1
default_client_limit = 6000
default_vsz_limit = 2 G
dict {
acl = mysql:/etc/dovecot/dovecot-dict-shares.conf
quotadict = mysql:/etc/dovecot/dovecot-dict-...
2020 Feb 13
0
Shared Mailboxes with Multiple Domains
...dovecot.conf
# Pigeonhole version 0.5.9 (db4e9a2f)
# OS: Linux 5.3.0-28-generic x86_64 Ubuntu 18.04.4 LTS
# Hostname: bubba.amfes.lan
auth_cache_size = 4 k
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_hash_truncate = 8
auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ
default_login_user = nobody
default_vsz_limit = 2 G
disable_plaintext_auth = no
imap_client_workarounds = tb-extra-mailbox-sep
imap_idle_notify_interval = 29 mins
listen = *
login_trusted_networks = 192.168.0.0/24
mail_attachment_ha...
2019 Jan 16
0
Dovecot + Weakforced Policy server
Hi!
You configure it like this:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU="
the authorization blob is basically
printf 'wforce:super' | base64
Aki
> On 16 January 2019 at 10:06 alberto bersol <alberto at bersol.info> wrote:
>
>
> Hi,
> I'm trying to set Weakforced with Do...
2017 Jun 23
1
acl shared maildir with virtual users
...olicy_hash_nonce = 78204771
auth_policy_hash_truncate = 64
auth_policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport}
auth_policy_server_api_header = X-API-Key:dovecot:xxxxxxxxxxxx
auth_policy_server_timeout_msecs = 3000
auth_policy_server_url = http://127.0.0.1:579/dovecot-auth-policy
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$-=?^_{}~./@+%"
auth_verbose = yes
dict {
acl = sqlite:/usr/l...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.
I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy
I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string
But when I