Displaying 20 results from an estimated 25 matches for "auth_policy_server_timeout_msecs".
2016 Dec 02
6
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot
2019 Aug 02
3
auth-policy crashing
...ULL
Aug 1 14:25:44 mailhost dovecot: [ID 702911 mail.error] auth: Error:
AAAAAAAAAAAAAAAAAAAAAAAAAAAA context->request == NULL
...so context->result is not null before the call (no 222) to
i_stream_unref but is after.
dovecot.conf has:
auth_policy_server_url = http://policyserver.lan/
auth_policy_server_timeout_msecs = 3000
auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
auth_policy_request_attributes = remote=%{rip}
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
To simplify the problem I used a dummy policy server, in nginx.conf:
loc...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
I took suggestions from https://forge.puppet.com/fraenki/wforce to set
these in /etc/dovecot/conf.d/95-auth.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = our_password
auth_policy_server_api_header = "Authorization: Basic
hash_from_running_echo-n_base64"
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 8
auth_policy_check_before_auth = yes
auth_policy_check_after_aut...
2020 Aug 19
3
sieve_max_script_size is ignored
...# OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
# Hostname: mail.xxx.xxx
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_id_log = *
imap_id_retain = yes
login_trusted_networ...
2016 Dec 02
0
CVE-2016-8562 in dovecot
...t settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
.../forge.puppet.com/fraenki/wforce to set
> these in /etc/dovecot/conf.d/95-auth.conf
>
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = our_password
> auth_policy_server_api_header = "Authorization: Basic
> hash_from_running_echo-n_base64"
> auth_policy_server_timeout_msecs = 2000
> auth_policy_hash_mech = sha256
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> auth_policy_reject_on_fail = no
> auth_policy_hash_truncate = 8
> auth_policy_check_before_auth = y...
2019 Aug 06
0
auth-policy crashing
...mail.error] auth: Error:
> AAAAAAAAAAAAAAAAAAAAAAAAAAAA context->request == NULL
>
> ...so context->result is not null before the call (no 222) to
> i_stream_unref but is after.
>
>
>
> dovecot.conf has:
>
> auth_policy_server_url = http://policyserver.lan/
> auth_policy_server_timeout_msecs = 3000
> auth_policy_hash_nonce = Ohr9phaeSeip2Pahaez2raiGohxoo5Ia
> auth_policy_request_attributes = remote=%{rip}
> auth_policy_check_before_auth = yes
> auth_policy_check_after_auth = yes
> auth_policy_report_after_auth = yes
>
>
> To simplify the problem I used a dummy p...
2020 Aug 19
1
sieve_max_script_size is ignored
...>> auth_cache_size = 2 M
>> auth_cache_ttl = 5 mins
>> auth_master_user_separator = *
>> auth_mechanisms = plain login
>> auth_policy_check_before_auth = no
>> auth_policy_hash_nonce = # hidden, use -P to show it
>> auth_policy_report_after_auth = no
>> auth_policy_server_timeout_msecs = 1500
>> auth_policy_server_url = http://127.0.0.1:8090/
>> dict {
>>   acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
>>   quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
>> }
>> disable_plaintext_auth = no
>> imap_client_workarounds = delay-new...
2019 Mar 07
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
...tR3lLNo4tOL1ry_m7-psV3GejY&m=OdVERjXdNFh0nr4Sn_EL0pio02hSWKYsRcpA5NmR8nU&s=YEAX-1mfN9XUpDzQodxttfHSxnGmta5U9z28_89oxV8&e=>
>> auth_policy_hash_nonce = our_password
>> auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
>> auth_policy_server_timeout_msecs = 2000
>> auth_policy_hash_mech = sha256
>> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>> auth_policy_reject_on_fail = no
>> auth_policy_hash_truncate = 8
>> auth_policy_check_...
2020 Aug 19
0
sieve_max_script_size is ignored
...> # Hostname: mail.xxx.xxx
> auth_cache_size = 2 M
> auth_cache_ttl = 5 mins
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_policy_check_before_auth = no
> auth_policy_hash_nonce = # hidden, use -P to show it
> auth_policy_report_after_auth = no
> auth_policy_server_timeout_msecs = 1500
> auth_policy_server_url = http://127.0.0.1:8090/
> dict {
> acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
> quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
> }
> disable_plaintext_auth = no
> imap_client_workarounds = delay-newmail
> imap_id_log = *
>...
2019 Mar 07
0
how to enable PowerDNS/Weakforced with Fedora and sendmail
...cpA5NmR8nU&s=YEAX-1mfN9XUpDzQodxttfHSxnGmta5U9z28_89oxV8&e=)
> > >
> > > auth_policy_hash_nonce = our_password
> > >
> > > auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
> > >
> > > auth_policy_server_timeout_msecs = 2000
> > >
> > > auth_policy_hash_mech = sha256
> > >
> > > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> > >
> > > auth_policy_reject_on_fail =...
2020 May 31
1
auth_policy_server vs client_id and x-originating-ip
...Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
  acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
imap_id_log = *
imap_id_r...
2017 Jun 23
1
acl shared maildir with virtual users
..._policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport}
auth_policy_server_api_header = X-API-Key:dovecot:xxxxxxxxxxxx
auth_policy_server_timeout_msecs = 3000
auth_policy_server_url = http://127.0.0.1:579/dovecot-auth-policy
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$-=?^_{}~./@+%"
auth_verbose = yes
dict {
acl = sqlite:/usr/local/cpanel/etc/dovecot/dovecot-dict-shares.conf.ext
expire = sq...
2019 Mar 06
2
how to enable PowerDNS/Weakforced with Fedora and sendmail
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.
I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy
I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string
But when I
2020 Sep 07
2
Btrfs RAID-10 performance
...aster_user_separator =
auth_mechanisms = plain
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username}
pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_use...
2020 Sep 07
0
Btrfs RAID-10 performance
...aster_user_separator =
auth_mechanisms = plain
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username}
pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_use...
2020 Jul 03
0
Quota: How/where to set/change
...olicy_hash_truncate = 12
| auth_policy_log_only = no
| auth_policy_reject_on_fail = no
| auth_policy_report_after_auth = yes
| auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
| auth_policy_server_api_header =
| auth_policy_server_timeout_msecs = 2000
| auth_policy_server_url =
| auth_proxy_self =
| auth_realms =
| auth_socket_path = auth-userdb
| auth_ssl_require_client_cert = no
| auth_ssl_username_from_cert = no
| auth_stats = no
| auth_use_winbind = no
| auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123...
2020 Nov 10
3
SSL alert number 42
...ha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_report_after_auth = yes
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_u...
2020 Aug 25
2
zlib errors after upgrading
> On 25/08/2020 14:35 Robert Nowotny <rnowotny at rotek.at> wrote:
>
>
> I get ZLIB Errors after dovecot upgrade from 2.3.10.1 to 2.3.11.3
>
>
> Aug 21 15:27:34 lxc-imap dovecot: imap(acsida)<63870><jZk...>: Error: Mailbox Sent: UID=40826: read(zlib(/home/vmail/virtualmailboxes/acsida/storage/m.2409)) failed:
2019 Mar 30
3
Trying to track down source of duplicate messages
...once =
auth_policy_hash_truncate = 12
auth_policy_log_only = no
auth_policy_reject_on_fail = no
auth_policy_report_after_auth = yes
auth_policy_request_attributes = login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id}
protocol=%s
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_user...