search for: auth_policy_server_url

...t JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} I've tried setting auth_policy_server_url to examples such as: - auth_policy_server_url = http://localhost:8084/ - auth_policy_server_url = http://0.0.0.0:8084/ - auth_policy_server_url = https://ourdomain.edu:8084/ in the custom config file for wforce and the rip (reporting IP, e.g., Apr 12 10:06:10 auth: Debug: client in: AUTH...

When using Auth policy server it doesn?t currently doesn?t support https. In version 2.2.27: Policy server HTTP error: 9002 Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) and in version 2.3.devel Policy server HTTP error: 9002 Requested https connection, but no SSL settings given dovecot.conf does have

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 21:52 Robert Kudyba <rkudyba@fordham.edu> wrote: </div> <div> <br> </div> <div> <br>

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 16:08 Robert Kudyba via dovecot <dovecot@dovecot.org> wrote: </div> <div> <br> </div> <div>

...quot;device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > > I've tried setting?auth_policy_server_url to examples such as: > * auth_policy_server_url = http://localhost:8084/ > * auth_policy_server_url = http://0.0.0.0:8084/ > * auth_policy_server_url = https://ourdomain.edu:8084/ > in the custom config file for wforce and the rip (reporting IP, e.g., Apr 12 10:06:10 auth: Debug:...

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I search for these directives, they're not found: grep auth_policy_server_url /etc/dovecot/conf.d/* Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does anyone know if a good tutorial? ---...

> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificate Can this be the Lets Encrypt cert that we already have? In other words we have: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem Can those be used? > Are you using haproxy or something in front of dovecot? No. Just Squirrelmail webmail with sendmail.

dovecot-2.3.3-1.fc29.x86_64 Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 (http_client_request_unref): assertion failed: (req->refcount > 0) Mar 28 10:04:47 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> /usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> /usr/lib64/dovecot/libdovecot.so.0(+0x51207)

Is there explicit documentation available for the (probably trivial) configuration needed for Dovecot and Wforce? I'm probably missing something that should be perfectly obvious... Wforce appears to start without errors. I added a file to dovecot's conf.d: 95-policy.conf: auth_policy_server_url = http://localhost:8084/ auth_policy_hash_nonce = this_is_my_super_secret_something Looking at the Wforce console I see: WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication failed In wforce.conf I have the (default): webserver("0.0.0.0:8084", "--...

...1px;">/etc/dovecot/conf.d/95-auth.conf</span> <span class="" style="font-family: Menlo; font-size: 11px;"> in our case:</span> <div class=""> <span class="" style="font-family: Menlo; font-size: 11px;">auth_policy_server_url = </span> <a class="" style="font-family: Menlo; font-size: 11px;" href="https://dsm.dsm.fordham.edu:8084/"><span class="" style="-webkit-font-kerning: none; color: #3586ff;">https://ourdomain:8084/</span></a> &...

>>>> Set >>>> >>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate >>> >>> Can this be the Lets Encrypt cert that we already have? In other words we have: >>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem >>> ssl_key = </etc/pki/dovecot/private/dovecot.pem >>> >>> Can those be

...p3 >> > Hi, > > this is a known issue as DOV-3019 and we are fixing this. It happens during auth process shutdown if there are pending requests. Another issue is that the dovecot logs always report the offending URL or IP as what?s in /etc/dovecot/conf.d/95-auth.conf in our case: auth_policy_server_url = https://ourdomain:8084/ <https://dsm.dsm.fordham.edu:8084/> These are HTTP errors in the logs: Mar 28 09:58:04 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=lmNw8SeFoMl/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=51616 resp=<hidden> Mar 28 09:58:04 auth: Deb...

...setup dovecot 2.2.36 on a Centos6 to communicate with a wforce daemon on the remote side. wforce is latest released from git repo. Daemon part is working and I can successfully send queries from remote systems to wforce via curl For dovecot I configured in /etc/dovecot/conf.d/95-wforce.conf > auth_policy_server_url = http://REMOTE_IP:8084/ > auth_policy_hash_nonce = my_random > auth_policy_server_api_header = Authorization: Basic <BASE64 of wforce:my_password> > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%...

...forced lately. There are cases (IP ranges, so could be wrapped up in remote {} blocks) where it'd be nice to skip the auth policy (internal hosts that I can trust, but that are hitting the same servers as the outside world). Is there any way to disable auth policy, possibly inside a remote{}? auth_policy_server_url complains that it can't be used inside a remote block, so no dice there. Anything I'm missing?

On 11/04/2019 11:43, Marc Roos via dovecot wrote: > A. With the fail2ban solution > - you 'solve' that the current ip is not able to access you It is only a solution if there are subsequent attempts from the same address. I currently have several thousand addresses blocked due to dovecot login failures. My firewall is set to log these so I can see that few repeat, those

On 28.3.2019 22.34, Robert Kudyba via dovecot wrote: >>>>> Set >>>>> >>>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate? >>>> >>>> Can this be the Lets Encrypt cert that we already have? In other >>>> words we have: >>>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem

Hi Aki, I've configured in this way: vm-weakforced:~# printf 'wforce:super' | base64 d2ZvcmNlOnN1cGVy vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf auth_policy_server_url = http://localhost:8084/ auth_policy_hash_nonce = some random string auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy With the same result... > WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web Authentication failed WforceWebserver: HTTP Request...

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 28 March 2019 22:02 Aki Tuomi via dovecot <dovecot@dovecot.org> wrote: </div> <div> <br> </div> <div> <br>

...up in remote {} blocks) where > > it'd be nice to skip the auth policy (internal hosts that I can trust, > but > > that are hitting the same servers as the outside world). > > > > Is there any way to disable auth policy, possibly inside a remote{}? > > > > auth_policy_server_url complains that it can't be used inside a remote > > block, so no dice there. Anything I'm missing? > > From my config: > ``` > allowed_subnets=newNetmaskGroup() > allowed_subnets:addMask('fe80::/64') > allowed_subnets:addMask('127.0.0.0/8') >...