search for: pwhash

...else am I doing wrong? Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed curl -X POST -H "Content-Type: application/json" --data '{"login?:?ouruser?, "remote": "127.0.0.1", "pwhash?:?hashed-password?}? http://127.0.0.1:8084/?command=allow -u wforce:super {"status":"failure", "reason":"Unauthorized"} Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth Mar 07 09:32:15 auth-worker(18933): De...

...ver_url = http://localhost:8084/ auth_policy_hash_nonce = our_password auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64" auth_policy_server_timeout_msecs = 2000 auth_policy_hash_mech = sha256 auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s auth_policy_reject_on_fail = no auth_policy_hash_truncate = 8 auth_policy_check_before_auth = yes auth_policy_check_after_auth = yes auth_policy_report_after_auth = yes And auth_debug=yes in /usr/local/etc/wforce.conf webserver(&...

...; OK I changed it and restarted wforce and dovecot. Still seeing this: Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > For webmails, this requires both login_trusted_networks and also support > from the webmail software to forward client IP. > I did get a reply...

Hi I wonder if the information about the origin of report or allow can be accessed somehow. lt.remote gives the IP of the client trying to login but is there anything in lt which gives the ip of the system that connects to wforced? Thanks and have a good one -- tobi

...ng? > > Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed > > curl -X POST -H "Content-Type: application/json" --data '{"login?:?ouruser?, "remote": "127.0.0.1", "pwhash?:?hashed-password?}? http://127.0.0.1:8084/?command=allow -u wforce:super > {"status":"failure", "reason":"Unauthorized"} > > > Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth > Mar 07 09:32:...

...igured in /etc/dovecot/conf.d/95-wforce.conf > auth_policy_server_url = http://REMOTE_IP:8084/ > auth_policy_hash_nonce = my_random > auth_policy_server_api_header = Authorization: Basic <BASE64 of wforce:my_password> > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s restarted dovecot without errors, but upon testing via imap I cannot see just one single tcp paket leaving direction REMOTE_IP on port 8084. It looks like auth policy in not involved at all. Thanks for any idea tobi

...started wforce and dovecot. Still seeing this: > > Apr 12 14:38:55 auth: Debug: > policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: > {"device_id":"","login":" > ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > > > > > For webmails, this requires both login_trusted_networks and also > support from the webmail software to forward client IP. >...

...ur help and have a good one -- tobi Am 22.05.19 um 11:53 schrieb Neil Cook: > From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g. > > By default in 2.3.1 this looks like: > > login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > > But you can add additional parameters: > > login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s attrs/local_ip=%{lip} > > The above will add the local dovec...

...ay 31 14:20:58 mail auth-policy[10357]: { May 31 14:20:58 mail auth-policy[10357]:?? device_id: '', May 31 14:20:58 mail auth-policy[10357]:?? login: 'xxx at example.xxx', May 31 14:20:58 mail auth-policy[10357]:?? protocol: 'imap', May 31 14:20:58 mail auth-policy[10357]:?? pwhash: '097a', May 31 14:20:58 mail auth-policy[10357]:?? remote: '1.2.3.4', May 31 14:20:58 mail auth-policy[10357]:?? tls: true May 31 14:20:58 mail auth-policy[10357]: } However in some cases I see that client_id is passed to auth_policy_server: May 31 14:27:41 mail auth-policy[1035...

...shows as 127.0.0.1, so I risk banning myself. Here's the log entry: Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} I've tried setting auth_policy_server_url to examples such as: - auth_policy_server_url = http://localhost:8084/ - auth_policy_server_url = http...

...t; auth_policy_hash_nonce = our_password > auth_policy_server_api_header = "Authorization: Basic > hash_from_running_echo-n_base64" > auth_policy_server_timeout_msecs = 2000 > auth_policy_hash_mech = sha256 > auth_policy_request_attributes = login=%{requested_username} > pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s > auth_policy_reject_on_fail = no > auth_policy_hash_truncate = 8 > auth_policy_check_before_auth = yes > auth_policy_check_after_auth = yes > auth_policy_report_after_auth = yes > > And auth_debug=yes > &gt...

...I changed it and restarted wforce and dovecot. Still seeing this: > Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > > > For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP. > > I did ge...

From dovecot, you can add any additional attributes you like using the auth_policy_request_attributes configuration setting, e.g. By default in 2.3.1 this looks like: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s But you can add additional parameters: login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s attrs/local_ip=%{lip} The above will add the local dovecot IP address to the attrs, wh...

...userdb sql { args = /etc/dovecot-sql.conf } user = root count = 1 } ==================== /etc/dovecot-sql.conf ==================== driver = mysql connect = host=/var/lib/mysql/mysql.sock dbname=(DB) user=(DBUSER) password=(DBPWD) default_pass_scheme = CRYPT password_query = SELECT pwhash AS password, user FROM mail_mailboxes WHERE (user = '%n' AND active = 'Y' AND (type != 'smtp') AND (type = 'imap' OR '%s' = 'pop3')) OR (mainuser = '%n' AND user = CONCAT('%n','mail0') AND (type != 'smtp') AND (type =...

We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_server_url = http://example.com:4001/ auth_policy_hash_nonce = localized_random_string But when I

We are sorry to report that we have a bug in dovecot, which merits a CVE. See details below. If you haven't configured any auth_policy_* settings you are ok. This is fixed with https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae and https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc Important vulnerability in Dovecot

...>): > Policy request https://ourdomain:8084/?command=report > Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): > Policy server request JSON: > {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > Well, as I said, it's up to squirrelmail to actually provide the real client IP. Otherwise dovecot cannot know it. You can try turning on imap raw...

...affected? # doveconf -n | grep auth_policy_ | wc -l 0 but there /are/ default settings: # doveconf -d | grep auth_policy_ auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url = Is such setup vulnerable? Thanks for clarification, Andreas

On 24.01.2017 00:06, rej ex wrote: > Because we are building some monitoring application, we will need to > record all failed and successful login attempts. We need to record > remote IP, entered password in plain text, and if possible whether auth > request is for SMTP or IMAP session. SMTP? Wouldn't that be handled by your MTA, not Dovecot? AKi Tuomi wrote: > Since

...s as 127.0.0.1, so I risk banning myself. Here's the log entry: > Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,<OWoLzlWGDrh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false} > > I've tried setting?auth_policy_server_url to examples such as: > * auth_policy_server_url = http://localhost:8084/ > * auth_policy_...