Displaying 20 results from an estimated 24 matches for "real_rip".
2012 Oct 16
2
real_rip variable addition for dovecot 2.1.10
...notice that pop3-proxy is doing a
different xsession than the imap proxy. Is there an xsession standard
that is different between the two, or just an oversight in the code?
Both send the remote address/port, but only imap proxy sends the local
address/port.
This patch declares long variable %{real_rip} so that a backend server
can declare a different login_log_format_elements
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l
pip=%{real_rip} mpid=%e %c
This is primarily useful for backend servers to log both the rip, lip,
and in case of xsession, the real rip. I haven't...
2017 Jan 31
0
Auth cache does not take %real_rip into account
I run a Director setup with a webmail in front, the webmail is in
login_trusted_networks and sends IMAP-ID x-original-ip to log the client
IP.
If I enable auth_debug on the director, I see that the cache key
contains the client IP, and not the %real_rip.
This is causing problems because in my passdb SQL query, I use the
%real_rip to determine if login is allowed.
Should %real_rip not be added to the auth cache key? Or should it be the
cache key instead of the %rip?
Thanks
--
Tom
2019 Apr 12
2
Mail account brute force / harassment
>
> You are running some kind of proxy in front of it.
No proxy. Just sendmail with users using emacs/Rmail or
Webmail/Squirrelmail.
> If you want it to show real client IP, you need to enable forwarding of
> said data. With dovecot it's done by setting
>
> login_trusted_networks = your-upstream-host-or-net
>
> in backend config file.
>
OK I changed it and
2016 Dec 02
6
CVE-2016-8562 in dovecot
We are sorry to report that we have a bug in dovecot, which merits a
CVE. See details below. If you haven't configured any auth_policy_*
settings you are ok. This is fixed with
https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
and
https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
Important vulnerability in Dovecot
2019 Apr 12
1
Mail account brute force / harassment
...'m missing?
>
> Can you verify following?
>
> doveconf auth_policy_request_attributes
>
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> On some versions remote is mistakenly %{real_rip} which expands into where
> the connection came from instead of client IP.
>
> If it's wrong just feel free to copypaste the setting above into dovecot
> config.
>
Verified. I believe you told me that on the other thread and I made that
change a while back.
-------------- next p...
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...annot know it. Or you could configure squirrelmail to use weakforced ?
---
Aki Tuomi
Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
`doveconf auth_policy_request_attributes`
---
Aki Tuomi
2016 Dec 02
0
CVE-2016-8562 in dovecot
...h_policy_ | wc -l
0
but there /are/ default settings:
# doveconf -d | grep auth_policy_
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification,
Andreas
2017 Jan 24
1
Log authentication attempts
On 24.01.2017 00:06, rej ex wrote:
> Because we are building some monitoring application, we will need to
> record all failed and successful login attempts. We need to record
> remote IP, entered password in plain text, and if possible whether auth
> request is for SMTP or IMAP session.
SMTP? Wouldn't that be handled by your MTA, not Dovecot?
Aki Tuomi wrote:
> Since
2019 Apr 12
0
Mail account brute force / harassment
...f (http://sendmail.mc/cf) file that I'm missing?
Can you verify following?
doveconf auth_policy_request_attributes
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP.
If it's wrong just feel free to copypaste the setting above into dovecot config.
Aki
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set
>
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
Can this be the Lets Encrypt cert that we already have? In other words we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Can those be used?
> Are you using haproxy or something in front of dovecot?
No. Just Squirrelmail webmail with sendmail.
2015 Mar 23
0
v2.2.16 released
...erbose = yes
auth_verbose_passwords = plain
dict {
expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
login_greeting = Dovecot ready
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l
pip=%{real_rip} mpid=%e %c session=<%{session}>
mail_gid = vmail
mail_location = /nowhere
mail_plugins = quota expire listescape
mail_uid = vmail
managesieve_sieve_capability = fileinto envelope encoded-character
subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables mail...
2014 Feb 03
1
POP3: Message ordering changed unexpectedly
...dict {
expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
imapc_features = rfc822.size fetch-headers
login_greeting = Dovecot ready
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l
pip=%{real_rip} mpid=%e %c session=<%{session}>
login_trusted_networks = xx.xx.xx.2
mail_gid = vmail
mail_location = /nowhere
mail_plugins = quota expire listescape
mail_uid = vmail
managesieve_sieve_capability = fileinto envelope encoded-character
subaddress comparator-i;ascii-numeric relational regex ima...
2017 Jun 23
1
acl shared maildir with virtual users
...uth_policy_hash_mech = sha512
auth_policy_hash_nonce = 78204771
auth_policy_hash_truncate = 64
auth_policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport}
auth_policy_server_api_header = X-API-Key:dovecot:xxxxxxxxxxxx
auth_policy_server_timeout_msecs = 3000
auth_policy_server_url = http://127.0.0.1:579/dovecot-auth-policy
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$-=?^_{}~./...
2019 Mar 28
0
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...now it. Or you could configure squirrelmail to use weakforced ?
I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?
> Also check that auth_policy_request_attributes use %{rip} and not %{real_rip}. You can see this with
>
> `doveconf auth_policy_request_attributes`
Yes I've confirmed it matches. Still getting the URL or IP of the webmail address as well as errors like SSL handshake to ex.ter.na.lip:8084 failed: Connection closed
Mar 28 16:13:36 auth: Debug: http-client[1]: queue h...
2019 Mar 29
1
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
...ecot cannot know it. Or you could configure
>>> squirrelmail to use weakforced ?
>
> I see some options
> in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be
> a plugin?
>
>> Also check that auth_policy_request_attributes use %{rip} and not
>> %{real_rip}. You can see this with
>>
>> `doveconf auth_policy_request_attributes`
>
> Yes I've confirmed it matches. Still getting the URL or IP of the
> webmail address as well as errors like SSL handshake to
> ex.ter.na.lip:8084 failed: Connection closed
>
> Mar 28 16:13:36 a...
2015 Jul 29
2
charset-iconv.c panic
...mechanisms = plain login
base_dir = /services/dovecot1/var/run
default_client_limit = 10240
default_login_user = dovecot
dict {
quotadict = mysql:/services/dovecot1/etc/quota.conf
}
disable_plaintext_auth = no
log_path =
login_log_format_elements = user=%u session=%{session} mpid=%e rip=%r
rrip=%{real_rip}
mail_location = mdbox:~/mails
mail_log_prefix = "store107: %s(%u): %{session}: "
mail_max_userip_connections = 0
mail_plugins = quota virtual fts fts_solr notify mail_log
mailbox_list_index = yes
mdbox_rotate_size = 256 k
mmap_disable = yes
namespace inbox {
inbox = yes
location =...
2015 Jun 16
1
Imap process crashes when search in virtual mailbox
...mechanisms = plain login
base_dir = /services/dovecot1/var/run
default_client_limit = 10240
default_login_user = dovecot
dict {
quotadict = mysql:/services/dovecot1/etc/quota.conf
}
disable_plaintext_auth = no
log_path =
login_log_format_elements = user=%u session=%{session} mpid=%e rip=%r
rrip=%{real_rip}
mail_location = mdbox:~/mails
mail_log_prefix = "store107: %s(%u): %{session}: "
mail_max_userip_connections = 0
mail_plugins = quota virtual fts fts_solr notify mail_log
mailbox_list_index = yes
mdbox_rotate_size = 256 k
mmap_disable = yes
namespace inbox {
inbox = yes
location =...
2020 Sep 07
2
Btrfs RAID-10 performance
...ssapi_hostname =
auth_krb5_keytab =
auth_master_user_separator =
auth_mechanisms = plain
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username}
pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars =
abcdefghij...
2020 Sep 07
0
Btrfs RAID-10 performance
...ssapi_hostname =
auth_krb5_keytab =
auth_master_user_separator =
auth_mechanisms = plain
auth_policy_hash_mech = sha256
auth_policy_hash_nonce =
auth_policy_hash_truncate = 12
auth_policy_reject_on_fail = no
auth_policy_request_attributes = login=%{orig_username}
pwhash=%{hashed_password} remote=%{real_rip}
auth_policy_server_api_header =
auth_policy_server_timeout_msecs = 2000
auth_policy_server_url =
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_stats = no
auth_use_winbind = no
auth_username_chars =
abcdefghij...
2015 Mar 12
5
v2.2.16 released
http://dovecot.org/releases/2.2/dovecot-2.2.16.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.16.tar.gz.sig
A few fixes and some imapc improvements since the release candidate.
* dbox: Resyncing (e.g. doveadm force-resync) no longer deletes
dovecot.index.cache file. The cache file was rarely the problem
so this just caused unnecessary slowness.
* Mailbox name limits changed during