Displaying 20 results from an estimated 46 matches for "username_filter".
2017 Nov 13
3
IMAP connections with ".eml" in the username - bot attack.
We are seeing lots of IMAP login attempts like this:
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xcentrex5fxnewx5fxyorkx5fxquotex5fxisx5fxreadyx2dxx2dx426453.eml>, method=PLAIN, rip=197.255.60.118,
or
dovecot[363]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xmatchingx5fxyourx5fxrecentx5fxvisitx5fxonx5fxx2dxx2dx121584.eml at
2022 Jul 06
1
CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used
...Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Vulnerability Details:
When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
Dovecot documentation does not advise against the u...
2019 Sep 25
1
Spam Blocking by filtering on username / id
...t silently drop them. Or throw the attempts into a different log perhaps. Just thinking out loud at this point.
For the sake of completeness, there's also my personal favourite, CSF, which in my opinion does a better job than fail2ban, but still not exactly what I envisaged.
> you can add username_filter = *@domain.com
> or deny-passdb before actual passdb with username_filter = !*@domain.com
> https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
This is more like what I had in mind. Let me try this out and I'll report back.
P.
2019 Sep 23
4
Spam Blocking by filtering on username / id
This is probably quite an easy question, but I haven't been able to find the answer. I'm running a server where all the email addresses are in the format "user@domain.com". I've noticed that a large number of fake login attempts use the format "user", e.g. reception, service, root, admin.
Is it possible to prevent any such logins to these email users without an
2018 Feb 22
2
Authenticating pam and sql
When a sql user logs in, dovecot always tries pam first (used for the local users with home directories) which generates a login failure in the log, before trying sql (virtual users) and allowing the user to log in.
Since all the pam users log in as 'user' and all the sql users log in as 'user@example.com', is it possible to tell dovecot which method to check based on the username
2017 Jun 02
2
Two domains - same user names filter
...> > default_pass_scheme = MD5
>
> you have one LDAP conf per domain and two userdb's, right?
>
> Can you make use of ${domain} in one of the LDAP servers, is the domain
> present in the user entries?
>
> - --
> Steffen Kaiser
Dovecot 2.2.29+ has a feature called username_filter for passdb blocks, which lets you specify the usernames for which the passdb block is to be used. This could simplify your config somewhat. See https://wiki.dovecot.org/PasswordDatabase
Aki
2017 May 30
7
v2.2.30 released
...t shutdown,
which instructs them to close all the socket listeners immediately.
This way restarting Dovecot should no longer fail due to some
processes keeping the listeners open for a long time.
+ auth: Add passdb { mechanisms=none } to match separate passdb lookup
+ auth: Add passdb { username_filter } to use passdb only if user
matches the filter. See https://wiki2.dovecot.org/PasswordDatabase
+ dsync: Add dsync_commit_msgs_interval setting. It attempts to commit
the transaction after saving this many new messages. Because of the
way dsync works, it may not always be possible if mail...
2018 Mar 28
1
Dovecot 2.3 panic
...= mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
passdb {
  driver = shadow
  username_filter = !*@*
}
passdb {
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
  username_filter = *@*
}
plugin {
  quota = maildir
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_global = /var/lib/dovecot/sieve/global/
}
pr...
2017 Jul 13
1
Master auth only
> On 12 Jul 2017, at 15.46, Rick Romero <rick at havokmon.com> wrote:
> This is awesome, as I was just contemplating how to maintain persistence with 2FA.
> Is it possible to use a passdb based on remote ip? There's a username_filter, but I want to use a master password for webmail (which will use 2FA via Radius), and those IPs are known and non-routable.
passdb {
  driver = static
  args = password=masterpassword allow_nets=192.168.0.0/24
}
or you can even use a single IP like allow_nets=192.168.1.234
Sami
2017 Nov 13
0
IMAP connections with ".eml" in the username - bot attack.
...e they trying to accomplish?
>
> Any ideas on how to mitigate it?
If the attempts really all come from different source ip addresses and the username attempted
is always *.eml (and you don't have any real users with username ending in .eml), maybe you
could just create deny-passdb with username_filter *.eml?
passdb {
  driver = static
  deny = yes
  username_filter = *.eml
  args =
}
as your first passdb
Sami
2018 May 04
1
expiring mail from root's Maildirs?
...ngs. Refer to server log for more information.
The error makes me think this is intentional, and I can see that makes a sort of sense, but it still leaves me with a Sent box that grows forever until I manually go in and remove old mails.
I am using passwd for userdb and pam for passdb:
passdb {
  username_filter = "!*@*"
  driver = pam
}
userdb {
  driver = passwd
}
Can I do this with doveadm or am I going to have to resort to either manually removing the mail (hah!) or just crontabbing a task to remove the files more than 30 days old?
2017 Jul 12
3
Master auth only
> On July 11, 2017 at 11:50 AM azurit at pobox.sk wrote:
>
>
>
> Quoting azurit at pobox.sk:
>
> > Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >>> On July 10, 2017 at 1:45 PM azurit at pobox.sk wrote:
> >>>
> >>>
> >>>
> >>> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>
>
2017 Jun 06
1
Two domains - same user names filter
...n=<6v9kQkdREADAqAG3>
btw, it's Dovecot 2.2.18 (Ubuntu 16.04 LTS)
Robert
2017-06-03 18:18 GMT+02:00 Sami Ketola <sami.ketola at dovecot.fi>:
>
> > On 2 Jun 2017, at 11.40, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >
> > Dovecot 2.2.29+ has feature called username_filter for passdb blocks, which lets you specify usernames the passdb block is to be used. This could simplify your config somewhat. See https://wiki.dovecot.org/PasswordDatabase
>
>
> Small mistake. That feature is in 2.2.30+
>
> Sami
>
>
2019 Feb 27
2
Unexpected behavior with sieve_vacation_to_header_ignore_envelope = yes
...n:
------>8------------------------------------------------------------------------------
mail /usr/local/etc/dovecot/conf.d >doveconf | grep -A 10 -B 10 to_header_ignore_envelope
result_failure = continue
result_internalfail = continue
result_success = return-ok
skip = never
username_filter =
}
plugin {
acl = vfile
acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
sieve = file:/srv/vmail/%u/sieve;active=/srv/vmail/%u/active.sieve
sieve_vacation_to_header_ignore_envelope = yes
}
pop3_client_workarounds =
pop3_delete_type = default
pop3_deleted_flag =
pop3_enable_last...
2018 Mar 06
4
Virtual Mailboxes redux
...auto = subscribe
special_use = \Archive
}
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
  driver = pam
  username_filter = !*@*
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/...
2017 May 24
0
v2.2.30 release candidate released
...t shutdown,
which instructs them to close all the socket listeners immediately.
This way restarting Dovecot should no longer fail due to some
processes keeping the listeners open for a long time.
+ auth: Add passdb { mechanisms=none } to match separate passdb lookup
+ auth: Add passdb { username_filter } to use passdb only if user
matches the filter. See https://wiki2.dovecot.org/PasswordDatabase
+ dsync: Add dsync_commit_msgs_interval setting. It attempts to commit
the transaction after saving this many new messages. Because of the
way dsync works, it may not always be possible if mail...
2017 May 31
0
v2.2.30 released
...ts them to close all the socket listeners immediately.
> This way restarting Dovecot should no longer fail due to some
> processes keeping the listeners open for a long time.
>
> + auth: Add passdb { mechanisms=none } to match separate passdb lookup
> + auth: Add passdb { username_filter } to use passdb only if user
> matches the filter. See https://wiki2.dovecot.org/PasswordDatabase
Shouldn't the wiki be corrected?
we have:
mechanisms: Skip, if non-empty and the current auth mechanism is listed
here.
but the intended meaning is:
mechanisms: Skip, if non-empty and the...