similar to: SASL LOGIN mechanism with nopassword

Dear subscribers, we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne. Please find patches for v2.2.36 and v2.3.4 attached, or download new version from https://dovecot.org Yours sincerely, Aki Tuomi Open-Xchange Oy

Hi, I've been having some problems getting GSSAPI authentication going against a samba (4.2) server and am hoping someone can point me in the right direction. I've searched through Google and haven't managed to find a solution yet. I followed the config instructions at http://wiki2.dovecot.org/Authentication/Kerberos and run through the testing. Testing from the server with telnet

HI All I have setup a dovecot proxy with remote auth, value nopassword in the passdb to make the auth remotely. With pop3 and imap the authentication is made on the remote server and this work perfectly. I have tested with wrong and correct password. Then I have added the postfix sasl and this also works fine, the request is made to dovecot. My problem is that with this method I can give any

Hi, This is my first post to the list, so greetings to you all! I am seeking your help with SSL/TLS client authentication. I currently have the following setup: * Server: - Debian Squeeze (fully patched) - OpenSSL 0.9.8o - Dovecot v2.1.10 (Debian backport package from Wheezy) - SSL listener on port 993 with the Dovecot selfsigned certificate that was created during

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> </div> <blockquote type="cite"> <div> On 20/08/2020 17:28 Steffen Nurpmeso <<a href="mailto:steffen@sdaoden.eu">steffen@sdaoden.eu</a>> wrote: </div> <div>

Hi list, I've just set up a 2.1.7 server, and have migrated a couple of accounts across from a 2.0.15 server, keeping the old configs. I have a strange problem on the new box in that altmove just doesn't work. I have my main storage under /home/email, indexes under /home/indexes and ALT under /home/email_archive. When I run the altmove command, the following broken symlink is created

Hello In my installation the disable_plaintext_auth does not appear to take effect. I can see that the value is correct using doveconf -a but it doesn't change anything. Whenever attempting to log in using IMAP I get this: * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed. ls NO

On 17.11.2016 10:30, Arkadiusz Mi?kiewicz wrote: > On Thursday 17 of November 2016, Aki Tuomi wrote: >> On 17.11.2016 10:14, Arkadiusz Mi?kiewicz wrote: >>> Hello. >>> >>> dovecot 2.2.26.0 >>> >>> When testing nopassword extra field >>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5 >>> dovecot

Hi, all I've recently upgraded to 2.1.16 and found my self in deep .... There are 4 accounts in my setup that need to be accessed simultaneously by 5-6 PCs on a local lan. The thing is if a user A updates, deletes, flags mail messages in the imap folders the changes don't get propagated to the other mail clients. To state this clearly, PC (A) thunderbird has an account SALES, Maildir

On 17.11.2016 10:30, Arkadiusz Mi?kiewicz wrote: > On Thursday 17 of November 2016, Aki Tuomi wrote: >> On 17.11.2016 10:14, Arkadiusz Mi?kiewicz wrote: >>> Hello. >>> >>> dovecot 2.2.26.0 >>> >>> When testing nopassword extra field >>> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5 >>> dovecot

Hi, I have a problem with dovecot auth and i don't know what happen .. running dovecot 2.1.7 When i try a login with user there is a crash in auth process: Jan 16 02:56:52 az-mail14 dovecot: auth: Panic: file auth-request.c: line 618 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL) Jan 16 02:56:52 az-mail14 dovecot: auth: Error: Raw

hello, i get these lines in syslog when using post-login within imap-login: imap-login: Fatal: master: service(imap-login): child 574 killed with signal 11 (core dumps disabled) imap[5523]: segfault at 14 ip b7556276 sp bfc1c940 error 4 in libdovecot.so.0.0.0[b7529000+d4000] these are the relevant sections i added: service imap-login { executable = imap post-login } service post-login {

I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL and client certificates enabled. In Dovecot, I have the following options enabled: ssl_ca = ... ssl_verify_client_cert = yes auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes when I try to connect with Outlook, I get: May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't

Hello, I would like to set up an authentication using certificate with Dovecot: A user sends mail to Postfix and Dovecot authentication is valid only if certificate is trusted. So, I enable the parameter auth_ssl_require_client_cert in dovecot configuration but it is not running. Here are the postfix logs: Aug 16 09:51:48 myserver dovecot: auth: Debug: Loading modules from directory:

Hello. dovecot 2.2.26.0 When testing nopassword extra field (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5 dovecot doesn't allow any password (while it should) and returns " Authentication failed" while in logs: Nov 17 08:22:34 auth-worker(1551): Info: sql(pepe,127.0.0.1,<Y8amDXpBptV/AAAB>): Requested CRAM-MD5 scheme, but we have a NULL password

On 17.11.2016 10:14, Arkadiusz Mi?kiewicz wrote: > Hello. > > dovecot 2.2.26.0 > > When testing nopassword extra field > (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5 dovecot > doesn't allow any password (while it should) and returns > > " Authentication failed" > > while in logs: > > Nov 17 08:22:34 auth-worker(1551):

Hello. I am not subscribed and new here, so first of all i want to thank you for dovecot. I personally do not use it in "production" (yet), but it is my sole point of interaction for testing the little MUA i maintain for quite some years. I also have used its code for affirmation purposes. (Interesting that OAUTHBEARER treats hostname and port as optional. I currently do

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 29 Jun 2015, Leon Kyneur wrote: > I have a configuration that works something like this on my front end proxy: > > pass_attrs = mail=user,\ > =nopassword=y,\ > =proxy=y,\ > =host=mail.%d > > The above works perfectly well even though it seems a bit hack. > > I want to fetch the host field from LDAP and default

Hello, Thanks for the advice, I have made that change now but the server is still doing the same fail with no logs thing it was before. # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) # OS: Linux 4.9.0-8-amd64 x86_64 Debian 9.6 auth_debug = yes auth_mechanisms = plain login auth_verbose = yes disable_plaintext_auth = no login_greeting = Welcome to easyMail.

Hi, We are trying to implement a highly secure mail server with user authentication restricted to SSL certificates only (not using passwords at all). Still, user information is stored in a LDAP directory. In this configuration LDAP is used to check whether the user is registered (and probably supply quota and other info), and actual authentication is done by SSL layer. According to wiki, a