how to show FreeIPA/Kerberos Password expired on webmail login

2021-04-30 Thread Robert Kudyba
Using dovecot-2.3.14-1.fc33.x86_64 with FreeIPA & Kerberos, if a user's
password is expired on a web mail login, e.g., with Squirrelmail, the user
sees:
"Unknown user or password incorrect."

The dovecot logs show:
auth: Debug: client passdb out: FAIL1   user=ouru...@ourdomain.edu
code=pass_expired reason=Password expired  original_user=ouruser
imap-login: Debug: Ignoring unknown passdb extra field: original_user
imap-login: Info: Aborted login (password expired): user=<
ouru...@ourdomain.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured, session=

Would this be a feature request to show this message to users?

Also, with debug logging there is a lot of log noise. Are these errors
normal?

Error: passwd-file: open(/etc/dovecot/users) failed: No such file or
directory

as well as:

auth: Debug: http-client: conn x.x.x.x:8084 [1]: Client connection failed
(fd=23)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Connection failed (1
connections exist, 0 pending)
auth: Debug: http-client: peer x.x.x.x:8084: Failed to make connection (1
connections exist, 0 pending)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Failed to establish any
connection within our peer pool: connect(x.x.x.x:8084) failed: Connection
refused (1 connections exist, 0 pending)
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Failed to set up
connection to x.x.x.x:8084 (SSL=x.x.x.x): connect(x.x.x.x:8084) failed:
Connection refused (1 peers pending, 1 requests pending)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Unlinked queue
https://x.x.x.x:8084 (0 queues linked)
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Failed to set up
any connection; failing all queued requests
auth: Debug: http-client[1]: request [Req1: POST
https://x.x.x.x:8084/?command=allow]: Error: 9003 connect(x.x.x.x:8084)
failed: Connection refused
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Dropping request
[Req1: POST https://x.x.x.x:8084/?command=allow]
auth: Debug: http-client: host x.x.x.x: Host is idle (timeout = 100 msecs)
auth: Error: policy(ouru...@ourdomain.edu,127.0.0.1,):
Policy server HTTP error: connect(x.x.x.x:8084) failed: Connection refused


Dovecot integration w/ FreeIPA expired password as well as if over quota login notice; local user can't login

2021-04-26 Thread Robert Kudyba
As I continue to test freeipa-server-4.9.3-1 on Fedora 33 with
dovecot-2.3.14-1, I've run into the following issues with web mail and
Dovecot integration.

1. I followed
https://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
but I couldn't get web mail to log in until I used the suggestion from
https://blog.delouw.ch/2017/02/19/integrate-dovecot-imap-with-freeipa-using-kerberos-sso/
and changed auth_mechanisms = plain gssapi login, which allowed logins of
FreeIPA Kerberos users.

2. Even with auth_mechanisms = plain gssapi login, I could then no longer
log in to SquirrelMail webmail with any local Unix (non-Kerberized) users.
The dovecot logs show:

auth: Error: policy(localu...@ourdomain.edu,127.0.0.1,):
Policy server HTTP error: connect(x.x.x.x:8084) failed: Connection refused
auth: Debug: policy(localu...@ourdomain.edu,127.0.0.1,):
Policy report action finished
auth: Debug: http-client[1]: request [Req2: POST
https://x.x.x.x:8084/?command=report]: Destroy (requests left=1)
auth: Debug: http-client[1]: request [Req2: POST
https://x.x.x.x:8084/?command=report]: Free (requests left=0)
auth: Debug: http-client: conn x.x.x.x[2]: Connection close
auth: Debug: http-client: conn x.x.x.x[2]: Connection disconnect
auth: Debug: http-client: conn x.x.x.x[2]: Disconnected: connect() failed:
Connection refused (fd=23)
auth: Debug: http-client: conn x.x.x.x[2]: Detached peer
auth: Debug: http-client: conn x.x.x.x[2]: Connection destroy
auth: Debug: http-client: host x.x.x.x: Idle host timed out
auth: Debug: http-client: host x.x.x.x: Host destroy
auth: Debug: http-client: host x.x.x.x: Host session destroy
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Destroy
auth: Debug: client passdb out: FAIL1   user=localu...@ourdomain.edu
 original_user=localuser
imap-login: Debug: Ignoring unknown passdb extra field: original_user
imap-login: Info: Aborted login (auth failed, 1 attempts in 3 secs): user=<
localu...@ourdomain.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured, session=

3. If a user was over quota there was no way to tell on the webmail page
that they were over quota, but the dovecot logs show imap(ouruser): Error:
mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded.

Would there be a security risk if the web page displayed a warning that
could be generalized to inform the user to either check their quota or that
a password reset is needed?


Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
>
> > On 12 April 2019 21:45 Robert Kudyba via dovecot 
> wrote:
> >
> >
> > > You are running some kind of proxy in front of it.
> >
> > No proxy. Just sendmail with users using emacs/Rmail or
> Webmail/Squirrelmail.
> >
> > > If you want it to show real client IP, you need to enable forwarding
> of said data. With dovecot it's done by setting
> > >
> > >  login_trusted_networks = your-upstream-host-or-net
> > >
> > >  in backend config file.
> >
> > OK I changed it and restarted wforce and dovecot. Still seeing this:
> > Apr 12 14:38:55 auth: Debug:
> policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON:
> {"device_id":"","login":"
> ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
> >
> > > For webmails, this requires both login_trusted_networks and also
> support from the webmail software to forward client IP.
> >
> > I did get a reply from the Squirrelmail list:
> > "Well, I've had code sitting around for a while that implements RFC2971
> (ID command), so I just committed it. You can use it for this purpose by
> putting something like this into your config/config_local.php
> > $imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"
> >
> > Which I also added previously. But that doesn't address emacs/RMail
> users.
> >
> > Could there be a setting in sendmail.mc/cf file that I'm missing?
>
> Can you verify following?
>
> doveconf auth_policy_request_attributes
>
> auth_policy_request_attributes = login=%{requested_username}
> pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> On some versions remote is mistakenly %{real_rip} which expands into where
> the connection came from instead of client IP.
>
> If it's wrong just feel free to copypaste the setting above into dovecot
> config.
>

Verified. I believe you told me that on the other thread and I made that
change a while back.


Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
>
> You are running some kind of proxy in front of it.


No proxy. Just sendmail with users using emacs/Rmail or
Webmail/Squirrelmail.


> If you want it to show real client IP, you need to enable forwarding of
> said data. With dovecot it's done by setting
>
> login_trusted_networks = your-upstream-host-or-net
>
> in backend config file.
>

OK I changed it and restarted wforce and dovecot. Still seeing this:
Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>):
Policy server request JSON: {"device_id":"","login":"
ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}


> For webmails, this requires both login_trusted_networks and also support
> from the webmail software to forward client IP.
>

I did get a reply from the Squirrelmail list:
"Well, I've had code sitting around for a while that implements RFC2971 (ID
command), so I just committed it.  You can use it for this purpose by
putting something like this into your config/config_local.php
$imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"

Which I also added previously. But that doesn't address emacs/RMail users.

Could there be a setting in sendmail.mc/cf file that I'm missing?


Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
>
> Probably there's an existing solution for both problems (subsequent
> attempts and dnsbl):
>
> > https://github.com/PowerDNS/weakforced
>
> It was also discussed recently on this list:
>
> > https://www.dovecot.org/list/dovecot/2019-March/114921.html
>
>
> Has already been on my personal todo list for some time, so I have no
> experience how (good) it actually works.
>

That was a thread I started. I got wforce to work. However the "reporting
IP" in the logs always shows as 127.0.0.1, so I risk banning myself. Here's
the log entry:
Apr 12 10:06:12 auth: Debug: policy(ouruser,127.0.0.1,):
Policy server request JSON:
{"device_id":"","login":"ouruser","protocol":"imap","pwhash":"2a","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}

I've tried setting auth_policy_server_url to examples such as:

   - auth_policy_server_url = http://localhost:8084/
   - auth_policy_server_url = http://0.0.0.0:8084/
   - auth_policy_server_url = https://ourdomain.edu:8084/

in the custom config file for wforce and the rip (reporting IP, e.g., Apr
12 10:06:10 auth: Debug: client in: AUTH1   PLAIN   service=imap
secured session=OWoLzlWGDrh/AAABlip=127.0.0.1   rip=127.0.0.1
 lport=143   rport=47118 resp=) is either 127.0.0.1 or
ourdomain.edu.
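Added example (not code from this thread or from weakforced): a model of the allow/report JSON exchange logged above, showing one defensive way to avoid the self-ban the post describes when remote=%{rip} is always the loopback. The trusted range, the threshold, the bucket naming and the {"status": ..., "msg": ...} response shape are assumptions, and the distinct-password count is exact rather than the HyperLogLog estimate wforce reports.

```python
"""Model of the Dovecot auth-policy exchange seen in this thread (added example).

Dovecot POSTs one JSON document per login attempt to the policy server:
  ?command=allow   before the password check
  ?command=report  after it, with "success" filled in
Field names follow auth_policy_request_attributes:
  login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} ...
"""
import ipaddress
import json
from collections import defaultdict, deque

WINDOW_SECS = 3600       # one-hour window, like the "OneHourDB" in the wforce stats on this page
MAX_DIFF_FAILED = 50     # assumed threshold: distinct failed password hashes before denying
TRUSTED_NETWORKS = ("127.0.0.0/8", "::1/128")  # assumed: where the webmail host connects from


def build_request(login, remote, pwhash, success=None):
    """Build a request body in the shape Dovecot logged above (constructed values)."""
    req = {"device_id": "", "login": login, "protocol": "imap",
           "pwhash": pwhash, "remote": remote, "tls": False}
    if success is not None:          # only the ?command=report request carries these
        req["success"] = success
        req["policy_reject"] = False
    return json.dumps(req)


class PolicyServer:
    def __init__(self, trusted_networks=TRUSTED_NETWORKS):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.failures = defaultdict(deque)  # bucket key -> deque of (timestamp, pwhash)

    def _is_trusted(self, remote):
        try:
            ip = ipaddress.ip_address(remote)
        except ValueError:
            return False  # "remote" was sometimes a hostname in this thread; never trust those
        return any(ip in net for net in self.trusted)

    def bucket(self, req):
        # If remote=%{rip} is the loopback, the webmail host did not forward the client
        # address, and counting against 127.0.0.1 would eventually deny every webmail
        # login. Count per login name in that case instead of discarding the attempt.
        if self._is_trusted(req["remote"]):
            return "login:" + req["login"]
        return "ip:" + req["remote"]

    def diff_failed_passwords(self, key, now):
        """Distinct failed password hashes recorded for this bucket inside the window."""
        q = self.failures[key]
        while q and now - q[0][0] > WINDOW_SECS:
            q.popleft()
        return len({pwhash for _, pwhash in q})

    def report(self, body, now):
        req = json.loads(body)
        # Dovecot sends a JSON false; the curl loop later on this page sends the string "false".
        if req.get("success") in (False, "false"):
            self.failures[self.bucket(req)].append((now, req["pwhash"]))
        return {"status": "ok"}

    def allow(self, body, now):
        req = json.loads(body)
        if self.diff_failed_passwords(self.bucket(req), now) >= MAX_DIFF_FAILED:
            return {"status": -1, "msg": "too many distinct failed passwords"}
        return {"status": 0, "msg": ""}


def replay_report_loop(server, now=0):
    """Replay the 101-report curl loop shown later on this page against the in-memory
    server; returns the exact distinct count (wforce's HyperLogLog field estimated 93)."""
    for a in range(1, 102):
        server.report(build_request("ahu", "127.0.0.1", "1234%d" % a, "false"), now)
    return server.diff_failed_passwords("login:ahu", now)
```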


Re: Editing fail2ban page?

2019-04-09 Thread Robert Kudyba via dovecot


> On Apr 9, 2019, at 9:03 AM, Mauricio Tavares via dovecot 
>  wrote:
> 
> In 
> https://wiki.dovecot.org/HowTo/Fail2Ban,
>  for a current (I know for
> a fact in 2.2.36) I believe it should be
> 
> filter = dovecot
> 
> instead of
> 
> filter = dovecot-pop3imap
> 
> [root@mail ~]# ls -l /etc/fail2ban/filter.d/doveco*
> 
> -rw-r--r-- 1 root root 1875 May 11  2017 /etc/fail2ban/filter.d/dovecot.conf

I believe that’s a different jail:

diff /etc/fail2ban/filter.d/dovecot-pop3imap.conf /etc/fail2ban/filter.d/dovecot.conf
0a1,7
> # Fail2Ban filter Dovecot authentication and pop3/imap server
> #
> 
> [INCLUDES]
> 
> before = common.conf
> 
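Review bot: the `before = common.conf` include added in this hunk is what the second half of the diff depends on: the `%(__prefix_line)s` and `%(__pam_auth)s` macros used in dovecot.conf's `prefregex` are defined in common.conf, so dovecot.conf only behaves as shown on a fail2ban install that ships common.conf, whereas dovecot-pop3imap.conf has no such dependency.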
2,3c9,47
< failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted 
login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth 
failed|Aborted login \(\d+ authentication attempts).*rip=``
< ignoreregex =
---
> 
> _auth_worker = (?:dovecot: )?auth(?:-worker)?
> _daemon = (?:dovecot(?:-auth)?|auth)
> 
> prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: 
> )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: 
> )?.+$
> 
> failregex = ^authentication failure; logname=\S* 
> uid=\S* euid=\S* tty=dovecot ruser=\S* 
> rhost=(?:\s+user=\S*)?\s*$
> ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth 
> failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) 
> \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: 
> method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
> ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User 
> not known to the underlying authentication module: \d+ 
> Time\(s\)|Authentication failure \(password mismatch\?\)|Permission 
> denied)\s*$
> ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid 
> credentials|Password mismatch)\s*$
> >
> 
> mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no 
> auth attempts|disconnected before auth was ready,|client didn't finish \S+ 
> auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
> rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
> 
> mdre-normal = 
> 
> # Parameter `mode` - `normal` or `aggressive`.
> # Aggressive mode can be used to match log-entries like:
> #   'no auth attempts', 'disconnected before auth was ready', 'client didn't 
> finish SASL auth'.
> # Note it may produce lots of false positives on misconfigured MTAs.
> # Ex.:
> # filter = dovecot[mode=aggressive]
> mode = normal
> 
> ignoreregex = 
> 
> journalmatch = _SYSTEMD_UNIT=dovecot.service
> 
> datepattern = {^LN-BEG}TAI64N
>   {^LN-BEG}
> 
> # DEV Notes:
> # * the first regex is essentially a copy of pam-generic.conf
> # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 
> 21/03/2016)
> #
> # Author: Martin Waschbuesch
> # Daniel Black (rewrote with begin and end anchors)
> # Martin O'Neal (added LDAP authentication failure regex)
> # Sergey G. Brester aka sebres (reviewed, optimized, 
> IPv6-compatibility)
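Review bot: in both filters the host capture is missing from the regexes as displayed: the `<` side ends `.*rip=``` and the `>` side has `rhost=(?:\s+user=\S*)?\s*$` and `rip=(?:[^>]*(?:, session=<\S+>)?)\s*$`, none of which contain the `<HOST>` tag fail2ban needs to extract an address, so either the mail rendering dropped the angle-bracket tag or neither filter can ban anything; run `fail2ban-regex` against a real log line for each before choosing a jail. Beyond that, the `>` side is the broader filter: it also matches `pam_authenticate() failed`, `unknown user`, `invalid credentials` and `Password mismatch` lines and sets `journalmatch = _SYSTEMD_UNIT=dovecot.service` for journald, while the `<` side only matches `pop3-login|imap-login` lines.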




Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-29 Thread Robert Kudyba via dovecot
>
> Well, as I said, it's up to squirrelmail to actually provide the real
> client IP. Otherwise dovecot cannot know it. You can try turning on imap
> rawlogs (see https://wiki.dovecot.org/Debugging/Rawlog)
> and check if squirrelmail is forwarding client ip or not.
>
I added the following to /etc/dovecot/conf.d/10-master.conf:

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}

restarted Dovecot and wforce, and I'm only seeing this, which shows the loopback
address:

Mar 29 10:10:51 imap-login: Info: Login: user=, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, mpid=10385, secured,
session=<8KTTPDyFVIh/AAAB>
Mar 29 10:10:51 imap(ouruser)<10385><8KTTPDyFVIh/AAAB>: Info: Connection
closed (UID FETCH finished 0.030 secs ago) in=308 out=27743 deleted=0
expunged=0 trashed=0 hdr_count=50 hdr_bytes=10263 body_count=0 body_bytes=0
Mar 29 10:10:51 auth: Debug: auth client connected (pid=10389)
Mar 29 10:10:51 auth: Debug: client in: AUTH1   PLAIN
 service=imapsecured session=2MwBPTyFWoh/AAABlip=127.0.0.1
 rip=127.0.0.1   lport=143   rport=34906 resp=
Mar 29 10:10:51 auth: Debug: policy(ouruser,127.0.0.1,<2MwBPTyFWoh/AAAB>):
Policy request https://ourdomain:8084/?command=allow
Mar 29 10:10:51 auth: Debug: policy(ouruser,127.0.0.1,<2MwBPTyFWoh/AAAB>):
Policy server request JSON:
{"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 29 10:10:51 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared):
Peer reused
Mar 29 10:10:51 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Setting up connection to ip.of.se.vr:8084 (SSL=ourdomain) (2 requests
pending)
Mar 29 10:10:51 auth: Debug: http-client[1]: request [Req7: POST
https://ourdomain:8084/?command=allow]: Submitted (requests left=2)
Mar 29 10:10:51 auth: Debug: http-client[1]: peer ip.of.se.vr:8084:
Creating 1 new connections to handle requests (already 0 usable, connecting
to 0, closing 0)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared):
Backoff timer expired
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Making
new connection 1 of 1 (0 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
HTTPS connection created (1 parallel connections exist)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Connected
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Starting SSL handshake
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: SSL
handshake to ip.of.se.vr:8084 failed: Connection closed
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084:
Connection failed (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084: Failed to
make connection (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Failed
to establish any connection within our peer pool: SSL handshake to
ip.of.se.vr:8084 failed: Connection closed (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Failed to set up connection to ip.of.se.vr:8084 (SSL=ourdomain): SSL
handshake to ip.of.se.vr:8084 failed: Connection closed (1 peers pending, 2
requests pending)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared):
Peer reused
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Setting up connection to ip.of.se.vr:8084 (SSL=ourdomain) (2 requests
pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Started new connection to ip.of.se.vr:8084 (SSL=ourdomain)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Connection close
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Connection disconnect
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Detached peer
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]:
Connection destroy
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084:
Creating 1 new connections to handle requests (already 0 usable, connecting
to 0, closing 0)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared):
Starting backoff timer for 6400 msecs
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Timeout (now: 2019-03-29 10:10:53.503)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084:
Absolute timeout expired for request [Req6: POST
https://ourdomain:8084/?command=report] (Request queued 2.001 secs ago, not
yet sent, 0.000 in other ioloops)
Mar 29 10:10:53 auth: Debu

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
>>>> Set
>>>> 
>>>> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
>>> 
>>> Can this be the Lets Encrypt cert that we already have? In other words we 
>>> have:
>>> ssl_cert = >> ssl_key = >> 
>>> Can those be used?
>> 
>> Set it to *CA* cert. You can also use
>> 
>> ssl_client_ca_file=/etc/pki/tls/ca-bundle crt (on centos) 

OK did that.

>> ssl_client_ca_dir=/etc/ssl/certs (on debian based)
>>>> Are you using haproxy or something in front of dovecot?
>>> 
>>> No. Just Squirrelmail webmail with sendmail.
>>> 
>> Maybe squirrelmail supports forwarding original client ip with ID command. 
>> Otherwise dovecot cannot know it. Or you could configure squirrelmail to use 
>> weakforced ?

I see some options in http://squirrelmail.org/docs/admin/admin-5.html#ss5.3. Would it be a plugin?

> Also check that auth_policy_request_attributes use %{rip} and not 
> %{real_rip}. You can see this with 
> 
> `doveconf auth_policy_request_attributes`

Yes, I’ve confirmed it matches. Still getting the URL or IP of the webmail 
address, as well as errors like "SSL handshake to ex.ter.na.lip:8084 failed: 
Connection closed":

Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Timeout (now: 2019-03-28 16:13:36.300)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Absolute timeout expired for request [Req10: POST 
https://ourdomain:8084/?command=allow] (Request queued 2.002 secs ago, not yet 
sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST 
https://ourdomain:8084/?command=allow]: Error: 9008 Absolute request timeout 
expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Dropping request [Req10: POST https://ourdomain:8084/?command=allow]
Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy 
server HTTP error: Absolute request timeout expired (Request queued 2.002 secs 
ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST 
https://ourdomain:8084/?command=allow]: Destroy (requests left=1)
Mar 28 16:13:36 auth: Debug: http-client[1]: request [Req10: POST 
https://ourdomain:8084/?command=allow]: Free (requests left=0)
Mar 28 16:13:36 auth-worker(32249): Debug: 
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup service=dovecot
Mar 28 16:13:36 auth-worker(32249): Debug: 
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1 msg=Password: 
Mar 28 16:13:38 auth-worker(32249): Info: 
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy 
request https://ourdomain:8084/?command=report
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy 
server request JSON: 
{"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: Set 
request timeout to 2019-03-28 16:13:40.625 (now: 2019-03-28 16:13:38.625)
Mar 28 16:13:38 auth: Debug: http-client: peer ex.ter.na.lip:8084 (shared): 
Peer reused
Mar 28 16:13:38 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Setting up connection to ex.ter.na.lip:8084 (SSL=ourdomain) (1 requests pending)
Mar 28 16:13:38 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=report]: Submitted (requests left=1)
Mar 28 16:13:38 auth: Debug: http-client[1]: peer ex.ter.na.lip:8084: Creating 
1 new connections to handle requests (already 0 usable, connecting to 0, 
closing 0)
Mar 28 16:13:40 auth: Debug: client passdb out: FAIL1   user=abc
Mar 28 16:13:40 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 
secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
session=<5aBSMC2FROF/AAAB>
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Timeout (now: 2019-03-28 16:13:40.626)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Absolute timeout expired for request [Req11: POST 
https://ourdomain:8084/?command=report] (Request queued 2.000 secs ago, not yet 
sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=report]: Error: 9008 Absolute request timeout 
expired (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: queue https://ourdomain:8084: 
Dropping request [Req11: POST https://ourdomain:8084/?command=report]
Mar 28 16:13:40 auth: Error: policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy 
server HTTP error: Absolute request timeout expired (Request queued 2.000 secs 
ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:40 auth: Debug: http-client[1]: request [Req11: POST 
https

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> Set
> 
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate 

Can this be the Lets Encrypt cert that we already have? In other words we have:
ssl_cert = 
ssl_key = 

Can those be used?

> Are you using haproxy or something in front of dovecot?

No. Just Squirrelmail webmail with sendmail.



Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot  
> wrote:
> 
>> On 28 March 2019 16:08 Robert Kudyba via dovecot  wrote:
>> 
>> 
>> dovecot-2.3.3-1.fc29.x86_64
>> 
>> Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 
>> (http_client_request_unref): assertion failed: (req->refcount > 0)
>> Mar 28 10:04:47 auth: Error: Raw backtrace: 
>> /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0x51207) [0x7fe76dff1207] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(+0x4972b) [0x7fe76dfe972b] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(http_client_request_destroy+0x107) 
>> [0x7fe76e02cf87] -> 
>> /usr/lib64/dovecot/libdovecot.so.0(http_client_deinit+0x4c) [0x7fe76e03b9ec] 
>> -> dovecot/auth(auth_policy_deinit+0x1e) [0x55facfdb350e] -> 
>> dovecot/auth(main+0x3e1) [0x55facfdae3c1] -> 
>> /lib64/libc.so.6(__libc_start_main+0xf3) [0x7fe76dd93413] -> 
>> dovecot/auth(_start+0x2e) [0x55facfdae57e]
>> Mar 28 10:04:47 auth: Fatal: master: service(auth): child 31162 killed with 
>> signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set 
>> /proc/sys/fs/suid_dumpable to 2)
>> Mar 28 10:04:48 master: Info: Dovecot v2.3.3 (dcead646b) starting up for 
>> imap, pop3
>> 
> Hi,
> 
> this is a known issue as DOV-3019 and we are fixing this. It happens during 
> auth process shutdown if there are pending requests.


Another issue is that the dovecot logs always report the offending URL or IP as 
what’s in /etc/dovecot/conf.d/95-auth.conf, in our case:
auth_policy_server_url = https://ourdomain:8084/

These are HTTP errors in the logs:

Mar 28 09:58:04 auth: Debug: client in: AUTH1   PLAIN   service=imap
secured session=lmNw8SeFoMl/AAABlip=127.0.0.1   rip=127.0.0.1   
lport=143   rport=51616 resp=
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,): 
Policy request https://ourdomain:8084/?command=allow
Mar 28 09:58:04 auth: Debug: policy(unclroot,127.0.0.1,): 
Policy server request JSON: 
{"device_id":"","login":"unclroot","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: Error: 9003 Couldn't 
initialize SSL context: Can't verify remote server certs without trusted CAs 
(ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: Submitted (requests left=3)
Mar 28 09:58:04 auth: Error: policy(unclroot,127.0.0.1,): 
Policy server HTTP error: Couldn't initialize SSL context: Can't verify remote 
server certs without trusted CAs (ssl_client_ca_* settings)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: Destroy (requests left=3)
Mar 28 09:58:04 auth: Debug: http-client[1]: request [Req11: POST 
https://ourdomain:8084/?command=allow]: Free (requests left=2)


So wforce is always recording the “bad” IP as 127.0.0.1 or the FQDN, and not 
the actual user IP. Is there another place to set this?

Perhaps I have to set this in wforce.conf?
webserver("0.0.0.0:8084", "ourpassword")

configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
dovecot-2.3.3-1.fc29.x86_64

Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 
(http_client_request_unref): assertion failed: (req->refcount > 0)
Mar 28 10:04:47 auth: Error: Raw backtrace: 
/usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> 
/usr/lib64/dovecot/libdovecot.so.0(+0xe3597) [0x7fe76e083597] -> 
/usr/lib64/dovecot/libdovecot.so.0(+0x51207) [0x7fe76dff1207] -> 
/usr/lib64/dovecot/libdovecot.so.0(+0x4972b) [0x7fe76dfe972b] -> 
/usr/lib64/dovecot/libdovecot.so.0(http_client_request_destroy+0x107) 
[0x7fe76e02cf87] -> /usr/lib64/dovecot/libdovecot.so.0(http_client_deinit+0x4c) 
[0x7fe76e03b9ec] -> dovecot/auth(auth_policy_deinit+0x1e) [0x55facfdb350e] -> 
dovecot/auth(main+0x3e1) [0x55facfdae3c1] -> 
/lib64/libc.so.6(__libc_start_main+0xf3) [0x7fe76dd93413] -> 
dovecot/auth(_start+0x2e) [0x55facfdae57e]
Mar 28 10:04:47 auth: Fatal: master: service(auth): child 31162 killed with 
signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set 
/proc/sys/fs/suid_dumpable to 2)
Mar 28 10:04:48 master: Info: Dovecot v2.3.3 (dcead646b) starting up for imap, 
pop3



lua policy for Weakforce and web mail failed login attempts

2019-03-15 Thread Robert Kudyba via dovecot
The good news is I believe I got Weakforce running
1) curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword
{"status":"ok"}[

2) after running the sample for loop:
for a in {1..101}; do
  curl -X POST -H "Content-Type: application/json" \
    --data '{"login":"ahu", "remote": "127.0.0.1", "pwhash":"1234'$a'", "success":"false"}' \
    http://127.0.0.1:8084/?command=report -u wforce:ourpassword
done

The result is:

{"status":"ok"}{"status":"ok"}{"status":"ok"}{

3) So checking the stats:

curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword

{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1",
"stats": {"OneHourDB": {"diffFailedPasswords": 93}}}

Notice the 93.

4) the reset works but I believe there's a bug in Getdbstats v2.0.0 where
"blacklisted" is always shown:
curl -X POST -H "Content-Type: application/json" --data '{"ip":"127.0.0.1"}' http://127.0.0.1:8084/?command=getDBStats -u wforce:ourpassword

{"bl_expire": "", "bl_reason": "", "blacklisted": false, "ip": "127.0.0.1",
"stats": {"OneHourDB": {"diffFailedPasswords": 0}}}[

5)
wforce -c
Read configuration from '/usr/local/etc/wforce.conf'
Connecting to 127.0.0.1:4004
> stats()
101 reports, 0 allow-queries (0 denies)

The 3 big questions I have:
a: How do I know IPs are being banned/rejected? Is there an alert creation
or a way to see in the logs that the rules are in effect?
b: Since I installed via Git and ran "make", how do I get wforce --daemon to
start on reboot? Is there a systemd file available?
c: How do I create a lua policy that would catch these web dovecot login
attempts?

Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 08:19:53 ourserver auth[15085]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
u...@ourserver.ourdomain.edu rhost=177.72.0.158
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 08:20:35 ourserver auth[15085]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user
rhost=213.156.111.236
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 08:27:07 ourserver auth[16831]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
nob...@ourserver.ourdomain.edu rhost=79.106.35.59
Feb 27 08:27:27 ourserver auth[16831]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody
rhost=95.38.212.65  user=nobody
Feb 27 08:27:27 ourserver auth[16831]: pam_succeed_if(dovecot:auth):
requirement "uid >= 1000" not met by user "nobody"
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 08:31:12 ourserver auth[17875]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
ouru...@ourserver.ourdomain.edu rhost=80.78.70.1
Feb 27 08:31:33 ourserver auth[17875]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser
rhost=45.225.236.198  user=ouruser
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 09:32:22 ourserver auth[32689]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
nob...@ourserver.ourdomain.edu rhost=37.205.81.41
Feb 27 09:32:42 ourserver auth[32689]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody
rhost=201.148.100.198  user=nobody
Feb 27 09:32:42 ourserver auth[32689]: pam_succeed_if(dovecot:auth):
requirement "uid >= 1000" not met by user "nobody"
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 09:44:09 ourserver auth[3271]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
otheru...@ourserver.ourdomain.edu rhost=177.69.145.193
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 09:44:35 ourserver auth[3271]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=otheruser
rhost=175.143.51.221
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth): check pass;
user unknown
Feb 27 09:47:32 ourserver auth[4048]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=
yetanotheru...@ourserver.ourdomain.edu rhost=162.245.81.231
Feb 27 09:47:56 ourserver auth[4048]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot
ruser=yetanotheruser rhost=83.243.88.236  user=yetanotheruser
Feb 27 20:44:41 ourserver auth[5828]: pam_unix(dovecot:auth):
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ouruser
rhost=166.171.184.200  user=ouruser


Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
I think I’m getting closer:

/var/log/messages shows:

Mar  7 12:01:35 olddsm wforce[22993]: WforceWebserver: HTTP Request "/" from 
127.0.0.1:59188: Web Authentication failed
Mar  7 12:02:43 olddsm wforce[22993]: allowLog too many different failed 
password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" 
protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
Mar  7 12:03:10 olddsm wforce[22993]: deleteBLEntry login_bl: login=localguy
Mar  7 12:03:12 olddsm wforce[22993]: allowLog too many different failed 
password attempts by IP: allow="-1" remote="127.0.0.1" login="localguy" 
protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }

But this for loop looks to be working (note the instructions say To report (if 
you configured with 'webserver("127.0.0.1:8084", "secret")') but the actual 
value is 0.0.0.0)

for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data 
'{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"1234'$a'", 
"success":"false"}'  http://127.0.0.1:8084/?command=report -u 
wforce:ourpassword; done
{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}

Then:
curl -X POST -H "Content-Type: application/json" --data '{"login":"our
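As an added example (my own code, not anything from this thread, Dovecot or wforce), here is a small Python log triage that answers question (a) from the earlier post in this thread: it parses pam_unix(dovecot:auth) failure lines to count failures per rhost, and parses wforce's allowLog lines, where allow="-1" is a rejection, so a ban can be confirmed from /var/log/messages rather than guessed at. The sample log is constructed, modelled on the lines quoted above, with placeholder hostnames, logins and documentation-range IPs; the two regexes are my own assumptions about the line shape, not Dovecot's or wforce's parsers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the pam_unix(dovecot:auth) and wforce
# allowLog lines quoted in this thread. Hostnames, logins and the
# documentation-range IPs are placeholders, not data from any real server.
SAMPLE_LOG = """\
Feb 27 08:19:53 mailhost auth[15085]: pam_unix(dovecot:auth): check pass; user unknown
Feb 27 08:19:53 mailhost auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@mailhost.example rhost=198.51.100.7
Feb 27 08:20:35 mailhost auth[15085]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=198.51.100.7
Feb 27 08:27:27 mailhost auth[16831]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=nobody rhost=203.0.113.9  user=nobody
Feb 27 08:27:27 mailhost auth[16831]: pam_succeed_if(dovecot:auth): requirement "uid >= 1000" not met by user "nobody"
Mar  7 12:02:43 mailhost wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="198.51.100.7" login="alice" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
Mar  7 12:03:12 mailhost wforce[22993]: allowLog too many different failed password attempts by IP: allow="-1" remote="198.51.100.7" login="alice" protocol="" device_id="" device_attrs={} attrs={} rattrs={attempts="50" }
"""

# pam_unix failure line: we only need who (ruser) and from where (rhost).
# ruser may be empty in real logs, hence \S* rather than \S+.
PAM_FAIL = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*?"
    r"\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S+)"
)

# wforce allowLog line. The allow value follows the Dovecot policy-server
# convention: 0 = allow, negative = reject, positive = tarpit for N seconds.
WFORCE_LOG = re.compile(
    r'wforce\[\d+\]: allowLog (?P<msg>.+?): allow="(?P<allow>-?\d+)" '
    r'remote="(?P<remote>[^"]*)" login="(?P<login>[^"]*)"'
)


def parse_pam_failures(text):
    """Return (rhost, ruser) for every pam_unix authentication failure line."""
    out = []
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            out.append((m.group("rhost"), m.group("ruser")))
    return out


def failures_by_rhost(text):
    """Count failed PAM authentications per remote host (what a ban rule keys on)."""
    return dict(Counter(rhost for rhost, _ in parse_pam_failures(text)))


def top_offenders(text, threshold=2):
    """Remote hosts with at least `threshold` failures, most failures first."""
    counts = failures_by_rhost(text)
    return [h for h, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])) if n >= threshold]


def parse_wforce_decisions(text):
    """Return (remote, login, allow, reason) for every wforce allowLog line."""
    out = []
    for line in text.splitlines():
        m = WFORCE_LOG.search(line)
        if m:
            out.append((m.group("remote"), m.group("login"),
                        int(m.group("allow")), m.group("msg")))
    return out


def rejected_remotes(text):
    """Map remote -> set of logins that wforce actually rejected (allow < 0)."""
    rejected = defaultdict(set)
    for remote, login, allow, _ in parse_wforce_decisions(text):
        if allow < 0:
            rejected[remote].add(login)
    return dict(rejected)


if __name__ == "__main__":
    print("PAM failures per rhost:", failures_by_rhost(SAMPLE_LOG))
    print("hosts at/over threshold:", top_offenders(SAMPLE_LOG))
    print("wforce rejections:", rejected_remotes(SAMPLE_LOG))
```

Run it against a real file with `failures_by_rhost(open("/var/log/secure").read())`; the wforce lines live in whatever syslog facility wforce writes to (the post above shows them in /var/log/messages). The "check pass; user unknown" and pam_succeed_if lines are deliberately not counted, since they are not authentication failures from a remote host.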

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
So for auth_policy_server_api_header. is the value of our_password come from 
the hashed response or the plain-text password? What else am I doing wrong?

Mar  7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 
127.0.0.1:56416: Web Authentication failed

curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", 
"remote": "127.0.0.1", "pwhash":"hashed-password"}'  
http://127.0.0.1:8084/?command=allow -u wforce:super
{"status":"failure", "reason":"Unauthorized"}

Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: 
/usr/lib64/dovecot/auth
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: 
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Mar 07 09:32:15 auth-worker(18933): Debug: 
pam(ouruser,127.0.0.1,): lookup service=dovecot
Mar 07 09:32:15 auth-worker(18933): Debug: 
pam(ouruser,127.0.0.1,): #1/1 style=1 msg=Password: 
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,): 
Policy request http://localhost:8084/?command=allow
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,): 
Policy server request JSON: 
{"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Set 
request timeout to 2019-03-07 09:32:17.520 (now: 2019-03-07 09:32:15.520)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Using 
existing connection to 127.0.0.1:8084 (1 requests pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST 
http://localhost:8084/?command=allow]: Submitted (requests left=1)
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle 
connections to handle 1 requests (1 total connections ready)
Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: 
Connection to peer 127.0.0.1:8084 claimed request [Req2: POST 
http://localhost:8084/?command=allow] 
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed 
request [Req2: POST http://localhost:8084/?command=allow]
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST 
http://localhost:8084/?command=allow]: Sent header
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST 
http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST 
http://localhost:8084/?command=allow]: Finished sending payload
Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more 
requests to service for this peer (1 connections exist, 0 pending)
Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 
response for request [Req2: POST http://localhost:8084/?command=allow] (took 0 
ms + 0 ms in queue)
Mar 07 09:32:15 auth: Error: policy(ouruser,127.0.0.1,): 
Policy server HTTP error: 401 Unauthorized
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,): 
Policy request http://localhost:8084/?command=report
Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,): 
Policy server request JSON: 
{"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}


> On Mar 7, 2019, at 2:42 AM, Aki Tuomi  wrote:
> 
> wforce is the username always.
> 
> auth_policy_hash_nonce should be set to a pseudorandom value that is shared 
> by your server(s). Weakforced does not need it for anything.
> 
> auth_policy_server_api_header should be set to Authorization: Basic <wforce:our_password | base64>
> 
> without the < >.
> Aki
> On 6.3.2019 20.42, Robert Kudyba via dovecot wrote:
>> I took suggestions from https://forge.puppet.com/fraenki/wforce
>> to set these in /etc/dovecot/conf.d/95-auth.conf
>> 
>> auth_policy_server_url = http://localhost:8084/
>> auth_policy_ha
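Added example (my own code, not from Dovecot, wforce or anyone in this thread): the header value Aki describes is ordinary HTTP Basic authentication for the password given to wforce's webserver(...) call, so the 401 in the log above is what you get when the secret sent (here `-u wforce:super`) differs from the one wforce was configured with; it has nothing to do with the per-login pwhash. The Python below builds the auth_policy_server_api_header value, decodes and checks it the way a policy server would (constant-time comparison, reject on any malformed header), and maps a policy reply's status field to allow/reject/tarpit as Dovecot interprets it. The user name, secret and reply bodies are placeholders.

```python
import base64
import binascii
import hmac
import json


def api_header(user: str, secret: str) -> str:
    """Value for Dovecot's auth_policy_server_api_header.

    Plain HTTP Basic auth: base64 of "user:secret", where secret is the
    password from wforce's webserver("host:port", "secret"), not a pwhash.
    """
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return f"Authorization: Basic {token}"


def parse_basic_auth(header: str):
    """Decode 'Authorization: Basic <token>' into (user, password); None if malformed."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorize(header: str, expected_user: str, expected_secret: str) -> bool:
    """Server-side check: True only if both user and secret match.

    Both comparisons run in constant time and are evaluated before the
    result is combined, so a wrong user and a wrong secret cost the same.
    Any False here is what turns into the 401 Unauthorized seen above.
    """
    parsed = parse_basic_auth(header)
    if parsed is None:
        return False
    user, secret = parsed
    ok_user = hmac.compare_digest(user.encode(), expected_user.encode())
    ok_secret = hmac.compare_digest(secret.encode(), expected_secret.encode())
    return ok_user and ok_secret


def policy_decision(body: str) -> str:
    """Interpret a policy reply {"status": N, ...} as Dovecot does.

    0 allows the login, a negative status rejects it, and a positive status
    delays (tarpits) the reply by N seconds. Matches the allow="-1" in the
    wforce allowLog lines quoted in this thread.
    """
    status = int(json.loads(body).get("status", 0))
    if status < 0:
        return "reject"
    if status > 0:
        return f"tarpit {status}s"
    return "allow"


if __name__ == "__main__":
    hdr = api_header("wforce", "our_password")  # placeholder secret
    print(hdr)
    print("correct secret accepted:", authorize(hdr, "wforce", "our_password"))
    print("wrong secret accepted:  ", authorize(api_header("wforce", "super"), "wforce", "our_password"))
    print(policy_decision('{"status": -1, "msg": "too many different failed password attempts by IP"}'))
```

The same header string, pasted into `auth_policy_server_api_header = ...` in the Dovecot config, is what makes the `?command=allow` and `?command=report` requests in the debug log above return 200 instead of 401.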

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
p://localhost:8084:
Using existing connection to 127.0.0.1:8084 (1 requests pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Submitted (requests left=1)
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1
idle connections to handle 1 requests (1 total connections ready)
Mar 06 13:32:16 auth: Debug: http-client[1]: queue http://localhost:8084:
Connection to peer 127.0.0.1:8084 claimed request [Req2: POST
http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]:
Claimed request [Req2: POST http://localhost:8084/?command=allow]
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Sent header
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST
http://localhost:8084/?command=allow]: Finished sending payload
Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more
requests to service for this peer (1 connections exist, 0 pending)
Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got
401 response for request [Req2: POST http://localhost:8084/?command=allow]
(took 0 ms + 0 ms in queue)



On Wed, Mar 6, 2019 at 11:54 AM Aki Tuomi 
wrote:

>
> On 6 March 2019 18:25 Robert Kudyba via dovecot 
> wrote:
>
>
> We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
> test wforce, from https://github.com/PowerDNS/weakforced.
>
>
> I see instructions at the Authentication policy support page,
> https://wiki2.dovecot.org/Authentication/Policy
>
> I see the Required Minimum Configuration:
> auth_policy_server_url = http://example.com:4001/
> auth_policy_hash_nonce = localized_random_string
>
> But when I search for these directives, they're not found:
> grep auth_policy_server_url /etc/dovecot/conf.d/*
>
> Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does
> anyone know of a good tutorial?
>
>
> You can add them there if you want, dovecot combines all the files into
> one in the end.
>
> ---
> Aki Tuomi
>
>
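As an added example (mine, not from the thread or from the Dovecot wiki page cited), a minimal fragment for any file under /etc/dovecot/conf.d/, for instance the 95-auth.conf mentioned later in this thread, since Dovecot merges all of them as Aki says. Every value is a placeholder: the nonce must be replaced by a random string shared by all Dovecot hosts, and the header is base64 of `wforce:<secret>`, where `<secret>` is the password given to wforce's webserver(...) call (here the placeholder word "secret").

```conf
# /etc/dovecot/conf.d/95-auth.conf (added example, placeholder values)

# Where wforce's webserver("127.0.0.1:8084", "secret") is listening.
auth_policy_server_url = http://localhost:8084/

# Random string shared by all Dovecot hosts; used to salt the pwhash field.
# wforce itself does not need it, but Dovecot refuses to run the policy
# client without one.
auth_policy_hash_nonce = REPLACE_WITH_A_LONG_RANDOM_STRING

# HTTP Basic auth for the wforce webserver: base64("wforce:secret").
# Without this (or with the wrong secret) every request is answered 401.
auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOnNlY3JldA==

# Fail closed in under the IMAP login timeout rather than hanging logins.
auth_policy_server_timeout_msecs = 2000

# Ask before authentication (?command=allow), report the outcome afterwards
# (?command=report); these are the defaults, shown here for clarity.
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
```

Verify with `doveconf -n | grep auth_policy` after `systemctl reload dovecot`; the earlier post's `grep auth_policy_server_url /etc/dovecot/conf.d/*` only finds the directive once it has been added to one of those files.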


how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to
test wforce, from https://github.com/PowerDNS/weakforced.

I see instructions at the Authentication policy support page,
https://wiki2.dovecot.org/Authentication/Policy

I see the Required Minimum Configuration:
auth_policy_server_url = http://example.com:4001/
auth_policy_hash_nonce = localized_random_string

But when I search for these directives, they're not found:
grep auth_policy_server_url /etc/dovecot/conf.d/*

Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does
anyone know of a good tutorial?


after reboot listen(*, 995) failed: Address already in use/listen(*, 993) failed: Address already in use

2018-11-08 Thread Robert Kudyba
This is still happening after a reboot, Fedora 28. Restarting dovecot fixes
the problem. Does anyone know if it could be related to this bug
report? https://bugzilla.redhat.com/show_bug.cgi?id=103401#c130 and the suggested
workaround to add ports to /proc/sys/net/ipv4/ip_local_reserved_ports?

Nov  8 12:21:41 ourdomain dovecot[1386]: Error: service(pop3-login):
listen(*, 995) failed: Address already in use
Nov  8 12:21:41 ourdomain dovecot[1386]: Error: service(pop3-login):
listen(::, 995) failed: Address already in use
Nov  8 12:21:41 ourdomain dovecot[1386]: Error: service(imap-login):
listen(*, 993) failed: Address already in use
Nov  8 12:21:41 ourdomain dovecot[1386]: Error: service(imap-login):
listen(::, 993) failed: Address already in use


dovecot --version
2.2.36 (1f10bfa63)

dovecot -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.16-200.fc28.x86_64 x86_64 Fedora release 28 (Twenty Eight)
# Hostname: ourdomain.com
auth_debug = yes
debug_log_path = /var/log/dovecot-debug.log
mail_debug = yes
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = required
ssl_cert = 

imap Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0 on Fedora 24

2016-12-15 Thread Robert Kudyba
Seems to be related to https://bugzilla.redhat.com/show_bug.cgi?id=1189198.
Separate note: the link to Overview of all dovecot.org mailing lists
(http://dovecot.org/mailman/listinfo) is broken, as are the images on the page.

Here’s the backtrace.

dovecot[12438]: imap(username): Error: Raw backtrace: 
/usr/lib64/dovecot/libdovecot.so.0(+0x91ab2) [0x7ff01e98cab2] -> 
/usr/lib64/dovecot/libdovecot.so.0(+0x91bad) [0x7ff01e98cbad] -> 
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff01e925f41] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(+0xaa1ed) [0x7ff01ecc01ed] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_mail_get_first_header+0xd2) 
[0x7ff01ecc0652] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_get_first_header+0x3d) 
[0x7ff01ec4c88d] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xbe717) 
[0x7ff01ecd4717] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xbe952) 
[0x7ff01ecd4952] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read+0x53) 
[0x7ff01e997653] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read_data+0x3d) 
[0x7ff01e99807d] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header_next+0x72) 
[0x7ff01e9748e2] -> /usr/lib64/dovecot/libdovecot.so.0(+0x73d91) 
[0x7ff01e96ed91] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read+0x53) 
[0x7ff01e997653] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read_data+0x3d) 
[0x7ff01e99807d] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header_next+0x72) 
[0x7ff01e9748e2] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header+0x4f) [0x7ff01e97527f] 
-> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xb0d4b) [0x7ff01ecc6d4b] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(+0xb2e63) [0x7ff01ecc8e63] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_search_next_nonblock+0x114)
 [0x7ff01ecc9574] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_search_next_nonblock+0x22) 
[0x7ff01ec56d52] -> dovecot/imap(+0x221ff) [0x559b559541ff] -> 
dovecot/imap(imap_search_start+0xd1) [0x559b559545c1] -> 
dovecot/imap(cmd_search+0xd3) [0x559b55946063] -> 
dovecot/imap(command_exec+0xa5) [0x559b5594d5d5] -> dovecot/imap(+0x19852) 
[0x559b5594b852] -> dovecot/imap(+0x198de) [0x559b5594b8de] -> 
dovecot/imap(client_handle_input+0x1b5) [0x559b5594bce5] -> 
dovecot/imap(client_input+0x82) [0x559b5594c262]

dovecot[12438]: imap(username): Error: Raw backtrace: 
/usr/lib64/dovecot/libdovecot.so.0(+0x91ab2) [0x7f77a0cd7ab2] -> 
/usr/lib64/dovecot/libdovecot.so.0(+0x91bad) [0x7f77a0cd7bad] -> 
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f77a0c70f41] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(+0xaa1ed) [0x7f77a100b1ed] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_mail_get_first_header+0xd2) 
[0x7f77a100b652] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_get_first_header+0x3d) 
[0x7f77a0f9788d] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xbe717) 
[0x7f77a101f717] -> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xbe952) 
[0x7f77a101f952] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read+0x53) 
[0x7f77a0ce2653] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read_data+0x3d) 
[0x7f77a0ce307d] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header_next+0x72) 
[0x7f77a0cbf8e2] -> /usr/lib64/dovecot/libdovecot.so.0(+0x73d91) 
[0x7f77a0cb9d91] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read+0x53) 
[0x7f77a0ce2653] -> /usr/lib64/dovecot/libdovecot.so.0(i_stream_read_data+0x3d) 
[0x7f77a0ce307d] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header_next+0x72) 
[0x7f77a0cbf8e2] -> 
/usr/lib64/dovecot/libdovecot.so.0(message_parse_header+0x4f) [0x7f77a0cc027f] 
-> /usr/lib64/dovecot/libdovecot-storage.so.0(+0xb0d4b) [0x7f77a1011d4b] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(+0xb2e63) [0x7f77a1013e63] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_search_next_nonblock+0x114)
 [0x7f77a1014574] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_search_next_nonblock+0x22) 
[0x7f77a0fa1d52] -> dovecot/imap(+0x221ff) [0x563492d1d1ff] -> 
dovecot/imap(imap_search_start+0xd1) [0x563492d1d5c1] -> 
dovecot/imap(cmd_search+0xd3) [0x563492d0f063] -> 
dovecot/imap(command_exec+0xa5) [0x563492d165d5] -> dovecot/imap(+0x19852) 
[0x563492d14852] -> dovecot/imap(+0x198de) [0x563492d148de] -> 
dovecot/imap(client_handle_input+0x1b5) [0x563492d14ce5] -> 
dovecot/imap(client_input+0x82) [0x563492d15262]


dovecot --version
2.2.26.0 (23d1de6)


dovecot -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# OS: Linux 4.8.4-200.fc24.x86_64 x86_64 Fedora release 24 (Twenty Four) 
mail_fsync = always
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mail_nfs_index = yes
mail_nfs_storage = yes
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Se