Re: Auth Policy Server/wforce/weakforced

2017-08-08 Thread Teemu Huovila


On 04.08.2017 23:10, Daniel Miller wrote:
> On 8/4/2017 12:48 PM, Daniel Miller wrote:
>> On 8/3/2017 6:11 AM, Teemu Huovila wrote:
>>>
>>> On 02.08.2017 23:35, Daniel Miller wrote:
>>>> Is there explicit documentation available for the (probably trivial) 
>>>> configuration needed for Dovecot and Wforce?  I'm probably missing 
>>>> something that should be perfectly obvious...
>>>>
>>>> Wforce appears to start without errors.  I added a file to dovecot's 
>>>> conf.d:
>>>>
>>>> 95-policy.conf:
>>>> auth_policy_server_url = http://localhost:8084/
>>>> auth_policy_hash_nonce = this_is_my_super_secret_something
>>>>
>>>> Looking at the Wforce console I see:
>>>>
>>>> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication 
>>>> failed
>>>>
>>>> In wforce.conf I have the (default):
>>>>
>>>> webserver("0.0.0.0:8084", "--WEBPWD")
>>>>
>>>> Do I need to change the "--WEBPWD"?  Do I need to specify something in the 
>>>> Dovecot config?
>>> You could try putting an actual password, in plain text, where --WEBPWD is. 
>>> Then add that base64 encoded to dovecot setting 
>>> auth_policy_server_api_header.
>>>
>> I knew it would be something like that.  I've made some changes but I'm 
>> still not there.  I presently have:
>>
>> webserver("0.0.0.0:8084", "--WEBPWD ultra-secret-secure-safe")
>> in wforce.conf (and I've tried with and without the --WEBPWD)
>>
>> and
>>
>> auth_policy_server_api_header = Authorization: Basic 
>> dWx0cmEtc2VjcmV0LXNlY3VyZS1zYWZl
>> in 95-policy.conf for dovecot
>>
>> Obviously I'm still formatting something wrong.
>>
> I think I've got something working a little better.  I'm using:
> webserver("0.0.0.0:8084", "ultra-secret-secure-safe")
> (so I remove the --WEBPWD - that's a placeholder, not an argument declaration)
> 
> and for dovecot, the base64 encoding needs to be "wforce:password" instead of 
> just the password.
> 
> Now I have to see what else needs to be tweaked.
> 
> Daniel
Glad you got it working. Lua comments, prefixed with "--", can indeed be a bit 
misleading. My sloppy answer omitting the HTTP Basic auth hash contents did not 
help either.

br,
Teemu


Re: Auth Policy Server/wforce/weakforced

2017-08-04 Thread Daniel Miller

On 8/4/2017 12:48 PM, Daniel Miller wrote:

> On 8/3/2017 6:11 AM, Teemu Huovila wrote:
>>
>> On 02.08.2017 23:35, Daniel Miller wrote:
>>> Is there explicit documentation available for the (probably trivial) 
>>> configuration needed for Dovecot and Wforce?  I'm probably missing 
>>> something that should be perfectly obvious...
>>>
>>> Wforce appears to start without errors.  I added a file to dovecot's 
>>> conf.d:
>>>
>>> 95-policy.conf:
>>> auth_policy_server_url = http://localhost:8084/
>>> auth_policy_hash_nonce = this_is_my_super_secret_something
>>>
>>> Looking at the Wforce console I see:
>>>
>>> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web 
>>> Authentication failed
>>>
>>> In wforce.conf I have the (default):
>>>
>>> webserver("0.0.0.0:8084", "--WEBPWD")
>>>
>>> Do I need to change the "--WEBPWD"?  Do I need to specify something 
>>> in the Dovecot config?
>> You could try putting an actual password, in plain text, where 
>> --WEBPWD is. Then add that base64 encoded to dovecot setting 
>> auth_policy_server_api_header.
>>
> I knew it would be something like that.  I've made some changes but 
> I'm still not there.  I presently have:
>
> webserver("0.0.0.0:8084", "--WEBPWD ultra-secret-secure-safe")
> in wforce.conf (and I've tried with and without the --WEBPWD)
>
> and
>
> auth_policy_server_api_header = Authorization: Basic 
> dWx0cmEtc2VjcmV0LXNlY3VyZS1zYWZl
> in 95-policy.conf for dovecot
>
> Obviously I'm still formatting something wrong.


I think I've got something working a little better.  I'm using:
webserver("0.0.0.0:8084", "ultra-secret-secure-safe")
(so I remove the --WEBPWD - that's a placeholder, not an argument 
declaration)


and for dovecot, the base64 encoding needs to be "wforce:password" 
instead of just the password.


Now I have to see what else needs to be tweaked.

Daniel


Re: Auth Policy Server/wforce/weakforced

2017-08-04 Thread Daniel Miller

On 8/3/2017 6:11 AM, Teemu Huovila wrote:


> On 02.08.2017 23:35, Daniel Miller wrote:
>
>> Is there explicit documentation available for the (probably trivial) 
>> configuration needed for Dovecot and Wforce?  I'm probably missing something 
>> that should be perfectly obvious...
>>
>> Wforce appears to start without errors.  I added a file to dovecot's conf.d:
>>
>> 95-policy.conf:
>> auth_policy_server_url = http://localhost:8084/
>> auth_policy_hash_nonce = this_is_my_super_secret_something
>>
>> Looking at the Wforce console I see:
>>
>> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication 
>> failed
>>
>> In wforce.conf I have the (default):
>>
>> webserver("0.0.0.0:8084", "--WEBPWD")
>>
>> Do I need to change the "--WEBPWD"?  Do I need to specify something in the 
>> Dovecot config?
>
> You could try putting an actual password, in plain text, where --WEBPWD is. 
> Then add that base64 encoded to dovecot setting auth_policy_server_api_header.

I knew it would be something like that.  I've made some changes but I'm 
still not there.  I presently have:


webserver("0.0.0.0:8084", "--WEBPWD ultra-secret-secure-safe")
in wforce.conf (and I've tried with and without the --WEBPWD)

and

auth_policy_server_api_header = Authorization: Basic 
dWx0cmEtc2VjcmV0LXNlY3VyZS1zYWZl

in 95-policy.conf for dovecot

Obviously I'm still formatting something wrong.

Daniel


Re: Auth Policy Server/wforce/weakforced

2017-08-03 Thread Teemu Huovila


On 02.08.2017 23:35, Daniel Miller wrote:
> Is there explicit documentation available for the (probably trivial) 
> configuration needed for Dovecot and Wforce?  I'm probably missing something 
> that should be perfectly obvious...
> 
> Wforce appears to start without errors.  I added a file to dovecot's conf.d:
> 
> 95-policy.conf:
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = this_is_my_super_secret_something
> 
> Looking at the Wforce console I see:
> 
> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication 
> failed
> 
> In wforce.conf I have the (default):
> 
> webserver("0.0.0.0:8084", "--WEBPWD")
> 
> Do I need to change the "--WEBPWD"?  Do I need to specify something in the 
> Dovecot config? 
You could try putting an actual password, in plain text, where --WEBPWD is. 
Then add that base64 encoded to dovecot setting auth_policy_server_api_header.

hope this helps,
Teemu


Auth Policy Server/wforce/weakforced

2017-08-02 Thread Daniel Miller
Is there explicit documentation available for the (probably trivial) 
configuration needed for Dovecot and Wforce?  I'm probably missing 
something that should be perfectly obvious...


Wforce appears to start without errors.  I added a file to dovecot's conf.d:

95-policy.conf:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = this_is_my_super_secret_something

Looking at the Wforce console I see:

WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web 
Authentication failed


In wforce.conf I have the (default):

webserver("0.0.0.0:8084", "--WEBPWD")

Do I need to change the "--WEBPWD"?  Do I need to specify something in 
the Dovecot config?


--
Daniel


Re: Auth Policy Server

2017-06-30 Thread Aki Tuomi

> On June 30, 2017 at 10:24 PM Daniel Miller  wrote:
> 
> 
> On 6/30/2017 12:05 PM, Aki Tuomi wrote:
> >> On June 30, 2017 at 9:49 PM Daniel Miller  wrote:
> >>
> >>
> >> I've made a preliminary auth policy server in Perl - and it sort of
> >> works (mostly) - but I've got some questions on "proper" implementation.
> >>
> >>
> > Hi!
> >
> > First of all, which version are you running, and can you get a bt full 
> > backtrace of the crash?
> >
> > Secondly, the endpoint does not need to be a proper web server, you can 
> > compare with https://github.com/PowerDNS/weakforced which is another 
> > implementation of auth policy server.
> >
> > Aki
> 
> That link helped a lot - among other things forcing me to read.  I 
> actually broke my policy server trying to "improve" it - I implemented a 
> 30-second auth delay on valid logins!  Setting that back to 0 seems to 
> do the trick...
> 
> I'm running Dovecot 2.2.28.  For the bt - I'll be happy to if still 
> desired, but you'll have to give me instructions as I don't know how.
> 
> As I continue tweaking this, if there's any interest I'll see about 
> sharing this.  For my own needs I wanted a GeoIP-based policy.  My 
> thinking, skewed as it is, is that while SMTP needs to be relatively 
> open - as I have friends & business contacts in other countries - the 
> only people who access my IMAP server are somewhere in my country.  
> Therefore, simply restricting login attempts to only be from IPs in my 
> country will block the majority of botnets (at least, that's what I 
> think I'm seeing from my logs).
> 
> Daniel

Hi!

Please upgrade to at least 2.2.29; there are bugs fixed related to the auth policy 
server, and most likely your bug is fixed there too.

Aki


Re: Auth Policy Server

2017-06-30 Thread Daniel Miller

On 6/30/2017 12:05 PM, Aki Tuomi wrote:

> On June 30, 2017 at 9:49 PM Daniel Miller  wrote:
>>
>>
>> I've made a preliminary auth policy server in Perl - and it sort of
>> works (mostly) - but I've got some questions on "proper" implementation.
>>
>
> Hi!
>
> First of all, which version are you running, and can you get a bt full 
> backtrace of the crash?
>
> Secondly, the endpoint does not need to be a proper web server, you can compare 
> with https://github.com/PowerDNS/weakforced which is another implementation of 
> auth policy server.
>
> Aki


That link helped a lot - among other things forcing me to read.  I 
actually broke my policy server trying to "improve" it - I implemented a 
30-second auth delay on valid logins!  Setting that back to 0 seems to 
do the trick...


I'm running Dovecot 2.2.28.  For the bt - I'll be happy to if still 
desired, but you'll have to give me instructions as I don't know how.


As I continue tweaking this, if there's any interest I'll see about 
sharing this.  For my own needs I wanted a GeoIP-based policy.  My 
thinking, skewed as it is, is that while SMTP needs to be relatively 
open - as I have friends & business contacts in other countries - the 
only people who access my IMAP server are somewhere in my country.  
Therefore, simply restricting login attempts to only be from IPs in my 
country will block the majority of botnets (at least, that's what I 
think I'm seeing from my logs).


Daniel


Re: Auth Policy Server

2017-06-30 Thread Aki Tuomi

> On June 30, 2017 at 9:49 PM Daniel Miller  wrote:
> 
> 
> I've made a preliminary auth policy server in Perl - and it sort of 
> works (mostly) - but I've got some questions on "proper" implementation.
> 
> It appears the communication is HTTP based - is the intent to talk to a 
> "proper" webserver, or is a simple dedicated daemon appropriate (which 
> is what I made)?
> 
> Should connections be maintained, or terminated after each response 
> (which is my current setup)?
> 
> If my implementation is correct, I may have found a bug, as I have some 
> log entries like:
> 
> Jun 30 08:24:20 bubba dovecot: imap-login: Warning: Auth connection 
> closed with 1 pending requests (max 31 secs, pid=10253, EOF)
> Jun 30 08:24:20 bubba dovecot: auth: Fatal: master: service(auth): child 
> 31631 killed with signal 11 (core dumped)
> 
> Guidance would be appreciated.
> 
> -- 
> Daniel

Hi!

First of all, which version are you running, and can you get a bt full 
backtrace of the crash?

Secondly, the endpoint does not need to be a proper web server, you can compare 
with https://github.com/PowerDNS/weakforced which is another implementation of 
auth policy server.

Aki


Auth Policy Server

2017-06-30 Thread Daniel Miller
I've made a preliminary auth policy server in Perl - and it sort of 
works (mostly) - but I've got some questions on "proper" implementation.


It appears the communication is HTTP based - is the intent to talk to a 
"proper" webserver, or is a simple dedicated daemon appropriate (which 
is what I made)?


Should connections be maintained, or terminated after each response 
(which is my current setup)?


If my implementation is correct, I may have found a bug, as I have some 
log entries like:


Jun 30 08:24:20 bubba dovecot: imap-login: Warning: Auth connection 
closed with 1 pending requests (max 31 secs, pid=10253, EOF)
Jun 30 08:24:20 bubba dovecot: auth: Fatal: master: service(auth): child 
31631 killed with signal 11 (core dumped)


Guidance would be appreciated.

--
Daniel
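As an added example for this thread, not Daniel's Perl server, not weakforced and not Dovecot code: a minimal auth policy server in Python that answers the questions raised above. It shows that a small dedicated HTTP daemon is enough (no "proper" web server), guards the endpoint with HTTP Basic auth the way the wforce exchange in this thread ends up (the credential is "wforce:<password>", so the value in auth_policy_server_api_header must encode user and password, not the password alone), returns a "status" that rejects when negative, allows at 0 and delays the login by that many seconds when positive (which is why a 30-second delay on valid logins stalled authentication), and implements a country-restricted policy of the kind Daniel describes, with a constructed prefix-to-country table standing in for a GeoIP database. The request and response shape is my recollection of the Dovecot auth policy protocol, not something the thread shows, and is marked ASSUMED in the code: a JSON POST carrying at least "remote", "allow" or "report" appended to auth_policy_server_url, and "success" in the post-auth report. Verify it against the documentation for your Dovecot version. The "wforce" user name, the password and the port come from the thread; HOME_COUNTRY is assumed.

```python
# Added example for this thread: a minimal Dovecot-style auth policy server.
# Not Daniel's Perl server, not weakforced and not Dovecot code.  Protocol
# details marked ASSUMED are my recollection, not something the thread shows.
import base64
import ipaddress
import json
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from threading import Thread

API_USER = "wforce"                        # weakforced's fixed Basic-auth user name
API_PASSWORD = "ultra-secret-secure-safe"  # the password used in the thread
HOME_COUNTRY = "US"                        # assumed; Daniel did not name his country
FAILURES_BEFORE_DELAY = 3
FAIL_DELAY_SECONDS = 5                     # keep well below Dovecot's auth timeout

# Constructed prefix-to-country table standing in for a GeoIP database.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}
failures = {}  # remote address -> consecutive failures (in memory only)

def basic_auth_value(user, password):
    """Header value Dovecot sends: base64 of "user:password", not of the password alone."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decide(remote):
    """Pre-auth lookup. ASSUMED reply semantics: status < 0 rejects, 0 allows,
    > 0 delays the login by that many seconds."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return {"status": -1, "msg": "unparseable remote address"}
    if addr.is_loopback:
        return {"status": 0, "msg": "local client"}
    cc = next((c for net, c in COUNTRY_BY_PREFIX.items() if addr in net), None)
    if cc != HOME_COUNTRY:
        return {"status": -1, "msg": f"logins from {cc or 'unknown country'} not permitted"}
    if failures.get(remote, 0) >= FAILURES_BEFORE_DELAY:
        return {"status": FAIL_DELAY_SECONDS, "msg": "too many recent failures"}
    return {"status": 0, "msg": "OK"}  # never delay a good login (the thread's 30 s bug)

def handle(path, attrs):
    """ASSUMED: Dovecot appends "allow" (pre-auth) or "report" (post-auth, with
    "success") to auth_policy_server_url.  Reports only update the counters."""
    remote = str(attrs.get("remote", ""))
    if path.rstrip("/").endswith("report"):
        if str(attrs.get("success")).lower() == "true":
            failures.pop(remote, None)
        else:
            failures[remote] = failures.get(remote, 0) + 1
        return {"status": 0, "msg": "recorded"}
    return decide(remote)

class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.headers.get("Authorization") != basic_auth_value(API_USER, API_PASSWORD):
            self.send_response(401)  # the case wforce logs as "Web Authentication failed"
            self.send_header("WWW-Authenticate", 'Basic realm="policy"')
            self.end_headers()
            return
        try:
            attrs = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        except ValueError:
            attrs = {}  # garbage body: decide() rejects an empty remote address
        body = json.dumps(handle(self.path, attrs)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass

def start_server(host="127.0.0.1", port=8084):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    httpd = ThreadingHTTPServer((host, port), PolicyHandler)
    Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def query(port, path, attrs, auth):
    """Send one request the way Dovecot would; returns (HTTP status, JSON reply or None)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/{path}", method="POST",
                                 data=json.dumps(attrs).encode(),
                                 headers={"Content-Type": "application/json"})
    if auth:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None

if __name__ == "__main__":
    print("auth_policy_server_url = http://127.0.0.1:8084/\n"
          "auth_policy_server_api_header = Authorization: " + basic_auth_value(API_USER, API_PASSWORD))
    ThreadingHTTPServer(("127.0.0.1", 8084), PolicyHandler).serve_forever()
```

Run it, point auth_policy_server_url at it and copy the auth_policy_server_api_header line it prints into 95-policy.conf. That value is base64 of "wforce:ultra-secret-secure-safe"; the thread's first attempt encoded the password alone, which is exactly what the server here answers with 401 and what wforce logged as "Web Authentication failed". Any delay the policy returns must stay well below Dovecot's auth timeout, and a successful login should get status 0.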