how to enable PowerDNS/Weakforced with Fedora and sendmail

Aki Tuomi aki.tuomi at open-xchange.com
Thu Mar 7 18:33:48 EET 2019


In weakforced you have

 webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")

Thus, you make the base64 blob as

~$ echo -n wforce:THIS-IS-THE-PASSWORD-FOR-WFORCE | base64
d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=

And in dovecot you put

auth_policy_server_api_header = Authorization: Basic d2ZvcmNlOlRISVMtSVMtVEhFLVBBU1NXT1JELUZPUi1XRk9SQ0U=

Aki
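An added helper (not from the thread or from the weakforced/Dovecot projects) that builds the header value the way Aki describes and checks a configured value for the slips seen above: no colon after Authorization, base64 padding dropped, or the hash nonce used as the password. WFORCE_USER and the sample wforce.conf line are constructed here.

```python
import base64
import re

# weakforced always authenticates the API user as "wforce" (per the thread).
WFORCE_USER = "wforce"

# Constructed sample of the webserver() line from wforce.conf, as shown above.
SAMPLE_WFORCE_CONF = 'webserver("0.0.0.0:8084", "THIS-IS-THE-PASSWORD-FOR-WFORCE")\n'


def webserver_password(conf_text):
    """Extract the API password from the webserver(listen, password) call."""
    m = re.search(r'webserver\(\s*"[^"]*"\s*,\s*"([^"]*)"', conf_text)
    if not m:
        raise ValueError("no webserver(...) line found in wforce.conf")
    return m.group(1)


def api_header(password):
    """Equivalent of: echo -n wforce:PASSWORD | base64, as a Dovecot header value."""
    token = base64.b64encode(f"{WFORCE_USER}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def check_api_header(header_value, password):
    """List the problems in a configured auth_policy_server_api_header value.

    Covers the mistakes visible in this thread: no ':' after 'Authorization',
    a base64 token with its '=' padding dropped, and a token that was not built
    from wforce:<webserver password> (e.g. the hash nonce used instead).
    """
    problems = []
    m = re.match(r'^\s*"?Authorization(:?)\s+Basic\s+(\S+?)"?\s*$', header_value)
    if not m:
        return ["value is not of the form 'Authorization: Basic <base64>'"]
    if m.group(1) != ":":
        problems.append("missing ':' after 'Authorization'")
    token = m.group(2)
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:
        # Stripped '=' padding makes the token undecodable; repair it and report.
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode()
            problems.append("base64 token is missing its '=' padding")
        except ValueError:
            return problems + ["token is not valid base64"]
    if decoded != f"{WFORCE_USER}:{password}":
        problems.append(f"token decodes to {decoded!r}, not 'wforce:<webserver password>'")
    return problems
```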

> On 7 March 2019 16:41 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
> 
> 
> So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-text password? What else am I doing wrong?
> 
> Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed
> 
> curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"hashed-password"}' http://127.0.0.1:8084/?command=allow -u wforce:super
> {"status":"failure", "reason":"Unauthorized"}
> 
> 
> Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): lookup service=dovecot
> Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): #1/1 style=1 msg=Password:
> Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=allow
> Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
> Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Set request timeout to 2019-03-07 09:32:17.520 (now: 2019-03-07 09:32:15.520)
> Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Using existing connection to 127.0.0.1:8084 (1 requests pending)
> Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Submitted (requests left=1)
> Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready)
> Mar 07 09:32:15 auth: Debug: http-client[1]: queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed request [Req2: POST http://localhost:8084/?command=allow]
> Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req2: POST http://localhost:8084/?command=allow]
> Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Sent header
> Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Send more (sent 100, buffered=357)
> Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST http://localhost:8084/?command=allow]: Finished sending payload
> Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending)
> Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST http://localhost:8084/?command=allow] (took 0 ms + 0 ms in queue)
> Mar 07 09:32:15 auth: Error: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server HTTP error: 401 Unauthorized
> Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request http://localhost:8084/?command=report
> Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}
> 
> > On Mar 7, 2019, at 2:42 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> > 
> > 
> > wforce is the username always.
> > auth_policy_hash_nonce should be set to a pseudorandom value that is shared by your server(s). Weakforced does not need it for anything.
> > auth_policy_server_api_header should be set to Authorization: Basic <echo -n wforce:our_password | base64>
> > without the < >.
> > 
> > Aki
> > 
> > On 6.3.2019 20.42, Robert Kudyba via dovecot wrote:
> > 
> > > I took suggestions from https://forge.puppet.com/fraenki/wforce to set these in /etc/dovecot/conf.d/95-auth.conf
> > > 
> > > auth_policy_server_url = http://localhost:8084/
> > > auth_policy_hash_nonce = our_password
> > > auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"
> > > auth_policy_server_timeout_msecs = 2000
> > > auth_policy_hash_mech = sha256
> > > auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
> > > auth_policy_reject_on_fail = no
> > > auth_policy_hash_truncate = 8
> > > auth_policy_check_before_auth = yes
> > > auth_policy_check_after_auth = yes
> > > auth_policy_report_after_auth = yes
> > > 
> > > And auth_debug=yes
> > > 
> > > in /usr/local/etc/wforce.conf
> > > 
> > > webserver("0.0.0.0:8084", "our_password")
> > > 
> > > So when I run:
> > > 
> > > curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"our_password"}' http://127.0.0.1:8084/?command=allow -u wforce:our_passwordi
> > > 
> > > {"msg": "", "r_attrs": {"defaultReturn": "1"}, "status": 0}
> > > 
> > > What do the values wforce and super represent? -u for user? And super is the password for the user?
> > > 
> > > curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:super
> > > 
> > > I always get:
> > > 
> > > {"status":"failure", "reason":"Unauthorized"}
> > > 
> > > Using Squirrelmail and logging in brings up the mails, but I see these Policy server HTTP error: 401 Unauthorized errors over and over:
> > > 
> > > Mar 06 13:32:16 auth: Debug: http-client: peer 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
> > > Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 
> > > 
>

