I've made a preliminary auth policy server in Perl - and it sort of works (mostly) - but I've got some questions on "proper" implementation.
It appears the communication is HTTP based - is the intent to talk to a "proper" webserver, or is a simple dedicated daemon appropriate (which is what I made)?
Should connections be maintained, or terminated after each response (which is my current setup)?
If my implementation is correct, I may have found a bug, as I have some log entries like:
Jun 30 08:24:20 bubba dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 31 secs, pid=10253, EOF) Jun 30 08:24:20 bubba dovecot: auth: Fatal: master: service(auth): child 31631 killed with signal 11 (core dumped)
Guidance would be appreciated.
-- Daniel
On June 30, 2017 at 9:49 PM Daniel Miller dmiller@amfes.com wrote:
I've made a preliminary auth policy server in Perl - and it sort of works (mostly) - but I've got some questions on "proper" implementation.
It appears the communication is HTTP based - is the intent to talk to a "proper" webserver, or is a simple dedicated daemon appropriate (which is what I made)?
Should connections be maintained, or terminated after each response (which is my current setup)?
If my implementation is correct, I may have found a bug, as I have some log entries like:
Jun 30 08:24:20 bubba dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 31 secs, pid=10253, EOF) Jun 30 08:24:20 bubba dovecot: auth: Fatal: master: service(auth): child 31631 killed with signal 11 (core dumped)
Guidance would be appreciated.
-- Daniel
Hi!
First of all, which version are you running, and can you get a bt full backtrace of the crash?
Secondly, the endpoint does not need to be a proper web server, you can compare with https://github.com/PowerDNS/weakforced which is another implementation of auth policy server.
Aki
On 6/30/2017 12:05 PM, Aki Tuomi wrote:
On June 30, 2017 at 9:49 PM Daniel Miller dmiller@amfes.com wrote:
I've made a preliminary auth policy server in Perl - and it sort of works (mostly) - but I've got some questions on "proper" implementation.
Hi!
First of all, which version are you running, and can you get a bt full backtrace of the crash?
Secondly, the endpoint does not need to be a proper web server, you can compare with https://github.com/PowerDNS/weakforced which is another implementation of auth policy server.
Aki
That link helped a lot - among other things forcing me to read. I actually broke my policy server trying to "improve" it - I implemented a 30-second auth delay on valid logins! Setting that back to 0 seems to do the trick...
I running Dovecot 2.2.28. For the bt - I'll be happy to if still desired, but you'll have to give me instructions as I don't know how.
As I continue tweaking this, if there's any interest I'll see about
sharing this. For my own needs I wanted a GeoIP based policy. My
thinking, skewed as it is, is that while SMTP needs to be relatively
open - as I have friends & business contacts in other countries - the
only people who access my IMAP server are somewhere in my country.
Therefore, simply restricting login attempts to only be from IP's in my
country will block the majority of botnets (at least, that's what I
think I'm seeing from my logs).
Daniel
On June 30, 2017 at 10:24 PM Daniel Miller dmiller@amfes.com wrote:
On 6/30/2017 12:05 PM, Aki Tuomi wrote:
On June 30, 2017 at 9:49 PM Daniel Miller dmiller@amfes.com wrote:
I've made a preliminary auth policy server in Perl - and it sort of works (mostly) - but I've got some questions on "proper" implementation.
Hi!
First of all, which version are you running, and can you get a bt full backtrace of the crash?
Secondly, the endpoint does not need to be a proper web server, you can compare with https://github.com/PowerDNS/weakforced which is another implementation of auth policy server.
Aki
That link helped a lot - among other things forcing me to read. I actually broke my policy server trying to "improve" it - I implemented a 30-second auth delay on valid logins! Setting that back to 0 seems to do the trick...
I running Dovecot 2.2.28. For the bt - I'll be happy to if still desired, but you'll have to give me instructions as I don't know how.
As I continue tweaking this, if there's any interest I'll see about sharing this. For my own needs I wanted a GeoIP based policy. My thinking, skewed as it is, is that while SMTP needs to be relatively open - as I have friends & business contacts in other countries - the only people who access my IMAP server are somewhere in my country.
Therefore, simply restricting login attempts to only be from IP's in my country will block the majority of botnets (at least, that's what I think I'm seeing from my logs).Daniel
Hi!
Please upgrade to at least 2.2.29, there are bugs fixed related to auth policy server, most likely your bug is fixed there too.
Aki
participants (2)
-
Aki Tuomi
-
Daniel Miller