Dovecot + Weakforced Policy server

Wed Jan 16 12:05:15 EET 2019

Hi Aki,

I've configured in this way:

vm-weakforced:~# printf 'wforce:super' | base64
d2ZvcmNlOnN1cGVy

vm-weakforced:~# cat /etc/dovecot/conf.d/95-policy.conf
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = some random string
auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOnN1cGVy

With the same result...

 > WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web 
Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web 
Authentication failed
WforceWebserver: HTTP Request "/" from 127.0.0.1:39752: Web 
Authentication failed

I'm not considering some detail

Regards,

El 16/01/19 a las 09:26, Aki Tuomi escribió:
> Hi!
>
> You configure it like this:
>
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = some random string
> auth_policy_server_api_header = "Authorization: Basic d2ZvcmNlOkJydHpUNlRuTkZ4UUU="
>
> the authorization blob is basically
>
> printf 'wforce:super' | base64
>
> Aki
>
>> On 16 January 2019 at 10:06 alberto bersol <alberto at bersol.info> wrote:
>>
>>
>> Hi,
>> I'm trying to set Weakforced with Dovecot and I cannot log in policy
>> server. This is the config:
>>
>> /root/weakforced/wforce/wforce.conf
>> -----------------------------------
>> ...
>> webserver("0.0.0.0:8084", "super")
>> ...
>>
>> /etc/dovecot/conf.d/95-policy.conf
>> ----------------------------------
>> auth_policy_server_url = http://localhost:8084/
>> #auth_policy_hash_nonce = wforce:super
>> auth_policy_hash_nonce =
>> {SHA256-CRYPT}$5$Ue5UrToV.Bam02bQ$Bi9OJ62Mkgc20L2HnLVmD2OCHyXaKje6Hh7qNjnOkB9
>>
>> I'm following the instructions of Dovecot's wiki:
>> https://wiki.dovecot.org/Authentication/Policy
>> ...
>> "To generate the hash, you concatenate nonce, login name, nil byte,
>> password and run it through the hash algorithm once. The hash is
>> truncated when truncation is set to non-zero. The hash is truncated by
>> first choosing bits from MSB to byte boundary (rounding up), then
>> right-shifting the remainding bits.
>>
>> hash = H(nonce||user||'\x00'||password)
>> bytes = round8(bits*8)
>> hash = HEX(hash[0:bytes] >> (bytes-bits*8))
>>
>> And I set hash with password (super) in this way:
>>
>> vm-weakforced:~# doveadm pw -p noncewforce\x00super -s SHA256-CRYPT
>> {SHA256-CRYPT}$5$ZWIX2dnU7NJvGHgC$hYFbeCCaHYZv0yPP80GHygxQMPmI5BjMx2ttRe9zti2
>>
>>
>> But if I log in Dovecot Server:
>>
>> vm-weakforced:~# doveadm auth login usuario
>> Password:
>> passdb: usuario auth succeeded
>> extra fields:
>>     user=usuario
>>
>> userdb extra fields:
>>     usuario
>>     system_groups_user=usuario
>>     uid=1000
>>     gid=1000
>>     home=/home/usuario
>>
>> Answer of Weakforced is always "...authentication failed":
>>
>> WforceWebserver: HTTP Request "/" from 127.0.0.1:39720: Web
>> Authentication failed
>>
>> And Dovecot logs don't show anything else:
>> ...
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: auth client
>> connected (pid=967)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: client in:
>> AUTH#0111#011PLAIN#011service=doveadm#011resp=dXN1YXJpbwB1c3VhcmlvAHVzdWFyaW8=
>> (previous base64 data may contain sensitive data)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario):
>> Policy request http://localhost:8084/?command=allow
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: policy(usuario):
>> Policy server request JSON:
>> {"device_id":"","login":"usuario","protocol":"doveadm","pwhash":"0a00","remote":"","tls":false}
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> queue http://localhost:8084: Set request timeout to 2019-01-15
>> 16:50:52.236 (now: 2019-01-15 16:50:50.236)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
>> 127.0.0.1:8084 (shared): Peer created
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
>> 127.0.0.1:8084: Peer pool created
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Peer created
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> queue http://localhost:8084: Setting up connection to 127.0.0.1:8084 (1
>> requests pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Linked queue http://localhost:8084 (1 queues linked)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> queue http://localhost:8084: Started new connection to 127.0.0.1:8084
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Submitted
>> (requests left=1)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Creating 1 new connections to handle requests (already 0
>> usable, connecting to 0, closing 0)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Making new connection 1 of 1 (0 connections exist, 0
>> pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: (127.0.0.1:8084): Connecting
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: (127.0.0.1:8084): Waiting for connect (fd=20) to
>> finish for max 0 msecs
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: HTTP connection created (1 parallel connections exist)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: (127.0.0.1:8084): Client connected (fd=20)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: Connected
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: Ready for requests
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client: peer
>> 127.0.0.1:8084: Successfully connected (1 connections exist, 0 pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total
>> connections ready)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> queue http://localhost:8084: Connection to peer 127.0.0.1:8084 claimed
>> request [Req4: POST http://localhost:8084/?command=allow]
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: Claimed request [Req4: POST
>> http://localhost:8084/?command=allow]
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Sent header
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Send more
>> (sent 95, buffered=303)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Finished
>> sending payload
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: No more requests to service for this peer (1 connections
>> exist, 0 pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: Got 401 response for request [Req4: POST
>> http://localhost:8084/?command=allow] (took 4 ms + 3 ms in queue)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Error: policy(usuario):
>> Policy server HTTP error: 401 Unauthorized
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: Response payload stream destroyed (0 ms after
>> initial response)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Finished
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> queue http://localhost:8084: Dropping request [Req4: POST
>> http://localhost:8084/?command=allow]
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]:
>> request [Req4: POST http://localhost:8084/?command=allow]: Free
>> (requests left=1)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: peer
>> 127.0.0.1:8084: No requests to service for this peer (1 connections
>> exist, 0 pending)
>> Jan 15 16:50:50 vm-weakforced dovecot: auth: Debug: http-client[1]: conn
>> 127.0.0.1:8084 [2]: No more requests queued; going idle (timeout = 10000
>> msecs)
>> ...
>>
>> Any idea?
>>
>> Thank you so much
>> Regards,
>>