<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>I took suggestions from <a href="https://forge.puppet.com/fraenki/wforce">https://forge.puppet.com/fraenki/wforce</a> to set these in /etc/dovecot/conf.d/95-auth.conf</div><div><br></div><div>auth_policy_server_url = <a href="http://localhost:8084/">http://localhost:8084/</a></div><div>auth_policy_hash_nonce = our_password</div><div>auth_policy_server_api_header = "Authorization: Basic hash_from_running_echo-n_base64"</div><div>auth_policy_server_timeout_msecs = 2000</div><div>auth_policy_hash_mech = sha256</div><div>auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s</div><div>auth_policy_reject_on_fail = no</div><div>auth_policy_hash_truncate = 8</div><div>auth_policy_check_before_auth = yes</div><div>auth_policy_check_after_auth = yes</div><div>auth_policy_report_after_auth = yes</div><div><br></div><div>And auth_debug=yes</div><div><br></div><div>in /usr/local/etc/wforce.conf</div><div>webserver("<a href="http://0.0.0.0:8084">0.0.0.0:8084</a>", "our_password")<br></div><div>So when I run:</div><div>curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"our_password"}' <a href="http://127.0.0.1:8084/?command=allow">http://127.0.0.1:8084/?command=allow</a> -u wforce:our_passwordi</div><div>{"msg": "", "r_attrs": {"defaultReturn": "1"}, "status": 0}<br></div><div><br></div><div>What's the value of wforce and super represent? -u for user? and super is the password for the user?</div><div><pre style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:13.6px;margin-bottom:16px;margin-top:0px;background-color:rgb(246,248,250);border-radius:3px;line-height:1.45;overflow:auto;padding:16px;color:rgb(36,41,46)"><code style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;background:transparent;border-radius:3px;margin:0px;padding:0px;border:0px;word-break:normal;display:inline;line-height:inherit;overflow:visible">curl -X GET <a href="http://127.0.0.1:8084/?command=ping">http://127.0.0.1:8084/?command=ping</a> -u wforce:super</code></pre></div><div>I always get: </div><div>{"status":"failure", "reason":"Unauthorized"}<br></div><div><br></div><div>Using Squirrelmail and logging in brings up the mails but I see these Policy server HTTP error: 401 Unauthorized errors over and over:</div><div><div><br></div><div>Mar 06 13:32:16 auth: Debug: http-client: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: Successfully connected (1 connections exist, 0 pending)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: Using 1 idle connections to handle 1 requests (1 total connections ready)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: queue <a href="http://localhost:8084">http://localhost:8084</a>: Connection to peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> claimed request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: Claimed request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Sent header</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Send more (sent 100, buffered=357)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Finished sending payload</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: No more requests to service for this peer (1 connections exist, 0 pending)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: Got 401 response for request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>] (took 1 ms + 3 ms in queue)</div><div>Mar 06 13:32:16 auth: Error: policy(our_user,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy server HTTP error: 401 Unauthorized</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: Response payload stream destroyed (0 ms after initial response)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Finished</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: queue <a href="http://localhost:8084">http://localhost:8084</a>: Dropping request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req1: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Free (requests left=1)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: No requests to service for this peer (1 connections exist, 0 pending)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: No more requests queued; going idle (timeout = 10000 msecs)</div><div>Mar 06 13:32:16 auth-worker(18997): Debug: Loading modules from directory: /usr/lib64/dovecot/auth</div><div>Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so</div><div>Mar 06 13:32:16 auth-worker(18997): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so</div><div>Mar 06 13:32:16 auth-worker(18997): Debug: pam(
our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): lookup service=dovecot</div><div>Mar 06 13:32:16 auth-worker(18997): Debug: pam(
our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): #1/1 style=1 msg=Password:</div><div>Mar 06 13:32:16 auth: Debug: policy(
our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy request <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a></div><div>Mar 06 13:32:16 auth: Debug: policy(
our_user ,127.0.0.1,<7CmLNXGDisV/AAAB>): Policy server request JSON: {"device_id":"","login":"our_user","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: queue <a href="http://localhost:8084">http://localhost:8084</a>: Set request timeout to 2019-03-06 13:32:18.444 (now: 2019-03-06 13:32:16.444)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: queue <a href="http://localhost:8084">http://localhost:8084</a>: Using existing connection to <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> (1 requests pending)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Submitted (requests left=1)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: Using 1 idle connections to handle 1 requests (1 total connections ready)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: queue <a href="http://localhost:8084">http://localhost:8084</a>: Connection to peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> claimed request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: Claimed request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Sent header</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Send more (sent 100, buffered=357)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>]: Finished sending payload</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: peer <a href="http://127.0.0.1:8084">127.0.0.1:8084</a>: No more requests to service for this peer (1 connections exist, 0 pending)</div><div>Mar 06 13:32:16 auth: Debug: http-client[1]: conn <a href="http://127.0.0.1:8084">127.0.0.1:8084</a> [0]: Got 401 response for request [Req2: POST <a href="http://localhost:8084/?command=allow">http://localhost:8084/?command=allow</a>] (took 0 ms + 0 ms in queue)</div><div> </div></div><div><br></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 11:54 AM Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 6 March 2019 18:25 Robert Kudyba via dovecot <<a href="mailto:dovecot@dovecot.org" target="_blank">dovecot@dovecot.org</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=ad_d6ykCRpPOr4ehYd6VB7xXoluB7mfL-zP1nLP1zYM&e=" target="_blank">https://github.com/PowerDNS/weakforced</a>.
<br>
</div>
<div dir="ltr">
<br>
</div>
<div>
I see instructions at the Authentication policy support page,
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki2.dovecot.org_Authentication_Policy&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=oUIaxcC0ZNouGhsggz0iRH5_TgJnMThAWf0hdo61_DE&e=" target="_blank">https://wiki2.dovecot.org/Authentication/Policy</a>
</div>
<div>
<br>
</div>
<div>
<div>
I see the Required Minimum Configuration:
</div>
<div>
auth_policy_server_url =
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com-3A4001_&d=DwMCaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=Gm8x93n3VUWar0O5bjRyc4UXRrVNleWCMK81g5isbuU&s=lj8gokzfoeFyaB5N_6VhObmjQ3VNkyPEyQLhuMxK_fk&e=" target="_blank">http://example.com:4001/</a>
</div>
<div>
auth_policy_hash_nonce = localized_random_string
</div>
</div>
<div>
<br>
</div>
<div>
But when I search for these directives, they're not found:
</div>
<div>
grep auth_policy_server_url /etc/dovecot/conf.d/*
<br>
</div>
<div>
<br>
</div>
<div>
Are these to be added to the /etc/dovecot/conf.d/10-auth.conf file? Does anyone know if a good tutorial?
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<br>
</div>
<div>
You can add them there if you want, dovecot combines all the files into one in the end.
</div>
<div class="gmail-m_4149581619392172137io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</div>
</blockquote></div>