<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">So for auth_policy_server_api_header, does the value of our_password come from the hashed response or the plain-text password? What else am I doing wrong?</div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 7 09:20:53 olddsm wforce[17763]: WforceWebserver: HTTP Request "/" from 127.0.0.1:56416: Web Authentication failed</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">curl -X POST -H "Content-Type: application/json" --data '{"login":"ouruser", "remote": "127.0.0.1", "pwhash":"hashed-password"}' <a href="http://127.0.0.1:8084/?command=allow" class="">http://127.0.0.1:8084/?command=allow</a> -u wforce:super</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">{"status":"failure", 
"reason":"Unauthorized"}</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;" class=""><br class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth-worker(18933): Debug: Loading modules from directory: /usr/lib64/dovecot/auth</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth-worker(18933): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): lookup service=dovecot</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth-worker(18933): Debug: pam(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): #1/1 style=1 msg=Password: 
</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request <a href="http://localhost:8084/?command=allow" class="">http://localhost:8084/?command=allow</a></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: queue <a href="http://localhost:8084:" class="">http://localhost:8084:</a> Set request timeout to 2019-03-07 09:32:17.520 (now: 2019-03-07 09:32:15.520)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: queue <a href="http://localhost:8084:" class="">http://localhost:8084:</a> Using existing connection to 127.0.0.1:8084 (1 requests pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST 
<a href="http://localhost:8084/?command=allow]:" class="">http://localhost:8084/?command=allow]:</a> Submitted (requests left=1)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: Using 1 idle connections to handle 1 requests (1 total connections ready)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: queue <a href="http://localhost:8084:" class="">http://localhost:8084:</a> Connection to peer 127.0.0.1:8084 claimed request [Req2: POST <a href="http://localhost:8084/?command=allow" class="">http://localhost:8084/?command=allow</a>] </span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Claimed request [Req2: POST <a href="http://localhost:8084/?command=allow" class="">http://localhost:8084/?command=allow</a>]</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow]:" class="">http://localhost:8084/?command=allow]:</a> Sent header</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 
255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow]:" class="">http://localhost:8084/?command=allow]:</a> Send more (sent 100, buffered=357)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: request [Req2: POST <a href="http://localhost:8084/?command=allow]:" class="">http://localhost:8084/?command=allow]:</a> Finished sending payload</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST <a href="http://localhost:8084/?command=allow" class="">http://localhost:8084/?command=allow</a>] (took 0 ms + 0 ms in queue)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Error: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server HTTP error: 401 Unauthorized</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: 
normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy request <a href="http://localhost:8084/?command=report" class="">http://localhost:8084/?command=report</a></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Mar 07 09:32:15 auth: Debug: policy(ouruser,127.0.0.1,<uuEF+YGDaNl/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","success":true,"policy_reject":false,"tls":false}</span></div></div><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Mar 7, 2019, at 2:42 AM, Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com" class="">aki.tuomi@open-xchange.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div text="#000000" bgcolor="#FFFFFF" class=""><p class="">wforce is the username always.</p><p class="">auth_policy_hash_nonce should be set to a pseudorandom value that
is shared by your server(s). Weakforced does not need it for
anything.</p><p class="">auth_policy_server_api_header should be set to Authorization:
Basic <echo -n wforce:our_password | base64></p><p class="">without the < >.<br class="">
</p><p class="">Aki<br class="">
</p>
<div class="moz-cite-prefix">On 6.3.2019 20.42, Robert Kudyba via
dovecot wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:CAFHi+KQ1BUyR5706SFYuCCm9Bk0Tb2iLR7XEGCcKn=nQoBNH4w@mail.gmail.com" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div class="">I took suggestions from <a href="https://forge.puppet.com/fraenki/wforce" moz-do-not-send="true" class="">https://forge.puppet.com/fraenki/wforce</a>
to set these in /etc/dovecot/conf.d/95-auth.conf</div>
<div class=""><br class="">
</div>
<div class="">auth_policy_server_url = <a href="http://localhost:8084/" moz-do-not-send="true" class="">http://localhost:8084/</a></div>
<div class="">auth_policy_hash_nonce = our_password</div>
<div class="">auth_policy_server_api_header = "Authorization:
Basic hash_from_running_echo-n_base64"</div>
<div class="">auth_policy_server_timeout_msecs = 2000</div>
<div class="">auth_policy_hash_mech = sha256</div>
<div class="">auth_policy_request_attributes =
login=%{requested_username}
pwhash=%{hashed_password} remote=%{rip}
device_id=%{client_id} protocol=%s</div>
<div class="">auth_policy_reject_on_fail = no</div>
<div class="">auth_policy_hash_truncate = 8</div>
<div class="">auth_policy_check_before_auth = yes</div>
<div class="">auth_policy_check_after_auth = yes</div>
<div class="">auth_policy_report_after_auth = yes</div>
<div class=""><br class="">
</div>
<div class="">And auth_debug=yes</div>
<div class=""><br class="">
</div>
<div class="">in /usr/local/etc/wforce.conf</div>
<div class="">webserver("<a href="http://0.0.0.0:8084" moz-do-not-send="true" class="">0.0.0.0:8084</a>",
"our_password")<br class="">
</div>
<div class="">So when I run:</div>
<div class="">curl -X POST -H "Content-Type: application/json"
--data '{"login":"ouruser", "remote": "127.0.0.1",
"pwhash":"our_password"}' <a href="http://127.0.0.1:8084/?command=allow" moz-do-not-send="true" class="">http://127.0.0.1:8084/?command=allow</a>
-u wforce:our_password</div>
<div class="">{"msg": "", "r_attrs": {"defaultReturn": "1"},
"status": 0}<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">What do the values wforce and super represent?
-u for user? And super is the password for the user?</div>
<div class="">
<pre style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;font-size:13.6px;margin-bottom:16px;margin-top:0px;background-color:rgb(246,248,250);border-radius:3px;line-height:1.45;overflow:auto;padding:16px;color:rgb(36,41,46)" class=""><code style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,'Liberation Mono',Menlo,Courier,monospace;background:transparent;border-radius:3px;margin:0px;padding:0px;border:0px;word-break:normal;display:inline;line-height:inherit;overflow:visible" class="">curl -X GET <a href="http://127.0.0.1:8084/?command=ping" moz-do-not-send="true" class="">http://127.0.0.1:8084/?command=ping</a> -u wforce:super</code></pre>
</div>
<div class="">I always get: </div>
<div class="">{"status":"failure", "reason":"Unauthorized"}<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Using Squirrelmail and logging in brings up the
mails but I see these Policy server HTTP error: 401
Unauthorized errors over and over:</div>
<div class="">
<div class=""><br class="">
</div>
<div class="">Mar 06 13:32:16 auth: Debug: http-client: peer
<a href="http://127.0.0.1:8084" moz-do-not-send="true" class="">127.0.0.1:8084</a>:
Successfully connected (1 connections exist, 0
pending)</div>
<div class="">Mar 06 13:32:16 auth: Debug: http-client[1]:
peer <a href="http://127.0.0.1:8084" moz-do-not-send="true" class="">127.0.0.1:8084</a>: Using
1 idle connections to handle 1 requests (1 <br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div></blockquote></div><br class=""></body></html>
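The header value described in Aki's reply, as an added example that is not part of the original thread: a POSIX shell sketch that builds the auth_policy_server_api_header value from the plain-text webserver() password and diagnoses a configured value that does not match. The function names are hypothetical, the sample password is the thread's placeholder, and `base64 -d` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Dovecot or wforce.
WFORCE_USER="wforce"   # username is always wforce, per the reply in the thread

# Build the header value from the plain-text password, i.e. the second
# argument of webserver() in wforce.conf. printf adds no trailing newline.
make_api_header() {
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$WFORCE_USER" "$1" | base64 | tr -d '\n')"
}

# Diagnose a configured header value against the webserver() password.
# Prints: ok | not-basic | trailing-newline | bad-base64 | wrong-password | wrong-user
check_api_header() {
    hdr=$1
    pw=$2
    case $hdr in
        "Authorization: Basic "*) tok=${hdr#"Authorization: Basic "} ;;
        *) echo not-basic; return 1 ;;
    esac
    good=$(printf '%s:%s' "$WFORCE_USER" "$pw" | base64 | tr -d '\n')
    # What `echo` without -n would have produced (newline inside the secret).
    with_nl=$(printf '%s:%s\n' "$WFORCE_USER" "$pw" | base64 | tr -d '\n')
    [ "$tok" = "$good" ] && { echo ok; return 0; }
    [ "$tok" = "$with_nl" ] && { echo trailing-newline; return 1; }
    # Assumption: base64 -d as in GNU coreutils / BusyBox.
    dec=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || { echo bad-base64; return 1; }
    case $dec in
        "$WFORCE_USER":*) echo wrong-password ;;
        *) echo wrong-user ;;
    esac
    return 1
}

# Constructed sample: the placeholder password from the thread's wforce.conf.
printf 'auth_policy_server_api_header = "%s"\n' "$(make_api_header 'our_password')"
```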