<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 28.3.2019 22.34, Robert Kudyba via
      dovecot wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:145607CC-E8EA-4FDB-B232-260DD6425343@fordham.edu">
      <div>
        <blockquote type="cite" class="">
          <div class="">
            <div class="">
              <blockquote type="cite" class="">
                <blockquote type="cite" class="">
                  <div class="">
                    <blockquote type="cite" class="">
                      <div class="">
                        <div class="">Set </div>
                        <div class=""> <br class="">
                        </div>
                        <div class="">
                          ssl_client_ca_file=/path/to/cacert.pem to
                          validate the certificate  </div>
                      </div>
                    </blockquote>
                    <div class=""> <br class="">
                    </div>
                    <div class=""> Can this be the Lets Encrypt cert
                      that we already have? In other words we have: </div>
                    <div class="">
                      <div style="margin: 0px; font-stretch: normal;
                        font-size: 11px; line-height: normal;
                        font-family: Menlo;" class=""> <span
                          style="font-variant-ligatures:
                          no-common-ligatures;" class="">ssl_cert =
                          </etc/pki/dovecot/certs/dovecot.pem</span>
                      </div>
                      <div style="margin: 0px; font-stretch: normal;
                        font-size: 11px; line-height: normal;
                        font-family: Menlo;" class=""> <span
                          style="font-variant-ligatures:
                          no-common-ligatures;" class="">ssl_key =
                          </etc/pki/dovecot/private/dovecot.pem</span>
                      </div>
                    </div>
                    <div class=""> <br class="">
                    </div>
                    <div class=""> Can those be used? </div>
                  </div>
                </blockquote>
                <div class=""> <br class="">
                </div>
                <div class=""> Set it to *CA* cert. You can also use </div>
                <div class=""> <br class="">
                </div>
                <div class=""> ssl_client_ca_file=/etc/pki/tls/ca-bundle
                  crt (on centos)  </div>
              </blockquote>
            </div>
          </div>
        </blockquote>
        <div><br class="">
        </div>
        OK did that.</div>
      <div><br class="">
      </div>
      <div>
        <blockquote type="cite" class="">
          <div class="">
            <blockquote type="cite" class="">
              <div class=""> ssl_client_ca_dir=/etc/ssl/certs (on debian
                based) </div>
              <blockquote type="cite" class="">
                <div class="">
                  <blockquote type="cite" class="">
                    <div class="">
                      <div class=""> Are you using haproxy or something
                        in front of dovecot? </div>
                    </div>
                  </blockquote>
                  <br class="">
                </div>
                <div class=""> No. Just Squirrelmail webmail with
                  sendmail. </div>
                <br class="">
              </blockquote>
              <div class=""> Maybe squirrelmail supports forwarding
                original client ip with ID command. Otherwise dovecot
                cannot know it. Or you could configure squirrelmail to
                use weakforced ?</div>
            </blockquote>
          </div>
        </blockquote>
        <div><br class="">
        </div>
        I see some options in <a
          href="http://squirrelmail.org/docs/admin/admin-5.html#ss5.3"
          class="" moz-do-not-send="true">http://squirrelmail.org/docs/admin/admin-5.html#ss5.3</a>.
        Would it be a plugin?<br class="">
        <br class="">
        <blockquote type="cite" class="">
          <div class="">
            <blockquote type="cite" class=""> </blockquote>
            <div class=""> Also check that
              auth_policy_request_attributes use %{rip} and not
              %{real_rip}. You can see this with  </div>
            <div class=""> <br class="">
            </div>
            <div class=""> `doveconf auth_policy_request_attributes`</div>
          </div>
        </blockquote>
        <br class="">
      </div>
      <div>Yes I’ve confirmed it matches. Still getting the URL or IP of
        the webmail address as well as errors like <span
          style="font-family: Menlo; font-size: 11px;" class="">SSL
          handshake to ex.ter.na.lip:8084 failed: Connection closed</span></div>
      <div><br class="">
      </div>
      <div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: queue <a
              href="https://ourdomain:8084:" class=""
              moz-do-not-send="true">https://ourdomain:8084:</a> Timeout
            (now: 2019-03-28 16:13:36.300)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: queue <a
              href="https://ourdomain:8084:" class=""
              moz-do-not-send="true">https://ourdomain:8084:</a>
            Absolute timeout expired for request [Req10: POST <a
              href="https://ourdomain:8084/?command=allow" class=""
              moz-do-not-send="true">https://ourdomain:8084/?command=allow</a>]
            (Request queued 2.002 secs ago, not yet sent, 0.000 in other
            ioloops)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: request [Req10:
            POST <a href="https://ourdomain:8084/?command=allow]:"
              class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
            Error: 9008 Absolute request timeout expired (Request queued
            2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: queue <a
              href="https://ourdomain:8084:" class=""
              moz-do-not-send="true">https://ourdomain:8084:</a>
            Dropping request [Req10: POST <a
              href="https://ourdomain:8084/?command=allow" class=""
              moz-do-not-send="true">https://ourdomain:8084/?command=allow</a>]</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Error:
            policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
            server HTTP error: Absolute request timeout expired (Request
            queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: request [Req10:
            POST <a href="https://ourdomain:8084/?command=allow]:"
              class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
            Destroy (requests left=1)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth: Debug: http-client[1]: request [Req10:
            POST <a href="https://ourdomain:8084/?command=allow]:"
              class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
            Free (requests left=0)</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth-worker(32249): Debug:
            pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup
            service=dovecot</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:36 auth-worker(32249): Debug:
            pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1
            msg=Password: </span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:38 auth-worker(32249): Info:
            pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:38 auth: Debug:
            policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
            request <a href="https://ourdomain:8084/?command=report"
              class="" moz-do-not-send="true">https://ourdomain:8084/?command=report</a></span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class="">Mar
            28 16:13:38 auth: Debug:
            policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
            server request JSON:
{"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}</span></div>
        <div style="margin: 0px; font-stretch: normal; font-size: 11px;
          line-height: normal; font-family: Menlo;" class=""><span
            style="font-variant-ligatures: no-common-ligatures" class=""></span><br
            class="">
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
    <p>Well, as I said, it's up to squirrelmail to actually provide the
      real client IP. Otherwise dovecot cannot know it. You can try
      turning on imap rawlogs (see
      <a class="moz-txt-link-freetext" href="https://wiki.dovecot.org/Debugging/Rawlog">https://wiki.dovecot.org/Debugging/Rawlog</a>) and check if
      squirrelmail is forwarding client ip or not.</p>
    <p>Aki<br>
    </p>
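    <p>Added example (not from the thread, not Dovecot's or weakforced's own
      code): a toy in-process stand-in for the policy server that Dovecot POSTs
      to at the ?command=allow and ?command=report URLs seen in the debug log
      above. The request body is the exact JSON Dovecot logged; the response
      shape {"status": N, "msg": "..."} and its meaning (negative rejects, zero
      allows, positive allows after N seconds) are as I read Dovecot's
      auth-policy documentation. The thresholds, the class and function names,
      and the tag and client address in the ID example are hypothetical. It
      shows why "remote":"127.0.0.1" is a problem: every webmail user shares one
      counter, so a handful of bad passwords from any of them tarpits or locks
      out the whole webmail host. The second function builds the IMAP ID command
      a host listed in login_trusted_networks sends so that %{rip} becomes the
      browser's address.</p>

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the ?command=report body Dovecot logged in the thread, field for field.
SAMPLE_REPORT_BODY = (
    '{"device_id":"","login":"abc","protocol":"imap","pwhash":"00",'
    '"remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}'
)

# Hypothetical policy knobs for this toy server (weakforced uses its own Lua policy).
MAX_FAILURES = 3      # reject a remote after this many failed logins
TARPIT_SECONDS = 2    # delay in seconds once a remote has any failures on record


class ToyPolicyServer:
    """In-process stand-in for the HTTPS endpoint auth_policy_server_url points at.

    Dovecot POSTs JSON to the URL with ?command=allow before checking the password
    and to ?command=report afterwards, and expects {"status": N, "msg": "..."} back:
    negative N rejects the login, zero allows it, positive N allows it after N seconds.
    """

    def __init__(self):
        self.failures = {}  # remote address -> failed-login count

    def handle(self, url, body):
        command = parse_qs(urlsplit(url).query).get("command", [""])[0]
        req = json.loads(body)
        remote = req.get("remote", "")
        if command == "allow":
            # a real allow body has no "success" field; only "remote" matters here
            return self.allow(remote)
        if command == "report":
            return self.report(remote, bool(req.get("success")))
        return {"status": -1, "msg": "unknown command %r" % command}

    def allow(self, remote):
        n = self.failures.get(remote, 0)
        if n >= MAX_FAILURES:
            return {"status": -1, "msg": "too many failures from %s" % remote}
        if n > 0:
            return {"status": TARPIT_SECONDS, "msg": "tarpit %s" % remote}
        return {"status": 0, "msg": "ok"}

    def report(self, remote, success):
        if success:
            self.failures.pop(remote, None)
        else:
            self.failures[remote] = self.failures.get(remote, 0) + 1
        return {"status": 0, "msg": "recorded"}


def imap_id_forward(tag, client_ip, client_port):
    """Build the IMAP ID command a trusted webmail host (listed in Dovecot's
    login_trusted_networks) sends right after connecting, so that Dovecot records
    the browser's address as the remote IP instead of the webmail server's own."""
    return '%s ID ("x-originating-ip" "%s" "x-originating-port" "%d")' % (
        tag, client_ip, client_port)


if __name__ == "__main__":
    server = ToyPolicyServer()
    # Every webmail user arrives as 127.0.0.1, so they all share one counter:
    # three wrong passwords from any three of them lock out the whole webmail host.
    for _ in range(MAX_FAILURES):
        print(server.handle("https://ourdomain:8084/?command=report", SAMPLE_REPORT_BODY))
    print(server.handle("https://ourdomain:8084/?command=allow", SAMPLE_REPORT_BODY))
    print(imap_id_forward("a001", "203.0.113.7", 51234))
```

    <p>Run it as-is to see the shared 127.0.0.1 counter reach the reject
      threshold; with the ID forwarding in place (and the webmail host in
      login_trusted_networks) the "remote" field would carry the per-browser
      address and the counters would separate.</p>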
  </body>
</html>