<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 28.3.2019 22.34, Robert Kudyba via
dovecot wrote:<br>
</div>
<blockquote type="cite"
cite="mid:145607CC-E8EA-4FDB-B232-260DD6425343@fordham.edu">
<div>
<blockquote type="cite" class="">
<div class="">
<div class="">
<blockquote type="cite" class="">
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class="">Set </div>
<div class=""> <br class="">
</div>
<div class="">
ssl_client_ca_file=/path/to/cacert.pem to
validate the certificate </div>
</div>
</blockquote>
<div class=""> <br class="">
</div>
<div class=""> Can this be the Lets Encrypt cert
that we already have? In other words we have: </div>
<div class="">
<div style="margin: 0px; font-stretch: normal;
font-size: 11px; line-height: normal;
font-family: Menlo;" class=""> <span
style="font-variant-ligatures:
no-common-ligatures;" class="">ssl_cert =
</etc/pki/dovecot/certs/dovecot.pem</span>
</div>
<div style="margin: 0px; font-stretch: normal;
font-size: 11px; line-height: normal;
font-family: Menlo;" class=""> <span
style="font-variant-ligatures:
no-common-ligatures;" class="">ssl_key =
</etc/pki/dovecot/private/dovecot.pem</span>
</div>
</div>
<div class=""> <br class="">
</div>
<div class=""> Can those be used? </div>
</div>
</blockquote>
<div class=""> <br class="">
</div>
<div class=""> Set it to *CA* cert. You can also use </div>
<div class=""> <br class="">
</div>
<div class=""> ssl_client_ca_file=/etc/pki/tls/ca-bundle
crt (on centos) </div>
</blockquote>
</div>
</div>
</blockquote>
<div><br class="">
</div>
OK did that.</div>
<div><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" class="">
<div class=""> ssl_client_ca_dir=/etc/ssl/certs (on debian
based) </div>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class=""> Are you using haproxy or something
in front of dovecot? </div>
</div>
</blockquote>
<br class="">
</div>
<div class=""> No. Just Squirrelmail webmail with
sendmail. </div>
<br class="">
</blockquote>
<div class=""> Maybe squirrelmail supports forwarding
original client ip with ID command. Otherwise dovecot
cannot know it. Or you could configure squirrelmail to
use weakforced ?</div>
</blockquote>
</div>
</blockquote>
<div><br class="">
</div>
I see some options in <a
href="http://squirrelmail.org/docs/admin/admin-5.html#ss5.3"
class="" moz-do-not-send="true">http://squirrelmail.org/docs/admin/admin-5.html#ss5.3</a>.
Would it be a plugin?<br class="">
<br class="">
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" class=""> </blockquote>
<div class=""> Also check that
auth_policy_request_attributes use %{rip} and not
%{real_rip}. You can see this with </div>
<div class=""> <br class="">
</div>
<div class=""> `doveconf auth_policy_request_attributes`</div>
</div>
</blockquote>
<br class="">
</div>
<div>Yes, I’ve confirmed it matches. Still getting the URL or IP of
the webmail address as well as errors like <span
style="font-family: Menlo; font-size: 11px;" class="">SSL
handshake to ex.ter.na.lip:8084 failed: Connection closed</span></div>
<div><br class="">
</div>
<div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: queue <a
href="https://ourdomain:8084:" class=""
moz-do-not-send="true">https://ourdomain:8084:</a> Timeout
(now: 2019-03-28 16:13:36.300)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: queue <a
href="https://ourdomain:8084:" class=""
moz-do-not-send="true">https://ourdomain:8084:</a>
Absolute timeout expired for request [Req10: POST <a
href="https://ourdomain:8084/?command=allow" class=""
moz-do-not-send="true">https://ourdomain:8084/?command=allow</a>]
(Request queued 2.002 secs ago, not yet sent, 0.000 in other
ioloops)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: request [Req10:
POST <a href="https://ourdomain:8084/?command=allow]:"
class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
Error: 9008 Absolute request timeout expired (Request queued
2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: queue <a
href="https://ourdomain:8084:" class=""
moz-do-not-send="true">https://ourdomain:8084:</a>
Dropping request [Req10: POST <a
href="https://ourdomain:8084/?command=allow" class=""
moz-do-not-send="true">https://ourdomain:8084/?command=allow</a>]</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Error:
policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
server HTTP error: Absolute request timeout expired (Request
queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: request [Req10:
POST <a href="https://ourdomain:8084/?command=allow]:"
class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
Destroy (requests left=1)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth: Debug: http-client[1]: request [Req10:
POST <a href="https://ourdomain:8084/?command=allow]:"
class="" moz-do-not-send="true">https://ourdomain:8084/?command=allow]:</a>
Free (requests left=0)</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth-worker(32249): Debug:
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): lookup
service=dovecot</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:36 auth-worker(32249): Debug:
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): #1/1 style=1
msg=Password: </span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:38 auth-worker(32249): Info:
pam(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): unknown user</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:38 auth: Debug:
policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
request <a href="https://ourdomain:8084/?command=report"
class="" moz-do-not-send="true">https://ourdomain:8084/?command=report</a></span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class="">Mar
28 16:13:38 auth: Debug:
policy(abc,127.0.0.1,<5aBSMC2FROF/AAAB>): Policy
server request JSON:
{"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}</span></div>
<div style="margin: 0px; font-stretch: normal; font-size: 11px;
line-height: normal; font-family: Menlo;" class=""><span
style="font-variant-ligatures: no-common-ligatures" class=""></span><br
class="">
</div>
</div>
</blockquote>
<p><br>
</p>
<p>Well, as I said, it's up to squirrelmail to actually provide the
real client IP. Otherwise dovecot cannot know it. You can try
turning on imap rawlogs (see
<a class="moz-txt-link-freetext" href="https://wiki.dovecot.org/Debugging/Rawlog">https://wiki.dovecot.org/Debugging/Rawlog</a>) and check if
squirrelmail is forwarding client ip or not.</p>
<p>Aki<br>
</p>
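<p>The log excerpt above shows the symptom Aki is pointing at: every policy request Dovecot sends to the policy server carries <code>"remote":"127.0.0.1"</code>, i.e. the webmail host rather than the real client, so the policy server sees all webmail logins as one source. The following script is an added example (not code from the thread, from Dovecot, or from weakforced) that parses <code>auth: Debug: policy(...)</code> lines of the shape quoted above, extracts the request JSON, and flags requests whose <code>remote</code> is loopback or a configured webmail address, plus counts the <code>Policy server HTTP error</code> lines so a timeout storm is visible as one number. The sample log, the user names, session ids and the 203.0.113.x address are constructed for the example; the line format is modelled on the quoted output and may differ between Dovecot versions.</p>

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample lines modelled on the "auth: Debug: policy(...)" output
# quoted in the thread. Users, session ids and addresses are placeholders,
# not data taken from the original mail.
SAMPLE_LOG = """\
Mar 28 16:13:36 auth: Error: policy(abc,127.0.0.1,<s1>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.002 secs ago, not yet sent, 0.000 in other ioloops)
Mar 28 16:13:38 auth: Debug: policy(abc,127.0.0.1,<s1>): Policy server request JSON: {"device_id":"","login":"abc","protocol":"imap","pwhash":"00","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
Mar 28 16:14:02 auth: Debug: policy(bob,203.0.113.7,<s2>): Policy server request JSON: {"device_id":"","login":"bob","protocol":"imap","pwhash":"a1","remote":"203.0.113.7","success":true,"policy_reject":false,"tls":true}
Mar 28 16:14:05 auth: Debug: policy(dave,127.0.0.1,<s3>): Policy server request JSON: {"device_id":"","login":"dave","protocol":"imap","pwhash":"ff","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
"""

# "policy(<user>,<ip>,<session>): Policy server request JSON: {...}"
REQUEST_RE = re.compile(
    r"policy\(([^,]*),([^,]*),[^)]*\): Policy server request JSON: (\{.*\})\s*$"
)
# "policy(<user>,<ip>,<session>): Policy server HTTP error: <message> (details)"
ERROR_RE = re.compile(r"policy\([^)]*\): Policy server HTTP error: (.*?)\s*(?:\(|$)")


def parse_policy_requests(log_text):
    """Return one dict per 'Policy server request JSON' line: the user, the
    address in the log prefix, the 'remote' field Dovecot sent to the policy
    server, and the decoded JSON body."""
    requests = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        user, log_ip, payload = m.groups()
        try:
            body = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or garbled line: skip rather than guess
        requests.append({"user": user, "log_ip": log_ip,
                         "remote": body.get("remote"), "body": body})
    return requests


def find_unforwarded(requests, webmail_hosts=()):
    """Flag requests whose 'remote' is loopback, one of the given webmail
    hosts/networks, or missing. In those cases the policy server is counting
    the webmail server as the client, so per-IP throttling hits every webmail
    user at once and the real client address never reaches it."""
    webmail_nets = [ipaddress.ip_network(h) for h in webmail_hosts]
    flagged = []
    for req in requests:
        try:
            addr = ipaddress.ip_address(req["remote"])
        except (ValueError, TypeError):
            flagged.append(req)  # no usable address at all
            continue
        if addr.is_loopback or any(addr in net for net in webmail_nets):
            flagged.append(req)
    return flagged


def count_policy_errors(log_text):
    """Count 'Policy server HTTP error' lines by message text (the bracketed
    queue details are dropped so identical errors aggregate)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def forwarding_ratio(requests, webmail_hosts=()):
    """Fraction of policy requests that carried a non-loopback, non-webmail
    client address; 0.0 when nothing was seen."""
    if not requests:
        return 0.0
    ok = len(requests) - len(find_unforwarded(requests, webmail_hosts))
    return ok / len(requests)


if __name__ == "__main__":
    reqs = parse_policy_requests(SAMPLE_LOG)
    for r in find_unforwarded(reqs):
        print(f"user={r['user']} remote={r['remote']}: client IP not forwarded")
    print("forwarded fraction:", forwarding_ratio(reqs))
    for msg, n in count_policy_errors(SAMPLE_LOG).items():
        print(f"{n}x policy server error: {msg}")
```

<p>Run it against <code>doveadm log find</code> output or the auth debug log after enabling <code>auth_debug</code>; if the flagged fraction stays at 100% for webmail logins, the webmail front end is not passing the client address on and the policy server's decisions are being made per webmail host, which is exactly the situation Aki describes. Pass the webmail server's public address in <code>webmail_hosts</code> when it does not connect over loopback.</p>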
</body>
</html>