how to show FreeIPA/Kerberos Password expired on webmail login

2021-04-30 Thread Robert Kudyba
Using dovecot-2.3.14-1.fc33.x86_64 with FreeIPA & Kerberos if a user's password is expired in a web mail login, e.g., with Squirrelmail, the user sees: "Unknown user or password incorrect." The dovecot logs show: auth: Debug: client passdb out: FAIL1 user=ouru...@ourdomain.edu code=p

Dovecot integration w/ FreeIPA expired password as well as if over quota login notice; local user can't login

2021-04-26 Thread Robert Kudyba
As I continue to test freeipa-server-4.9.3-1, on Fedora 33 with dovecot-2.3.14-1 I've run into the following issues with web mail and Dovecot integration. 1. I followed https://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On but I couldn't get web mail to login un

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > > On 12 April 2019 21:45 Robert Kudyba via dovecot > wrote: > > > > > > > You are running some kind of proxy in front of it. > > > > No proxy. Just sendmail with users using emacs/Rmail or > Webmail/Squirrelmail. > > > > > If yo

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > You are running some kind of proxy in front of it. No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > If you want it to show real client IP, you need to enable forwarding of > said data. With dovecot it's done by setting > > login_trusted_networks = your-upstrea

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > Probably there's an existing solution for both problems (subsequent > attempts and dnsbl): > > > > https://github.com/PowerDNS/weakforced

Re: Editing fail2ban page?

2019-04-09 Thread Robert Kudyba via dovecot
> On Apr 9, 2019, at 9:03 AM, Mauricio Tavares via dovecot > wrote: > > In > https://wiki.dovecot.org/HowTo/Fail2Ban

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-29 Thread Robert Kudyba via dovecot
> > Well, as I said, it's up to squirrelmail to actually provide the real > client IP. Otherwise dovecot cannot know it. You can try turning on imap > rawlogs (see https://wiki.dovecot.org/Debugging/Rawlog >

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
Set ssl_client_ca_file=/path/to/cacert.pem to validate the certificate >>> >>> Can this be the Let's Encrypt cert that we already have? In other words we >>> have: >>> ssl_cert = >> ssl_key = >> >>> Can those be used? >> >> Set it to *CA* cert. You can also use >> >> ssl_client

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificate Can this be the Let's Encrypt cert that we already have? In other words we have: ssl_cert = Are you using haproxy or something in front of dovecot? No. Just Squirrelmail webmail with sendmail.

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot > wrote: > >> On 28 March 2019 16:08 Robert Kudyba via dovecot wrote: >> >> >> dovecot-2.3.3-1.fc29.x86_64 >> >> Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 >>

configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
dovecot-2.3.3-1.fc29.x86_64 Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 (http_client_request_unref): assertion failed: (req->refcount > 0) Mar 28 10:04:47 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> /usr/lib64/dovecot/libdov

lua policy for Weakforce and web mail failed login attempts

2019-03-15 Thread Robert Kudyba via dovecot
The good news is I believe I got Weakforce running 1) curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword {"status":"ok"}[ 2) after running the sample for loop: for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ahu", "remote": "127.0.0

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status"

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
":"127.0.0.1","success":true,"policy_reject":false,"tls":false} > On Mar 7, 2019, at 2:42 AM, Aki Tuomi wrote: > > wforce is the username always. > > auth_policy_hash_nonce should be set to a pseudorandom value that is shared > by your server

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
:8084/?command=allow]: Finished sending payload Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST

how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_ser

after reboot listen(*, 995) failed: Address already in use/listen(*, 993) failed: Address already in use

2018-11-08 Thread Robert Kudyba
This is still happening after a reboot, Fedora 28. Restarting dovecot fixes the problem. Does anyone know if it could be related to this bug report? https://bugzilla.redhat.com/show_bug.cgi?id=103401#c130 and suggested workaround to add

imap Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0 on Fedora 24

2016-12-15 Thread Robert Kudyba
Seems to be related to https://bugzilla.redhat.com/show_bug.cgi?id=1189198. Separate note the link to Overview of all dovecot.org mailing lists http://dovecot.org/mailman/listinfo