how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
We have dovecot-1:2.3.3-1.fc29.x86_64 running on Fedora 29. I'd like to test wforce, from https://github.com/PowerDNS/weakforced. I see instructions at the Authentication policy support page, https://wiki2.dovecot.org/Authentication/Policy I see the Required Minimum Configuration: auth_policy_ser

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-06 Thread Robert Kudyba via dovecot
:8084/?command=allow]: Finished sending payload Mar 06 13:32:16 auth: Debug: http-client[1]: peer 127.0.0.1:8084: No more requests to service for this peer (1 connections exist, 0 pending) Mar 06 13:32:16 auth: Debug: http-client[1]: conn 127.0.0.1:8084 [0]: Got 401 response for request [Req2: POST

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
ot;:"127.0.0.1","success":true,"policy_reject":false,"tls":false} > On Mar 7, 2019, at 2:42 AM, Aki Tuomi wrote: > > wforce is the username always. > > auth_policy_hash_nonce should be set to a pseudorandom value that is shared > by your server

Re: how to enable PowerDNS/Weakforced with Fedora and sendmail

2019-03-07 Thread Robert Kudyba via dovecot
;ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status":"ok"}{"status"

lua policy for Weakforce and web mail failed login attempts

2019-03-15 Thread Robert Kudyba via dovecot
The good news is I believe I got Weakforce running 1) curl -X GET http://127.0.0.1:8084/?command=ping -u wforce:ourpassword {"status":"ok"}[ 2) after running the sample for loop: for a in {1..101}; do curl -X POST -H "Content-Type: application/json" --data '{"login":"ahu", "remote": "127.0.0

configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
dovecot-2.3.3-1.fc29.x86_64 Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 (http_client_request_unref): assertion failed: (req->refcount > 0) Mar 28 10:04:47 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xe34fb) [0x7fe76e0834fb] -> /usr/lib64/dovecot/libdov

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> On Mar 28, 2019, at 10:29 AM, Aki Tuomi via dovecot > wrote: > >> On 28 March 2019 16:08 Robert Kudyba via dovecot wrote: >> >> >> dovecot-2.3.3-1.fc29.x86_64 >> >> Mar 28 10:04:47 auth: Panic: file http-client-request.c: line 283 >>

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
> Set > > ssl_client_ca_file=/path/to/cacert.pem to validate the certificate Can this be the Lets Encrypt cert that we already have? In other words we have: ssl_cert = Are you using haproxy or something in front of dovecot? No. Just Squirrelmail webmail with sendmail.

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-28 Thread Robert Kudyba via dovecot
Set ssl_client_ca_file=/path/to/cacert.pem to validate the certificate >>> >>> Can this be the Lets Encrypt cert that we already have? In other words we >>> have: >>> ssl_cert = >> ssl_key = >> >>> Can those be used? >> >> Set it to *CA* cert. You can also use >> >> ssl_client

Re: configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed

2019-03-29 Thread Robert Kudyba via dovecot
> > Well, as I said, it's up to squirrelmail to actually provide the real > client IP. Otherwise dovecot cannot know it. You can try turning on imap > rawlogs (see https://wiki.dovecot.org/Debugging/Rawlog >

Re: Editing fail2ban page?

2019-04-09 Thread Robert Kudyba via dovecot
> On Apr 9, 2019, at 9:03 AM, Mauricio Tavares via dovecot > wrote: > > In > https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.dovecot.org_HowTo_Fail2Ban&d=DwIBaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=pvPczF9hPXSNtmAKNFK4BCXvgxua

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > Probably there's an existing solution for both problems (subsequent > attempts and dnsbl): > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_weakforced&d=DwID-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X1Im4Y-eX

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > You are running some kind of proxy in front of it. No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > If you want it to show real client IP, you need to enable forwarding of > said data. With dovecot it's done by setting > > login_trusted_networks = your-upstrea

Re: Mail account brute force / harassment

2019-04-12 Thread Robert Kudyba via dovecot
> > > On 12 April 2019 21:45 Robert Kudyba via dovecot > wrote: > > > > > > > You are running some kind of proxy in front of it. > > > > No proxy. Just sendmail with users using emacs/Rmail or > Webmail/Squirrelmail. > > > > > If yo