Re: imapc and masteruser

2017-09-29 Thread Computerisms Corporation

Hi Sami


I followed this before, and it seemed the solution was to set

imapc_password = %w

However, dovecot will not start with this configuration.

In Sven's email, he places the imapc_password = %w as a default_field in the 
userdb on the primary instance.  If I remove the default field, I get the 
invalid credentials reported as above.  However, I still think this is the 
correct way to pass %w, because if I remove 'imapc_user = authapps' from the 
global config *and* 'imapc_password = %w' from the default_fields in the 
userdb, the logs on the shared instance show that the user password is not 
being passed in the imapc login:


2017-09-28 12:57:10.409884500 Sep 28 12:57:10 auth: Debug: 
static(bob.test,192.168.120.70,): lookup
2017-09-28 12:57:10.409903500 Sep 28 12:57:10 auth: Debug: 
static(bob.test,192.168.120.70,): username changed bob.test 
-> authapps
2017-09-28 12:57:10.409905500 Sep 28 12:57:10 auth: Info: 
static(authapps,192.168.120.70,): No password returned (and 
no nopassword)
2017-09-28 12:57:12.412437500 Sep 28 12:57:12 auth: Debug: client passdb out: 
FAIL  11  user=authapps   original_user=bob.test


Now this starts to be a bit complex. Not sure if you can get this working by 
returning imapc_password = %w from the first passdb. At least if it works it 
will only work with the PLAIN auth scheme.
What I would do here is to just trust that the user is already authenticated 
with the first ldap passdb in the primary server and then switch the imapc 
connection to both master user and master password.

So just put imapc_password=masterpassword in dovecot.conf of the primary server 
and on secondary server modify ldap config not to fetch the user password but 
always return password=masterpassword.


It took me a while to wrap my head around what you are saying here, but 
once I got it I found it a simple, elegant and absolutely brilliant solution.


In thinking about it, it occurred to me I could maybe do the same 
without even doing an ldap look up, so I changed the userdb/passdb 
stanzas on the shared instance like so:


userdb {
  args = uid=vmail gid=vmail home=/CTFN/SharedMailboxes/CTFN/
  driver = static
}
passdb {
  args = user=%u password=XXX
  driver = static
  master = yes
}
passdb {
  driver = static
}


Where the password is the value set for imapc_password on the primary 
instance.


The logs now show on the shared server that the user is authapps, and it 
has the correct effective uid/gid/home values, and the master user and 
the acl username is that of the user logging into the primary instance.


So looks like this will work!

Thank you, Sami, a bottle of Canada's finest is at your disposal...


And maybe protect the authentication scheme with allow_nets=127.0.0.1 from 
external abuse.

Sami




Re: 2.2.32 'doveadm replicator replicate -f' segfault

2017-09-29 Thread Aki Tuomi
Hi!

Thanks for your report.

Aki

> On September 29, 2017 at 6:25 PM Robert Giles wrote:
> 
> 
> Very minor bug;  not specifying the user mask with 'doveadm replicator 
> replicate -f' causes a segfault:
> 
> server:~# doveadm replicator replicate -f
> Segmentation fault
> 
> server:~# doveadm replicator replicate -f '*'
> 123 users updated
> 
> server:~# gdb /usr/bin/doveadm core.2418
> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7
> This GDB was configured as "x86_64-redhat-linux-gnu".
> Reading symbols from /usr/bin/doveadm...Reading symbols from 
> /usr/lib/debug/usr/bin/doveadm.debug...done.
> done.
> [New LWP 2418]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `doveadm replicator replicate -f'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x7fd2c059f921 in __strlen_sse2_pminub () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install 
> bzip2-libs-1.0.6-13.el7.x86_64 glibc-2.17-196.el7.x86_64 
> nss-softokn-freebl-3.28.3-8.el7_4.x86_64 xz-libs-5.2.2-1.el7.x86_64 
> zlib-1.2.7-17.el7.x86_64
> (gdb) bt full
> #0  0x7fd2c059f921 in __strlen_sse2_pminub () from /lib64/libc.so.6
> No symbol table info available.
> #1  0x7fd2c08c68f4 in str_append_tabescaped 
> (dest=dest@entry=0x5578cd69f668, src=0x0) at strescape.c:136
> No locals.
> #2  0x5578cb5a2731 in cmd_replicator_replicate (argc=1, 
> argv=0x5578cd6a75f8) at doveadm-replicator.c:245
>  ctx = 0x5578cd69f608
>  str = 0x5578cd69f668
>  line = 
> #3  0x5578cb5999d8 in doveadm_try_run (argv=0x5578cd6a75f0, argc=2, 
> cmd_name=0x5578cd6a7610 "replicator") at doveadm.c:223
>  cmd = 
> #4  main (argc=3, argv=0x5578cd6a75e8) at doveadm.c:383
>  cctx = {cmd = 0x0, argc = 0, argv = 0x0, username = 
> 0x5578cd6a77cf "root", cli = true, tcp_server = false, local_ip = {
>  family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' 
> , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
>__u6_addr32 = {0, 0, 0, 0}}}, ip4 = {s_addr = 0}}}, 
> remote_ip = {family = 0, u = {ip6 = {__in6_u = {
>__u6_addr8 = '\000' , __u6_addr16 = 
> {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
>ip4 = {s_addr = 0}}}, local_port = 0, remote_port = 0, 
> conn = 0x0}
>  cmd_name = 0x5578cd6a7610 "replicator"
>  quick_init = false
>  c = 
> (gdb) frame 4
> #4  main (argc=3, argv=0x5578cd6a75e8) at doveadm.c:383
> 383   !doveadm_try_run(cmd_name, argc, (const char **)argv) &&
> 
> 
> dovecot -n:
> -
> # 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.20 (7cd71ba)
> # OS: Linux 3.10.0-693.2.2.el7.x86_64 x86_64 Red Hat Enterprise Linux 
> Server release 7.4 (Maipo)
> auth_master_user_separator = *
> auth_username_format = %Ln
> auth_verbose = yes
> disable_plaintext_auth = no
> doveadm_password =  # hidden, use -P to show it
> first_valid_uid = 3
> imapc_features = rfc822.size fetch-headers
> imapc_host = some-imap-server
> imapc_user = %u
> last_valid_uid = 3
> mail_location = mdbox:~/mdbox
> mail_plugins = " zlib acl notify replication"
> mail_prefetch_count = 20
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext spamtest spamtestplus vnd.dovecot.duplicate
> mbox_write_locks = fcntl
> namespace inbox {
>inbox = yes
>location =
>mailbox Drafts {
>  special_use = \Drafts
>}
>mailbox Junk {
>  special_use = \Junk
>}
>mailbox Sent {
>  special_use = \Sent
>}
>mailbox "Sent Messages" {
>  special_use = \Sent
>}
>mailbox Trash {
>  special_use = \Trash
>}
>prefix =
> }
> passdb {
>args = /master-file
>driver = passwd-file
>master = yes
> }
> passdb {
>args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
>driver = ldap
> }
> plugin {
>mail_replica = tcp:server2:1109
>sieve = ~/.dovecot.sieve
>sieve_before = /some-path/global.sieve
>sieve_dir = ~/sieve
>sieve_extensions = +spamtest +spamtestplus +vnd.dovecot.duplicate
>sieve_spamtest_max_value = 100
>sieve_spamtest_status_header = X-PerlMx-Spam: Gauge=[[:alnum:]]+, 
> Probability=(-?[[:digit:]]+)%.*
>sieve_spamtest_status_type = score
>zlib_save = gz
>zlib_save_level = 6
> }
> protocols = imap lmtp sieve
> replication_max_conns = 30
> service aggregator {
>fifo_listener replication-notify-fifo {
>  user = vmail
>}
>unix_listener replication-notify {
>  user = vmail
>}
> }
> service doveadm {
>inet_listener {
>  port = 1109
>}
> }
> service imap-login {
>

2.2.32 'doveadm replicator replicate -f' segfault

2017-09-29 Thread Robert Giles
Very minor bug;  not specifying the user mask with 'doveadm replicator 
replicate -f' causes a segfault:


server:~# doveadm replicator replicate -f
Segmentation fault

server:~# doveadm replicator replicate -f '*'
123 users updated

server:~# gdb /usr/bin/doveadm core.2418
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/bin/doveadm...Reading symbols from 
/usr/lib/debug/usr/bin/doveadm.debug...done.
done.
[New LWP 2418]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `doveadm replicator replicate -f'.
Program terminated with signal 11, Segmentation fault.
#0  0x7fd2c059f921 in __strlen_sse2_pminub () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install 
bzip2-libs-1.0.6-13.el7.x86_64 glibc-2.17-196.el7.x86_64 
nss-softokn-freebl-3.28.3-8.el7_4.x86_64 xz-libs-5.2.2-1.el7.x86_64 
zlib-1.2.7-17.el7.x86_64

(gdb) bt full
#0  0x7fd2c059f921 in __strlen_sse2_pminub () from /lib64/libc.so.6
No symbol table info available.
#1  0x7fd2c08c68f4 in str_append_tabescaped 
(dest=dest@entry=0x5578cd69f668, src=0x0) at strescape.c:136
No locals.
#2  0x5578cb5a2731 in cmd_replicator_replicate (argc=1, 
argv=0x5578cd6a75f8) at doveadm-replicator.c:245
ctx = 0x5578cd69f608
str = 0x5578cd69f668
line = 
#3  0x5578cb5999d8 in doveadm_try_run (argv=0x5578cd6a75f0, argc=2, 
cmd_name=0x5578cd6a7610 "replicator") at doveadm.c:223
cmd = 
#4  main (argc=3, argv=0x5578cd6a75e8) at doveadm.c:383
cctx = {cmd = 0x0, argc = 0, argv = 0x0, username = 
0x5578cd6a77cf "root", cli = true, tcp_server = false, local_ip = {
family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' 
, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
  __u6_addr32 = {0, 0, 0, 0}}}, ip4 = {s_addr = 0}}}, 
remote_ip = {family = 0, u = {ip6 = {__in6_u = {
  __u6_addr8 = '\000' , __u6_addr16 = 
{0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
  ip4 = {s_addr = 0}}}, local_port = 0, remote_port = 0, 
conn = 0x0}
cmd_name = 0x5578cd6a7610 "replicator"
quick_init = false
c = 
(gdb) frame 4
#4  main (argc=3, argv=0x5578cd6a75e8) at doveadm.c:383
383 !doveadm_try_run(cmd_name, argc, (const char **)argv) &&


dovecot -n:
-
# 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.20 (7cd71ba)
# OS: Linux 3.10.0-693.2.2.el7.x86_64 x86_64 Red Hat Enterprise Linux 
Server release 7.4 (Maipo)
auth_master_user_separator = *
auth_username_format = %Ln
auth_verbose = yes
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
first_valid_uid = 3
imapc_features = rfc822.size fetch-headers
imapc_host = some-imap-server
imapc_user = %u
last_valid_uid = 3
mail_location = mdbox:~/mdbox
mail_plugins = " zlib acl notify replication"
mail_prefetch_count = 20
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext spamtest spamtestplus vnd.dovecot.duplicate
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /master-file
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  mail_replica = tcp:server2:1109
  sieve = ~/.dovecot.sieve
  sieve_before = /some-path/global.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +spamtest +spamtestplus +vnd.dovecot.duplicate
  sieve_spamtest_max_value = 100
  sieve_spamtest_status_header = X-PerlMx-Spam: Gauge=[[:alnum:]]+, 
Probability=(-?[[:digit:]]+)%.*
  sieve_spamtest_status_type = score
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap lmtp sieve
replication_max_conns = 30
service aggregator {
  fifo_listener replication-notify-fifo {
user = vmail
  }
  unix_listener replication-notify {
user = vmail
  }
}
service doveadm {
  inet_listener {
port = 1109
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  inet_listener lmtp {
port = 24
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
group = vmail
mode = 0660
user = vmail
  }
}
userdb {
  args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = " zlib acl notify replication sieve"
}
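The backtrace above shows strlen() being reached through str_append_tabescaped() with src=0x0, because the user mask argument was never supplied. The following is an added illustration, not dovecot's own code: a small reimplementation of the argument handling and tab-escaping (the escape rules mirror dovecot's protocol escaping; function names, the "-f" parsing and the exact protocol line format are assumptions) that rejects a missing mask before it can reach the escaper.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Escape src onto the end of dest the way dovecot tab-escapes protocol
 * fields (\001 -> \001 1, TAB -> \001 t, LF -> \001 n, CR -> \001 r).
 * The crashing str_append_tabescaped() ran strlen() on a NULL src; here
 * NULL is rejected. Returns the new length, or -1 on NULL or overflow. */
static int append_tabescaped(char *dest, size_t destlen, const char *src)
{
    size_t pos = strlen(dest);
    if (src == NULL)
        return -1;
    for (; *src != '\0'; src++) {
        char esc = 0;
        switch (*src) {
        case '\001': esc = '1'; break;
        case '\t':   esc = 't'; break;
        case '\n':   esc = 'n'; break;
        case '\r':   esc = 'r'; break;
        }
        if (pos + (esc != 0 ? 2 : 1) >= destlen)  /* keep room for NUL */
            return -1;
        if (esc != 0)
            dest[pos++] = '\001';
        dest[pos++] = esc != 0 ? esc : *src;
    }
    dest[pos] = '\0';
    return (int)pos;
}

/* Build the "REPLICATE\t<full|>\t<mask>\n" line from the arguments that
 * follow "replicator replicate". Returns 0 on success, -1 when the user
 * mask is missing (the "-f" alone case), -2 when out is too small. */
int build_replicate_line(int argc, char *const argv[], char *out, size_t outlen)
{
    bool full_sync = false;
    int i = 0;
    if (i < argc && strcmp(argv[i], "-f") == 0) {
        full_sync = true;
        i++;
    }
    const char *mask = i < argc ? argv[i] : NULL;  /* NULL when omitted */
    if (mask == NULL)
        return -1;  /* refuse here instead of handing NULL to the escaper */
    int n = snprintf(out, outlen, "REPLICATE\t%s\t", full_sync ? "full" : "");
    if (n < 0 || (size_t)n >= outlen)
        return -2;
    n = append_tabescaped(out, outlen, mask);
    if (n < 0 || (size_t)n + 1 >= outlen)
        return -2;
    out[n] = '\n';
    out[n + 1] = '\0';
    return 0;
}
```

With only "-f" the function returns -1 and the caller can print usage, which is the behaviour the unpatched command lacked.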

Re: Securing postfix to dovecot (SASL) auth

2017-09-29 Thread Aki Tuomi


On 27.09.2017 14:57, Peter wrote:
> On 28/09/17 00:11, Aki Tuomi wrote:
>>> ssl=yes is not documented to work for the auth service and it's highly
>>> likely that it is simply ignored.
>> It is documented for inet_listener's in general and is not ignored. Any
>> dovecot inet_listener can be given this flag.
>>
>> You could use stunnel on the other end.
> Does it turn the auth socket into a direct TLS connection, or is there a
> STARTTLS implementation for it?
>
>
> Peter

It will listen for direct TLS.

Aki


Re: Securing postfix to dovecot (SASL) auth

2017-09-29 Thread Patrick Ben Koetter
* Aki Tuomi:
> 
> 
> On 27.09.2017 13:21, Peter wrote:
> > On 27/09/17 20:35, Thomas Bauer wrote:
> >> service auth {
> >>   inet_listener{
> >> address=192.0.0.1
> >> port=10001
> >> ssl=yes
> >> }
> >> }
> > ssl=yes is not documented to work for the auth service and it's highly
> > likely that it is simply ignored.
> 
> It is documented for inet_listener's in general and is not ignored. Any
> dovecot inet_listener can be given this flag.

However AFAIK Postfix does not honor an SSL encrypted layer for SASL auth.

> You could use stunnel on the other end.

That's what we usually do.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 


Re: Conditionally disabling auth policy

2017-09-29 Thread Aki Tuomi


On 28.09.2017 22:32, Mark Moseley wrote:
> On Thu, Sep 28, 2017 at 9:34 AM, Aki Tuomi wrote:
>
>
> > On September 28, 2017 at 7:20 PM Mark Moseley
> > wrote:
> >
> >
> > On Wed, Sep 27, 2017 at 10:06 PM, Aki Tuomi
> > wrote:
> >
> > >
> > >
> > > On 27.09.2017 20:14, Mark Moseley wrote:
> > > > On Wed, Sep 27, 2017 at 10:03 AM, Marcus Rueckert
> >
> > > wrote:
> > > >
> > > >> On 2017-09-27 16:57:44 +, Mark Moseley wrote:
> > > >>> I've been digging into the auth policy stuff with
> weakforced lately.
> > > >> There
> > > >>> are cases (IP ranges, so could be wrapped up in remote {}
> blocks) where
> > > >>> it'd be nice to skip the auth policy (internal hosts that
> I can trust,
> > > >> but
> > > >>> that are hitting the same servers as the outside world).
> > > >>>
> > > >>> Is there any way to disable auth policy, possibly inside a
> remote{}?
> > > >>>
> > > >>> auth_policy_server_url complains that it can't be used
> inside a remote
> > > >>> block, so no dice there. Anything I'm missing?
> > > >> From my config:
> > > >> ```
> > > >>   allowed_subnets=newNetmaskGroup()
> > > >>   allowed_subnets:addMask('fe80::/64')
> > > >>   allowed_subnets:addMask('127.0.0.0/8')
> > > >> [snip]
> > > >>   if (not(allowed_subnets.match(lt.remote)))
> > > >>   -- do GeoIP check
> > > >>   end
> > > >> ```
> > > >>
> > > >> of course could just skip all checks in that case if really
> wanted. but
> > > >> you probably want to be careful not to skip too many checks
> otherwise
> > > >> the attack moves from your imap port e.g. to your webmailer.
> > > >>
> > > >>
> > > >>
> > > > Hi. Yup, I've got my own whitelisting going on, on the
> wforce side of
> > > > things. I'm just looking to forgo the 3 HTTP reqs completely
> to wforce,
> > > > from the dovecot side, if possible. I've got some internal
> services that
> > > > can generate a significant amount of dovecot logins, but
> it's kind of
> > > silly
> > > > to keep doing auth policy lookups for those internal servers.
> > > >
> > > > To continue the Lua thread, I was thinking I could also drop
> a local
> > > > openresty to do some conditional lookups. I.e. if remote IP
> is known
> > > good,
> > > > a localhost nginx just sends back the response; if not a
> known good IP,
> > > > then proxy the req over to the wforce cluster. That might be
> a bit
> > > overkill
> > > > though :)
> > > Hi!
> > >
> > > Currently it's not possible to disable auth_policy conditionally,
> > > although it does sound like a good idea.
> > >
> > > You should probably see also if your webmail supports passing the
> > > original IP to dovecot using
> > >
> > > a01 ID ("X-Original-IP" "1.2.3.4")
> > >
> > > before login, which would let you use weakforced in more
> meaningful way.
> > > There are few other fields too that can be used
> > >
> > > Aki
> > >
> >
> > Yup, I've got that set up. I've got no problems with
> short-circuiting the
> > request on the weakforce side quickly, in case of known good
> ips. Just
> > hoping to avoid some unnecessary auth policy lookups.
> >
> > Out of curiosity (and I've googled this before), what other
> fields can be
> > used there?
>
> * x-originating-ip - client IP
> * x-originating-port - client port
> * x-connected-ip - server IP (like, on proxy)
> * x-connected-port - server port
> * x-proxy-ttl - non-negative integer, decremented on each hop,
> used for loop detection.
> * x-session-id - session ID, if you want to provide one
> * x-session-ext-id - session prefix
> * x-forward- - field to import into passdb during
> authentication, comes prefixed with forward_. e.g if you set
> x-forward-username, it comes as forward_username, and can be used like
>
> username=%{forward_username}
>
>
>
> The 'forward' stuff is gold. I found that I had to access it like
> this: %{passwd:forward_}
>
> Is that the right way to use it?
>
> Also (unrelated), I noticed this in the wiki but it's not in the
> release notes for 2.2.32 (and it sounds super useful): 
>
> "Since v2.2.32 it's possible to use conditionals in variable expansion"

Depends where you use it. In passdb expansion, you can use
%{forward_name}. You should use userdb_something=%{forward_something} to
move it properly into userdb, you can drop the forward, too. We use this
to forward stuff from proxy=>backend.

Conditionals were