Dovecot pigeonhole sieve proxy with ldap - proxy

for an upcoming IMAP migration, I need to proxy my users.
I plan to use Nginx for proxying IMAP and POPS traffic and directing them according to a LDAP attribute (mailHost)
But Nginx can't proxy SIEVE.
Dovecot PigeonHole seems to be able to proxy SIEVE protocol.
I try to configure it to avoid LDAP authentication because there's already an authentication on IMAP stores.
That doesn't work for now.
Here's my conf following this doc:
Pasword DB extra fields
Dovecot proxies
/etc/dovecot/dovecot.conf:
protocols sieve
!include conf.d/*.conf
/etc/dovecot/conf.d/90-sieve.conf
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
!include auth-ldap.conf.ext
/etc/dovecot/conf.d/auth-ldap.conf
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
/etc/dovecot/dovecot-ldap.conf.ext
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=host=%{ldap:mailHost}
And here's the error in the log when I try to modify a sieve script using Horde Webmail:
dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, session=
I surely missed a setting somewhere.
For now, I haven't found yet.
Any help will be greatly appreciated
Thanks

OK, I've found the problem
To proxy password to IMAP backends:
/etc/dovecot/dovecot-ldap.conf.ext:
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=nopassword=y, \
=host=%{ldap:mailHost}
=port=2000
The doc says:
If you don’t want proxy itself to do authentication, you can configure it to succeed with any given password. You can do this by returning an empty password and nopassword field.
And port 2000 is needed because the IMAP backend still in production is running an old version of timsieved (cyrus sieve implementation)
Then, the backends are waiting for PLAIN authentication.
That's disabled by default in Dovecot, so activate it with:
/etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-ldap.conf.ext
This degrades the security, so I will limit access to port 2000 to the dovecot pigeon-hole proxy.

Related

How to enable Proxy Auto Configuration file on windows 10?

I have tried to Proxy Auto Configuration that like follows on Windows10.
But it does not seems like be enabled.
I would like to decrypt HTTPS from specific IP address with mitmproxy but it does not pass through the proxy.
Why?
This Proxy Auto Configuration (PAC) file hosted by a HTTP server on LAN.
As a probability, some of applications does not follow this configuration if the applications adopt there own HTTPS library instead of windows builtin one?
My pac file:
function FindProxyForURL(url, host) {
if (host.indexOf("125.29.56.129") >= 0 || url.indexOf("125.29.56.129")) {
return "HTTPS 192.168.1.16:11161; DIRECT";
} else {
return "DIRECT";
}
}

Fitnesse set proxy for Chrome browser

I need to set proxy for Chrome browser in Fitnesse , so that the browser can open certain websites.
Is it possible to add it while initialising the selenium grid in Fitnesse ?
And also is it possible to add username and password to it ?
Adding Fitnesse code below : I am using a selenium hub
|Import |
|nl.hsac.fitnesse.fixture.slim.web|
!define GRID_HUB {http://remote-selenium.local:4444/wd/hub}
|script |selenium driver setup |
|connect to driver at |${GRID_HUB} |with capabilities|!{browserName:chrome} |
I need to pass the proxy object to this. How can I do that ?
A similar code in Java would be :
String nodeUrl = "http://remote-selenium.local:4444/wd/hub";
Proxy proxy = new Proxy();
proxy.setHttpProxy("proxy:8080");
proxy.setSslProxy("proxy:8080");
ChromeOptions options = new ChromeOptions();
options.setCapability("proxy",proxy);
RemoteWebDriver driver = new RemoteWebDriver(new URL(nodeUrl),options);
How can I achieve this in Fitnesse ?
I have to admit I never had to work with proxies, but some googling suggests that you should also be able to configure the proxy using the generic chrome.switches capability which passes them as command line options. Those options are described at: https://www.chromium.org/developers/design-documents/network-settings
So that would give you something like:
|script |map fixture |
|set value |chrome |for|browserName |
|set value |--proxy-server="http=http://proxy:8080/;https=http://proxy:8080/"|for|chrome.switches[0]|
|$chromeCapabilities=|copy map |
!define GRID_HUB {http://remote-selenium.local:4444/wd/hub}
|script |selenium driver setup |
|connect to driver at|${GRID_HUB}|with capabilities|$chromeCapabilities|
You could add more elements by adding lines setting values for chrome.switches[1], chrome.switches[2], etc.
So for instance:
|set value |--proxy-bypass-list="*.google.com;127.0.0.1:8080"|for|chrome.switches[1]|
To not proxy requests to any google.com subdomain or requests to 127.0.0.1 port 8080.
When not using a remote chrome (e.g. starting chrome using |start driver for|chrome|) you can pass command line arguments as profile. This should also allow for proxy settings. See for instance hsac-fitnesse-fixture's BrowserTest.SuiteSetUp that passes command line options to make Chrome run in headless mode.

WSO2 APIM 3.0 Configuration proxy problem

I need help for configuration WSO2APIM with proxy for backend.
My configuration In deployment.toml
[transport.passthru_https.sender.parameters]
http.proxyHost = "myadresseproxy"
http.proxyPort = "3128"
non-blocking = "true"
bind-address = ["localhost","myadresse"]
[transport.passthru_http.sender.parameters]
http.proxyHost = "myadresseproxy"
http.proxyPort = "3128"
non-blocking = "true"
bind-address = ["localhost","myadresse"]
This configuration doesn't work :
With API need proxy i have "Error connecting to the back end"
It's ok with API didn't need pass by proxy
with this configuration the file axis2.xml is correct
What can i do ? idea ?
Thank
There seems to be an issue with these configurations and it has fixed in https://github.com/wso2/product-apim/pull/7115/files. You can make these changes in wso2am-3.0.0/repository/resources/conf/default.json and get this done.

Caddy - Setting HTTPS on local domain

I would like to add HTTPS to my local domain, however we can't do this on localhost.
My website goes fine when I run with this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
But I would like to name this website or at least enable HTTPS on it. According to Caddy, you can't do this on localhost, but what if I have a domain name ?
I have tried using my own local address with this Caddyfile
192.168.100.26 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
All works fine but I still don't have HTTPS...
And when I try to add a random domain name for example
www.mycaddytest.com {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
I got the following error
Activating privacy features...2016/08/18 11:53:26 [www.mycaddytest.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.mycaddytest.com
Error Detail:
Validation for www.mycaddytest.com:80
Resolved to:
Used:
I know this error is dues to an unexisting domain name, but is there a way to deal with ?
Just getting HTTPS on localhost or ip address will be enough
Since Caddy 0.9 we can use the tls self_signed attribute.
Use this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / 192.168.100.82:9000
tls self_signed
}
And try https://localhost:2020
For caddy version 2.4.5, the accepted answer did not work me. What worked is shown below:
localhost:443 {
reverse_proxy 127.0.0.1:8080
tls internal
}
I know that answer is already accepted. But I had the same problem with Caddy v0.10.14 and it's a solution that helped me (but with real SSL certificate instead of self_signed):
Firstly, certificate & key pair must be in this directories: /etc/pki/tls/certs/ for certificate and /etc/pki/tls/private/ for key. So go to one of this directory with cd command
Then, create our own, self-signed certificate for HTTP2.0 testing with a single command, however. Just execute on your commandline to generate a SSL certificate + key pair:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
After that, move files to correct directories (see the first point)
Next, use this Caddyfile and try https://localhost:2020:
localhost:2020 {
bind {$ADDRESS}
root /var/www
gzip
tls your.address#example.com
tls /etc/pki/tls/certs/cert.crt /etc/pki/tls/private/cert.key
}
Also if you are running caddy in a docker container, you may need to import and trust the Root certificate.
docker ps
docker cp container_id:/config/caddy/pki/authorities/local/root.crt ~/Desktop
then the caddyfile, for laravel sail for example, could look something like this:
yourlocaldomain.dev{
tls internal
reverse_proxy laravel.test
}
more may be here https://gilbitron.me/blog/enabling-https-ssl-for-laravel-sail-using-caddy/

Problem requesting a HTTPS with TCL

I'm trying to do the following request using TCL (OpenACS)
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
The problem is that when I read the $status variable I get "eof" and the $answer variable becomes empty. I tried enabling tls V.1
http::register https 443 [list tls::socket -tls1 1]
and it works only for the site https://www.galileo.edu, but not for https://encrypted.google.com.
The site what I'm trying to connect is https://graph.facebook.com/me/feed?access_token=...
but it doesn't work.
I used curl to retrieve the contents of the pages in HTTPS and it works, I have installed OpenSSL, so I can't see the problem, there is another way to do HTTPS connections with TCL?.
I can't see if this is a problem of coding (maybe I'm registered wrong the https protocol) or maybe It is a bad configuration of my server. Hope somebody helps!! Thanks!
Hmm, I can't reproduce that. Which patchlevel of Tcl are you using, and which version of the tls package?
I did this:
package require http
package require tls
# This is your code, cut-n-pasted with blank lines removed
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
puts $status
And it produces “ok” as output, with $status's contents looking likely too (but too long to paste here). This is with Tcl 8.5.2 (I know I need to upgrade), http 2.7 and tls 1.6.

Resources