How to perform acl check with mosquitto-auth-plugin

I've set up the plugin to use the HTTP backend. When connecting with username and password, the http_getuser_uri is used as it should be. But I would like to use the ACL check with http_aclcheck_uri.
My server configuration:
log_type all
connection_message true
listener 1883 localhost
listener 8883
certfile /etc/mosquitto/certs/cert.pem
cafile /etc/mosquitto/certs/chain.pem
keyfile /etc/mosquitto/certs/privkey.pem
auth_plugin /home/ubuntu/mqtt/mosquitto/auth-plug.so
auth_opt_backends http
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 80
auth_opt_http_getuser_uri /auth
auth_opt_http_superuser_uri /superuser
auth_opt_http_aclcheck_uri /acl
There are two publish events but it seems that mosquitto performs the acl check instead of the plugin.
log:
1519727880: New connection from xxx.xxx.xxx.xxx on port 8883.
1519727881: mosquitto_auth_unpwd_check(UserName)
1519727881: ** checking backend http
1519727881: url=http://127.0.0.1:80/auth
1519727881: data=username=UserName&password=PassWord&topic=&acc=-1&clientid=
1519727881: getuser(UserName) AUTHENTICATED=1 by http
1519727881: New client connected from xxx.xxx.xxx.xxx as 110299159666937 (c1, k60, u'UserName').
1519727881: Sending CONNACK to 110299159666937 (0, 0)
1519727881: Received SUBSCRIBE from 110299159666937
1519727881: alarm (QoS 0)
1519727881: 110299159666937 0 alarm
1519727881: Sending SUBACK to 110299159666937
1519727881: Received SUBSCRIBE from 110299159666937
1519727881: alarm (QoS 0)
1519727881: 110299159666937 0 alarm
1519727881: Sending SUBACK to 110299159666937
1519727881: mosquitto_auth_acl_check(..., 110299159666937, UserName, alarm, MOSQ_ACL_WRITE)
1519727881: aclcheck(UserName, alarm, 2) CACHEDAUTH: 0
1519727881: Received PUBLISH from 110299159666937 (d0, q0, r0, m0, 'alarm', ... (31 bytes))
1519727881: mosquitto_auth_acl_check(..., 110299159666937, UserName, alarm, MOSQ_ACL_READ)
1519727881: aclcheck(UserName, alarm, 1) CACHEDAUTH: 0
1519727881: Sending PUBLISH to 110299159666937 (d0, q0, r0, m0, 'alarm', ... (31 bytes))
Do I have to configure something extra in mosquitto.conf for passing the acl check to the backend?
Kind regards,
Bart

Disabling the cache (auth_opt_acl_cacheseconds 0) and returning the correct HTTP response (4xx) from /superuser solved the issue.
The superuser check is called before the ACL check (so configuring the superuser endpoint is mandatory).
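A minimal backend that answers the three URIs in the configuration above, as an added example (not code from the original post or from mosquitto-auth-plug). It assumes the plugin's documented contract, visible in the data= lines of the log: form-encoded POSTs carrying username, password, topic, acc and clientid, with a 2xx status meaning allow and 4xx meaning deny. The two users, the ACL table, the devices/%c/status pattern and port 8080 are this example's own. With the table as written, the READ check on alarm from the log passes and the WRITE check is refused, so the client's own publish would be dropped while its subscription still works.

```python
"""HTTP auth backend for mosquitto-auth-plug, matching the question's config (added example).

The broker POSTs application/x-www-form-urlencoded bodies with the fields
username, password, topic, acc and clientid to /auth, /superuser and /acl
(see the data= lines in the log above) and reads only the status code:
2xx allows, 4xx denies. The user table, the ACL rules and the port are
constructed sample data, not anything from the original post.
"""
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ACC_READ, ACC_WRITE, ACC_SUBSCRIBE = 1, 2, 4   # acc values sent by the plugin


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


# Constructed sample users: (salt, PBKDF2-SHA256 digest). Never keep plaintext here.
USERS = {
    "UserName": ("salt-1", _pbkdf2("PassWord", "salt-1")),
    "admin": ("salt-2", _pbkdf2("AdminPassWord", "salt-2")),
}
SUPERUSERS = {"admin"}
# Constructed per-user ACL: (topic pattern, allowed access bitmask).
# %u expands to the username and %c to the client id, like the plugin's own patterns.
ACLS = {
    "UserName": [("alarm", ACC_READ | ACC_SUBSCRIBE),
                 ("devices/%c/status", ACC_WRITE)],
}


def topic_matches(pattern, topic):
    """MQTT-style match: '+' matches exactly one level, '#' the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def check_user(username, password):
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def is_superuser(username):
    return username in SUPERUSERS


def acl_check(username, clientid, topic, acc):
    """Deny by default; allow only if a rule matches the topic and grants every requested bit."""
    for pattern, allowed in ACLS.get(username, []):
        pattern = pattern.replace("%u", username).replace("%c", clientid)
        if topic_matches(pattern, topic) and (allowed & acc) == acc:
            return True
    return False


def handle_request(path, form):
    """Map a POSTed form to the status the plugin will see: 200 allow, 403 deny."""
    username = form.get("username", "")
    if path == "/auth":
        return 200 if check_user(username, form.get("password", "")) else 403
    if path == "/superuser":
        return 200 if is_superuser(username) else 403
    if path == "/acl":
        try:
            acc = int(form.get("acc", "-1"))
        except ValueError:
            return 400
        if acl_check(username, form.get("clientid", ""), form.get("topic", ""), acc):
            return 200
        return 403
    return 404


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        self.send_response(handle_request(self.path, form))
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Loopback only; point auth_opt_http_ip/auth_opt_http_port at this address.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Because /superuser is consulted first, answering 200 from it for an ordinary user short-circuits every later ACL decision to allow; the handler returns 403 for anyone not in SUPERUSERS, which is the behaviour the answer above depends on. Keep acl_cacheseconds at 0 while testing rule changes, or a cached allow from an earlier run will mask them.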

Related

535 5.7.8 Error: authentication failed: authentication failure

I'm having a problem setting up authentication with SMTP on my mail server using Postfix. I have set up a test user inside the sasl_passwd file with the info test:testpass. The same result is obtained when running AUTH LOGIN as well.
220 rossiscloud.co.uk ESMTP Postfix
ehlo rossiscloud.co.uk
250-rossiscloud.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
535 5.7.8 Error: authentication failed: authentication failure
Logs:
Feb 3 22:45:31 rossiscloud postfix/smtpd[8189]: warning: SASL authentication failure: Password verification failed
Feb 3 22:45:31 rossiscloud postfix/smtpd[8189]: warning: rossiscloud.co.uk[192.168.0.200]: SASL PLAIN authentication failed: authentication failure
Feb 3 22:45:36 rossiscloud postfix/smtpd[8189]: disconnect from rossiscloud.co.uk[192.168.0.200]
main.cf
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file=/etc/letsencrypt/live/rossiscloud.co.uk/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/rossiscloud.co.uk/privkey.pem
smtpd_use_tls=yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains

mosquitto 1.4 - once running with ACL enabled, gets "Socket error on client <unknown>, disconnecting"

Following the instructions from Jeremy Gooch (see http://goochgooch.co.uk/2014/08/01/building-mosquitto-1-4/), I installed mosquitto with websockets on an RPi. I can sub/pub messages to the test site http://test.mosquitto.org/ws.html.
From that point, I enabled user and topic access control in mosquitto.conf for more tests, but the strange thing is that when I start mosquitto again, I see socket errors every second...
sudo /usr/local/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
1429857948: mosquitto version 1.4 (build date 2015-04-20 22:04:51+0800) starting
1429857948: Config loaded from /etc/mosquitto/mosquitto.conf.
1429857948: Opening ipv4 listen socket on port 1883.
1429857948: Opening ipv6 listen socket on port 1883.
1429857948: Warning: Address family not supported by protocol
1429857949: New connection from 127.0.0.1 on port 1883.
1429857949: Sending CONNACK to 127.0.0.1 (0, 5)
1429857949: Socket error on client <unknown>, disconnecting.
1429857950: New connection from 127.0.0.1 on port 1883.
1429857950: Sending CONNACK to 127.0.0.1 (0, 5)
...
I modified the config file to enable ACL only and commented out all the others, but the socket errors are still there. The config file now looks like this:
sudo nano /etc/mosquitto/mosquitto.conf
autosave_interval 1800
persistence true
persistence_file m2.db
persistence_location /var/tmp/
connection_messages true
log_timestamp true
log_dest stderr
log_type error
log_type warning
log_type debug
allow_anonymous false
password_file /etc/mosquitto/mqtt.pw
acl_file /etc/mosquitto/mqtt.acl
port 1883
protocol mqtt
I even tested with the sample password_file and acl_file, but got the same error.
I searched on Google, also with no result. Could anyone help with this? Thanks.
1429857949: Sending CONNACK to 127.0.0.1 (0, 5)
A CONNACK return code of 5 means the connection was not authorised. If it works with allow_anonymous=true, then it sounds like your client isn't sending a username, or isn't sending a correct username and password.
It looks like you have a Paho Python client running.
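The CONNECT/CONNACK exchange behind that return code, as an added example (not code from this thread, from mosquitto or from Paho): a small MQTT 3.1.1 codec plus a toy broker-side decision. broker_decide() is a simplified model of what a broker with allow_anonymous false and a password file does, not mosquitto's own code, and the pi/secret table is constructed. A client that decodes the CONNACK can report "not authorized" once instead of reconnecting every second as in the log above.

```python
"""MQTT 3.1.1 CONNECT/CONNACK codec plus a toy broker-side decision (added example).

Shows why a broker with allow_anonymous false answers return code 5 to a
CONNECT without a username. broker_decide() is a model of that check, not
mosquitto's code; the pi/secret table is constructed sample data.
"""
import struct

CONNACK_REASONS = {0: "accepted", 1: "unacceptable protocol version", 2: "identifier rejected",
                   3: "server unavailable", 4: "bad user name or password", 5: "not authorized"}

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(buf, pos):
    value, mult = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _mqtt_str(s):
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_connect(client_id, username=None, password=None, keepalive=60):
    """Client side: clean-session CONNECT; username/password flags set only when supplied."""
    flags, payload = 0x02, _mqtt_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_str(username)
        if password is not None:          # the password flag is only valid with a username
            flags |= 0x40
            payload += _mqtt_str(password)
    body = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connect(pkt):
    """Broker side: decode CONNECT, rejecting malformed lengths and flag combinations."""
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(pkt, 1)
    if len(pkt) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _read_str(pkt, pos)
    level, flags, (keepalive,) = pkt[pos], pkt[pos + 1], struct.unpack_from(">H", pkt, pos + 2)
    pos += 4
    if flags & 0x01 or (flags & 0x40 and not flags & 0x80):
        raise ValueError("reserved flag set or password without username")
    client_id, pos = _read_str(pkt, pos)
    conn = {"protocol": name.decode(), "level": level, "keepalive": keepalive,
            "client_id": client_id.decode(), "username": None, "password": None}
    if flags & 0x04:                      # will flag: skip will topic and will message
        _, pos = _read_str(pkt, pos)
        _, pos = _read_str(pkt, pos)
    if flags & 0x80:
        user, pos = _read_str(pkt, pos)
        conn["username"] = user.decode()
    if flags & 0x40:
        conn["password"], pos = _read_str(pkt, pos)
    return conn

USERS = {"pi": b"secret"}                 # constructed sample password table

def broker_decide(conn, allow_anonymous, users=USERS):
    """CONNACK return code; mosquitto 1.4 sends 5 for a missing and for a wrong credential alike."""
    if conn["protocol"] != "MQTT" or conn["level"] != 4:
        return 1
    if conn["username"] is None:
        return 0 if allow_anonymous else 5
    expected = users.get(conn["username"])
    return 0 if expected is not None and conn["password"] == expected else 5

def parse_connack(pkt):
    """Client side: (session_present, return_code, reason text)."""
    if len(pkt) != 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return bool(pkt[2] & 0x01), pkt[3], CONNACK_REASONS.get(pkt[3], "unknown return code")

def handshake(connect_pkt, allow_anonymous=False):
    """Client CONNECT in, toy broker CONNACK (0x20 0x02 flags code) out, decoded for the client."""
    code = broker_decide(parse_connect(connect_pkt), allow_anonymous)
    return parse_connack(bytes([0x20, 0x02, 0x00, code]))
```

The log line "Sending CONNACK to 127.0.0.1 (0, 5)" is exactly the four-byte packet parse_connack() reads: flags 0, return code 5. A client loop that treats any non-zero code as "retry immediately" produces the one-per-second pattern in the question; on code 5 the right reaction is to stop and fix the credentials.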
I had the same problem; my solution was that I wasn't closing the connection. Once I added client.Disconnect(), it solved my problem.
Code:
using System;
using System.Collections;
using System.Text;
using UnityEngine;
using uPLibrary.Networking.M2Mqtt;            // M2Mqtt client library
using uPLibrary.Networking.M2Mqtt.Messages;   // MqttProtocolVersion

public IEnumerator ooverhere()
{
    MqttClient client;
    // Plain TCP: secure=false, no TLS protocol, no certificate callbacks
    client = new MqttClient(urlPath, port, false, MqttSslProtocols.None, null, null);
    client.ProtocolVersion = MqttProtocolVersion.Version_3_1;
    // Connect() returns the CONNACK return code: 0 = accepted, 5 = not authorised
    byte code = client.Connect(Guid.NewGuid().ToString(), user, pass);
    if (code == 0)
    {
        Debug.Log("successful connection ...");
        //client.MqttMsgPublishReceived += client_recievedMessage;
        Debug.Log("your client id is: " + client.ClientId);
        client.Subscribe(new string[] { "example" }, new byte[] { 0 });
        client.Publish("Helpme", Encoding.UTF8.GetBytes("#" + 0));
        yield return client;
        // Send DISCONNECT so the broker does not log a socket error when the client goes away
        client.Disconnect();
    }
}

Mule SMTP transport on EC2

A Mule flow I have deployed to EC2 cannot send emails to a nodejs "simplesmtp" server running on another EC2 instance. Here are the authentication details for the SMTP server:
user: joseph
pass: josephk
port: 2525 (open in security group)
I can send emails to this SMTP server using various clients on other hosts; here's the auth part of a nodejs client:
var nodemailer = require('nodemailer');   // nodemailer 0.x API: createTransport(type, options)
var smtpTransport = nodemailer.createTransport("SMTP", {
    host: 'ec2-54-211-220-210.compute-1.amazonaws.com',
    secureConnection: false,   // no implicit TLS on connect
    port: 2525,
    auth: {
        user: "joseph",
        pass: "joseph12"
    }
});
My Mule SMTP endpoint looks like this:
<smtp:outbound-endpoint
    host="ec2-54-211-220-210.compute-1.amazonaws.com"
    port="2525"
    user="joseph"
    password="joseph12"
    to="cleardot@aol.com"
    from="joseph@ec2-54-211-220-210.compute-1.amazonaws.com"
    subject="Email from Mule ESB"
    doc:name="send notification"
/>
My log error is (I hate dumping log files on here but in this case have to)
INFO 2014-11-02 12:03:08,734 [[q2].connector.smtp.mule.default.dispatcher.01] org.mule.lifecycle.AbstractLifecycleManager: Starting: 'connector.smtp.mule.default.dispatcher.1535039248'. Object is: SmtpMessageDispatcher
ERROR 2014-11-02 12:03:08,815 [[q2].connector.smtp.mule.default.dispatcher.01] org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message : Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=smtp://joseph:<password>@ec2-54-211-220-210.compute-1.amazonaws.com, connector=SmtpConnector
{
name=connector.smtp.mule.default
lifecycle=start
this=54d8fd1a
numberOfConcurrentTransactedReceivers=4
createMultipleTransactedReceivers=true
connected=true
supportedProtocols=[smtp]
serviceOverrides=<none>
, name='endpoint.smtp.joseph.compute.1.amazonaws.com.2525', mep=ONE_WAY, properties={toAddresses=cleardot@aol.com, subject=Email from Mule ESB, fromAddress=joseph@ec2-54-211-220-210.compute-1.amazonaws.com}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: MimeMessage
Code : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. 530 5.5.1 Authentication Required
(com.sun.mail.smtp.SMTPSendFailedException)
com.sun.mail.smtp.SMTPTransport:1829 (null)
2. Failed to route event via endpoint: DefaultOutboundEndpoint{endpointUri=smtp://joseph:<password>@ec2-54-211-220-210.compute-1.amazonaws.com, connector=SmtpConnector
{
name=connector.smtp.mule.default
lifecycle=start
this=54d8fd1a
numberOfConcurrentTransactedReceivers=4
createMultipleTransactedReceivers=true
connected=true
supportedProtocols=[smtp]
serviceOverrides=<none>
}
, name='endpoint.smtp.joseph.compute.1.amazonaws.com.2525', mep=ONE_WAY, properties={toAddresses=cleardot@aol.com, subject=Email from Mule ESB, fromAddress=joseph@ec2-54-211-220-210.compute-1.amazonaws.com}, transactionConfig=Transaction{factory=null, action=INDIFFERENT, timeout=0}, deleteUnacceptedMessages=false, initialState=started, responseTimeout=10000, endpointEncoding=UTF-8, disableTransportTransformer=false}. Message payload is of type: MimeMessage (org.mule.api.transport.DispatchException)
org.mule.transport.AbstractMessageDispatcher:117 (http://www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/transport/DispatchException.html)
--------------------------------------------------------------------------------
Root Exception stack trace:
com.sun.mail.smtp.SMTPSendFailedException: 530 5.5.1 Authentication Required
at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:1829)
at com.sun.mail.smtp.SMTPTransport.mailFrom(SMTPTransport.java:1368)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:886)
+ 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
********************************************************************************
INFO 2014-11-02 12:03:09,697 [[q2].processArcMessage.stage1.02] org.mule.api.processor.LoggerMessageProcessor: send alert [B@3c32fb80
ERROR 2014-11-02 12:03:09,706 [[q2].connector.smtp.mule.default.dispatcher.01] org.mule.exception.DefaultMessagingExceptionStrategy:
Other comments:
I tried using joseph@ec2-54-211-220-210.compute-1.amazonaws.com as the user param with no luck.
I am wondering whether Mule SMTP requires that I use a standard port, or whether I must use SMTPS rather than SMTP.
My SMTP server logs attempts at authentication but sees nothing coming from Mule.
Any help appreciated on this and on the general issue of sending email from Mule on EC2.
Clearly Mule can connect to your server because its response is visible in the logs:
530 5.5.1 Authentication Required
While your server was open to the web (see my comment above), I noticed that it issued a 250 STARTTLS, so I'm thinking that you should probably use the SMTPS transport for Mule instead of the SMTP one, in order to have proper support for TLS.
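Both SMTP threads on this page come down to the AUTH dialogue: the Postfix post shows a hand-typed AUTH PLAIN blob rejected with 535 5.7.8, and the Mule flow received 530 5.5.1 because MAIL FROM arrived before any authentication. The following added example (not Postfix, simplesmtp, nodemailer or Mule code) builds the client-side PLAIN and LOGIN responses per RFC 4616 and drives a toy server that answers with those same codes; the credential table and the EHLO banner are constructed, and the server is a model of the protocol, not a real MTA.

```python
"""ESMTP AUTH exchange, both sides, for PLAIN and LOGIN (added example).

Serves the two SMTP threads above: the AUTH PLAIN blob from the Postfix
transcript and the 530 5.5.1 the Mule flow received. The client helpers
build the base64 a mail client sends; ToySmtpServer replies with the same
codes Postfix shows in those threads. Model of the protocol only; the
credential table and banner are constructed sample data.
"""
import base64
import hmac

OK_235 = "235 2.7.0 Authentication successful"
FAIL_535 = "535 5.7.8 Error: authentication failed: authentication failure"
NEED_530 = "530 5.5.1 Authentication Required"

def _b64decode(text):
    try:
        return base64.b64decode(text, validate=True)
    except (ValueError, TypeError) as exc:   # binascii.Error is a ValueError
        raise ValueError("bad base64") from exc

def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616: base64([authzid] NUL authcid NUL passwd); fields NUL-free, <= 255 octets."""
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    for field in (authzid, authcid, passwd):
        if "\0" in field or len(field.encode()) > 255:
            raise ValueError("invalid SASL PLAIN field")
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()

def decode_plain(b64):
    """Server side of PLAIN: (authzid, authcid, passwd), or ValueError when malformed."""
    parts = _b64decode(b64).split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

def login_responses(user, passwd):
    """AUTH LOGIN: the username and the password go as two separate base64 lines."""
    return [base64.b64encode(user.encode()).decode(), base64.b64encode(passwd.encode()).decode()]

class ToySmtpServer:
    """Server side of the dialogue: one client line in, one reply out."""

    def __init__(self, users, require_auth=True):
        self.users = users                # authcid -> password (constructed sample data)
        self.require_auth = require_auth
        self.authed = None
        self.pending = None               # ("plain",) or ("login", username_or_None)

    def _verify(self, user, passwd):
        self.pending = None
        expected = self.users.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), passwd.encode())
        self.authed = user if ok else None
        return OK_235 if ok else FAIL_535

    def _continue(self, line):
        """Consume the client's response to a 334 challenge (or an inline initial response)."""
        if line == "*":
            self.pending = None
            return "501 5.7.0 Authentication aborted"
        try:
            if self.pending[0] == "plain":
                _, user, passwd = decode_plain(line)
                return self._verify(user, passwd)
            if self.pending[1] is None:   # LOGIN: this line is the username
                self.pending = ("login", _b64decode(line).decode())
                return "334 UGFzc3dvcmQ6"  # base64("Password:")
            return self._verify(self.pending[1], _b64decode(line).decode())
        except ValueError:
            self.pending = None
            return "501 5.5.2 Cannot decode response"

    def handle(self, line):
        if self.pending is not None:
            return self._continue(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN":
                self.pending = ("plain",)
                return self._continue(initial) if initial else "334 "
            if mech.upper() == "LOGIN":
                self.pending = ("login", None)
                return self._continue(initial) if initial else "334 VXNlcm5hbWU6"  # "Username:"
            return "504 5.5.4 Unrecognized authentication type"
        if verb in ("MAIL", "RCPT", "DATA") and self.require_auth and self.authed is None:
            return NEED_530
        return "221 2.0.0 Bye" if verb == "QUIT" else "250 2.0.0 Ok"

def run_session(server, client_lines):
    """Drive the server with a scripted client; returns [(client line, server reply), ...]."""
    return [(line, server.handle(line)) for line in client_lines]
```

decode_plain() on the blob from the Postfix transcript returns ('test', 'test', 'testpass'), which matches what the server log says ("Password verification failed"): the client-side encoding is fine and it is the server's lookup that rejects it. For the Mule case, the toy server answers 530 5.5.1 to MAIL FROM only while self.authed is None, which is the state a client is in when it never issues AUTH at all.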

Can't receive mail other than my own

I am currently trying to configure my first Postfix - Dovecot - PostgreSQL installation.
When I connect from Thunderbird, I can receive and send mail on my 3 domains with virtual and real mail accounts. Emails are sent instantaneously.
It also works when I use mail (mailutils), but emails take about 1 minute to be sent.
Telnet to port 25 from the server and from outside the server sends mail correctly too. Emails are sent instantaneously.
However, when I try to send mail from my Gmail or Yahoo mail accounts to this domain, I receive this kind of error:
Gmail
Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at http://support.google.com/mail/bin/answer.py?answer=7720
[(10) mail.domain-1.com. [MY_IP]:25: Connection timed out]
And I don't get any message in /var/log when sending mail from external domains.
Software versions:
LinuxMint : 16 Petra (Debian Wheezy)
Postfix : 2.10.2
Dovecot : 2.1.7
PostgreSQL : 9.1.13
Here is my main.cf:
debug_peer_list = domain-1.com
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
transport_maps = pgsql:/etc/postfix/sql/transport.cf
virtual_uid_maps = pgsql:/etc/postfix/sql/uids.cf
virtual_gid_maps = pgsql:/etc/postfix/sql/gids.cf
virtual_alias_maps = pgsql:/etc/postfix/sql/virtual.cf
virtual_mailbox_maps = pgsql:/etc/postfix/sql/mailboxes.cf
virtual_mailbox_base = /var/spool/virtual_mailboxes/
virtual_mailbox_limit = 51200000
mydestination = domain-1.fr domain-2.com domain-3.org localhost.$mydomain localhost
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
queue_directory = /var/spool/postfix
Here is my master.cf:
smtp inet n - y - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
There is currently no security like SSL or anti-spam. I just put a SHA512-CRYPT password.
As for my DNS configuration (it must come from here... but I don't see anything):
domain-1.com. 10800 IN MX 10 mail.domain-1.com.
mail.domain-1.com. 10800 IN CNAME www.domain-1.com.
www.domain-1.com. 300 IN A SERVER_IP
I had just put up a firewall only allowing mail from me.
Allowing from anywhere on ports 25 and 143 just fixed it...
...
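Two checks for the symptom in this thread, as an added example (not part of the question or the follow-up): check_mx() runs over BIND-style records like the ones posted and flags an MX target that is a CNAME, which RFC 2181 section 10.3 forbids, while probe_smtp() performs the same TCP connect to port 25 that Gmail's MTA attempted, so a firewall that drops inbound SYNs shows up as a timeout (the "Connection timed out" in the bounce) rather than a refusal. SAMPLE_ZONE reuses the posted lines with SERVER_IP left as the placeholder it is; probe_smtp() needs network access and is only defined here, not exercised.

```python
"""Two checks for an MX that remote MTAs cannot reach (added example).

check_mx() reads BIND-style records like the ones posted above and flags
an MX target that is a CNAME (RFC 2181 section 10.3) or has no address
record; probe_smtp() does the TCP connect to port 25 that a sending MTA
does, so a firewall drop shows up as a timeout, not a refusal. Not the
asker's tooling; SAMPLE_ZONE reuses the posted lines with SERVER_IP kept
as a placeholder.
"""
import socket

SAMPLE_ZONE = """\
domain-1.com. 10800 IN MX 10 mail.domain-1.com.
mail.domain-1.com. 10800 IN CNAME www.domain-1.com.
www.domain-1.com. 300 IN A SERVER_IP
"""


def parse_zone(text):
    """[(owner, type, rdata fields)] from 'owner ttl IN type rdata...' lines; names lower-cased."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue                      # comments, blank lines, records without a TTL
        records.append((parts[0].lower(), parts[3].upper(), parts[4:]))
    return records


def check_mx(records, domain):
    """Return [(level, message)] for every MX of `domain`, following one CNAME hop."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    domain = domain.lower().rstrip(".") + "."
    mxs = [rdata for rtype, rdata in by_owner.get(domain, []) if rtype == "MX" and len(rdata) == 2]
    if not mxs:
        return [("error", f"no MX record for {domain}; senders fall back to its A record")]
    findings = []
    for pref, target in mxs:
        target = target.lower()
        rrset = by_owner.get(target, [])
        cnames = [rdata[0].lower() for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            findings.append(("error", f"MX {pref} target {target} is a CNAME for {cnames[0]}; "
                                      "RFC 2181 section 10.3 says an MX target must not be an alias"))
            rrset = by_owner.get(cnames[0], [])
        if any(rtype in ("A", "AAAA") for rtype, _ in rrset):
            findings.append(("ok", f"MX {pref} target {target} reaches an address record"))
        else:
            findings.append(("error", f"MX {pref} target {target} has no A/AAAA record"))
    return findings


def probe_smtp(host, port=25, timeout=5.0):
    """Connect like a remote MTA and read the banner; returns (kind, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return "banner", sock.recv(512).decode("ascii", "replace").strip()
    except socket.timeout:
        return "timeout", f"no SYN/ACK or no banner within {timeout}s: filtered port or stalled listener"
    except ConnectionRefusedError:
        return "refused", f"host answered but nothing listens on port {port}"
    except OSError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for level, message in check_mx(parse_zone(SAMPLE_ZONE), "domain-1.com"):
        print(level.upper(), message)
```

Run from a host outside the server's own network, probe_smtp("mail.domain-1.com") distinguishes the three cases a bounce message blurs together: a banner means the MTA is reachable, "refused" means the host is up but Postfix is not bound on that interface, and "timeout" is the firewall case the asker eventually found.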

FreeSWITCH replies 404 to PUBLISH

I'm connecting to FreeSWITCH with the QuteCom SIP client. After a client is successfully registered, I publish my presence by changing the status to BUSY. But FreeSWITCH replies "404 Not Found".
------------------------------------------------------------------------
recv 932 bytes from udp/[192.168.1.39]:5060 at 07:05:17.940940:
------------------------------------------------------------------------
PUBLISH sip:1200@192.168.1.249 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.39:5060;rport;branch=z9hG4bK131644078
From: <sip:1200@192.168.1.249>;tag=1098221491
To: <sip:1200@192.168.1.249>
Call-ID: 1650132002@192.168.1.39
CSeq: 20 PUBLISH
Contact: <sip:1200@192.168.1.39:5060>
Max-Forwards: 70
User-Agent: qutecom/rev-g-trunk
Event: presence
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE
Content-Type: application/pidf+xml
Content-Length: 452
<?xml version='1.0' encoding='UTF-8'?>
<presence xmlns='urn:ietf:params:xml:ns:pidf'
          xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
          xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
          xmlns:c='urn:ietf:params:xml:ns:pidf:cipid'
          entity='sip:1200@192.168.1.249'>
  <tuple id='t2267e46e'>
    <status>
      <basic>closed</basic>
    </status>
  </tuple>
  <dm:person id='pdc5ba422'>
    <rpid:activities>
      <rpid:busy/>
    </rpid:activities>
    <dm:note></dm:note>
  </dm:person>
</presence>
------------------------------------------------------------------------
send 642 bytes to udp/[192.168.1.39]:5060 at 07:05:17.943156:
------------------------------------------------------------------------
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.168.1.39:5060;rport=5060;branch=z9hG4bK131644078
From: <sip:1200@192.168.1.249>;tag=1098221491
To: <sip:1200@192.168.1.249>;tag=H5BZvmUQ37jjB
Call-ID: 1650132002@192.168.1.39
CSeq: 20 PUBLISH
User-Agent: FreeSWITCH-mod_sofia/1.0.head-git-765908f 2011-05-22 19-10-52 -0500
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, precondition, path, replaces
Allow-Events: talk, hold, presence, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
Content-Length: 0
The presence info in the PUBLISH is completely RFC 4480 conformant.
What should I configure to make PUBLISH work?
The solution was to first subscribe to the "presence.winfo" event.
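Parsing both sides of that exchange, as an added example (not QuteCom or FreeSWITCH code): parse_sip() splits a request or response into start line, headers and body and rejects a body whose length disagrees with Content-Length; parse_pidf() pulls the basic status and RPID activity out of the PIDF body after refusing any DOCTYPE, since a SIP peer should not get to define XML entities; build_publish() emits a PUBLISH whose Content-Length is computed rather than typed. The sample 404 and PIDF body are reconstructed from the messages above with "@" restored; the Expires header and all function names are this example's own.

```python
"""SIP message and PIDF handling for the PUBLISH exchange above (added example).

parse_sip() splits a request or response into start line, headers and body
and rejects a body that disagrees with Content-Length; parse_pidf() reads
the basic status and RPID activities after refusing any DTD; build_publish()
emits a PUBLISH with a computed Content-Length. Not QuteCom or FreeSWITCH
code; the samples are reconstructed from the messages quoted above.
"""
import xml.etree.ElementTree as ET

NS = {"pidf": "urn:ietf:params:xml:ns:pidf",
      "dm": "urn:ietf:params:xml:ns:pidf:data-model",
      "rpid": "urn:ietf:params:xml:ns:pidf:rpid"}

SAMPLE_PIDF = """<?xml version='1.0' encoding='UTF-8'?>
<presence xmlns='urn:ietf:params:xml:ns:pidf'
          xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
          xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
          entity='sip:1200@192.168.1.249'>
  <tuple id='t2267e46e'><status><basic>closed</basic></status></tuple>
  <dm:person id='pdc5ba422'>
    <rpid:activities><rpid:busy/></rpid:activities>
    <dm:note></dm:note>
  </dm:person>
</presence>"""

SAMPLE_404 = (
    "SIP/2.0 404 Not Found\r\n"
    "Via: SIP/2.0/UDP 192.168.1.39:5060;rport=5060;branch=z9hG4bK131644078\r\n"
    "From: <sip:1200@192.168.1.249>;tag=1098221491\r\n"
    "To: <sip:1200@192.168.1.249>;tag=H5BZvmUQ37jjB\r\n"
    "Call-ID: 1650132002@192.168.1.39\r\n"
    "CSeq: 20 PUBLISH\r\n"
    "Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\n"
    "Allow-Events: talk, hold, presence, dialog, line-seize, call-info, sla, "
    "include-session-description, presence.winfo, message-summary, refer\r\n"
    "Content-Length: 0\r\n\r\n")


def parse_sip(raw):
    """{'start': str, 'headers': {lower-name: [values]}, 'body': str}; raises on a length mismatch."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body.encode("utf-8")):
        raise ValueError("Content-Length does not match the body")
    return {"start": lines[0], "headers": headers, "body": body}


def status_code(msg):
    """Status code of a response, or None when the message is a request."""
    parts = msg["start"].split(" ", 2)
    return int(parts[1]) if parts[0].startswith("SIP/") else None


def header_lists(msg, header, token):
    """True if a comma-separated header such as Allow or Allow-Events names `token`."""
    values = msg["headers"].get(header.lower(), [])
    return token.lower() in {t.strip().lower() for v in values for t in v.split(",")}


def parse_pidf(body):
    """entity, <basic>, RPID activity names and note from a PIDF document."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD declarations are not accepted from a SIP peer")
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != "{urn:ietf:params:xml:ns:pidf}presence":
        raise ValueError("not a PIDF document")
    basic = root.find("pidf:tuple/pidf:status/pidf:basic", NS)
    note = root.find("dm:person/dm:note", NS)
    return {"entity": root.get("entity"),
            "basic": basic.text if basic is not None else None,
            "activities": [a.tag.split("}")[1] for a in root.findall("dm:person/rpid:activities/*", NS)],
            "note": (note.text or "") if note is not None else ""}


def build_publish(aor, via_host, call_id, cseq, body, expires=3600):
    """PUBLISH (RFC 3903) for presence with a PIDF body; Expires is this example's addition."""
    data = body.encode("utf-8")
    head = [f"PUBLISH {aor} SIP/2.0",
            f"Via: SIP/2.0/UDP {via_host};rport;branch=z9hG4bK{cseq}{call_id.partition('@')[0]}",
            f"From: <{aor}>;tag=1098221491", f"To: <{aor}>", f"Call-ID: {call_id}",
            f"CSeq: {cseq} PUBLISH", "Max-Forwards: 70", "Event: presence", f"Expires: {expires}",
            "Content-Type: application/pidf+xml", f"Content-Length: {len(data)}"]
    return "\r\n".join(head) + "\r\n\r\n" + body
```

The 404 above advertises PUBLISH in Allow and presence in Allow-Events, so the request itself was understood; what the server lacked was state for that AOR, which is what the presence.winfo subscription in the answer creates. Checking both headers before retrying avoids confusing "method unsupported" with "no resource yet".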