Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
You can probably use auth_default_realm for this, see
https://doc.dovecot.org/settings/core/?highlight=realm#core_setting-auth_default_realm

Aki

> On 24/01/2022 20:05 da...@kosmosisland.com wrote:
>
> Hello Aki,
>
> Thank you, that works. But it doesn't solve my main problem. Newer
> versions of Outlook started to parse the "@domain" out of the
> "user@domain" which yielded only "user". I found that by prepending a '\'
> (backslash) it would yield "user@domain" correctly. But with GSSAPI, the
> backslash fails and removing it allows for correct authentication of the
> whole user name including "@domain". The problem now is having to
> configure all the many clients in the field that have the backslash
> prepended to the user name. Is there a way around this with version 2.3?
>
> Regards,
> David Koski
> da...@kosmosisland.com
> dko...@sutinen.com
>
> > On 23 January 2022 1.29.43 UTC, David Koski wrote:
> >>Is NTLM now dead? The Readme says:
> >>
> >>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek (48d6f7282)
> >>
> >>    auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes
> >>
> >>> Regards,
> >>> David Koski
> >
> > You should use GSSAPI instead.
> >
> > Aki
Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
Hello Aki,

Thank you, that works. But it doesn't solve my main problem. Newer versions of Outlook started to parse the "@domain" out of the "user@domain" which yielded only "user". I found that by prepending a '\' (backslash) it would yield "user@domain" correctly. But with GSSAPI, the backslash fails and removing it allows for correct authentication of the whole user name including "@domain". The problem now is having to configure all the many clients in the field that have the backslash prepended to the user name. Is there a way around this with version 2.3?

Regards,
David Koski
da...@kosmosisland.com
dko...@sutinen.com

> On 23 January 2022 1.29.43 UTC, David Koski wrote:
>>Is NTLM now dead? The Readme says:
>>
>>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek (48d6f7282)
>>
>>    auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes
>>
>>> Regards,
>>> David Koski
>
> You should use GSSAPI instead.
>
> Aki
Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
On 23 January 2022 1.29.43 UTC, David Koski wrote:
>Is NTLM now dead? The Readme says:
>
>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek (48d6f7282)
>
>    auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes
>
>> Regards,
>> David Koski

You should use GSSAPI instead.

Aki
Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
Is NTLM now dead? The Readme says:

2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek (48d6f7282)

    auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes

M COPYING
M configure.ac
M src/Makefile.am
M src/auth/Makefile.am
D src/auth/mech-ntlm.c
M src/auth/mech.c
M src/auth/password-scheme.c
M src/auth/test-libpassword.c
M src/auth/test-mech.c
M src/doveadm/Makefile.am
D src/lib-ntlm/Makefile.am
D src/lib-ntlm/ntlm-des.c
D src/lib-ntlm/ntlm-des.h
D src/lib-ntlm/ntlm-encrypt.c
D src/lib-ntlm/ntlm-encrypt.h
D src/lib-ntlm/ntlm-flags.h
D src/lib-ntlm/ntlm-message.c
D src/lib-ntlm/ntlm-message.h
D src/lib-ntlm/ntlm-types.h
D src/lib-ntlm/ntlm.h

David

On 1/22/22 4:22 PM, David Koski wrote:

After upgrading Debian to 11 I found Dovecot at version 2.3.13 (89f716dc2). Now auth method NTLM fails and is not even listed:

# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5

/var/log/dovecot.log
Jan 22 16:20:32 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:32 master: Error: service(auth): command startup failed, throttling for 2.000 secs
Jan 22 16:20:34 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:34 master: Error: service(auth): command startup failed, throttling for 4.000 secs
Jan 22 16:20:38 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:38 master: Error: service(auth): command startup failed, throttling for 8.000 secs
Jan 22 16:20:46 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:46 master: Error: service(auth): command startup failed, throttling for 16.000 secs

# doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
# Hostname: imail.khmfdbyekekelj1rmytwnfh1bc.dx.internal.cloudapp.net
auth_mechanisms = plain login ntlm
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace compat {
  alias_for =
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_plugins = " quota trash sieve"
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert =
NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
After upgrading Debian to 11 I found Dovecot at version 2.3.13 (89f716dc2). Now auth method NTLM fails and is not even listed:

# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5

/var/log/dovecot.log
Jan 22 16:20:32 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:32 master: Error: service(auth): command startup failed, throttling for 2.000 secs
Jan 22 16:20:34 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:34 master: Error: service(auth): command startup failed, throttling for 4.000 secs
Jan 22 16:20:38 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:38 master: Error: service(auth): command startup failed, throttling for 8.000 secs
Jan 22 16:20:46 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:46 master: Error: service(auth): command startup failed, throttling for 16.000 secs

# doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
# Hostname: imail.khmfdbyekekelj1rmytwnfh1bc.dx.internal.cloudapp.net
auth_mechanisms = plain login ntlm
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace compat {
  alias_for =
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_plugins = " quota trash sieve"
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert =
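
An added example, not part of the original post and not Dovecot project code: the Python below parses `doveconf -n` output of the kind shown in this message and reports the two things in it worth reviewing around an upgrade, a mechanism in `auth_mechanisms` that the commit quoted in this thread removed, and `unix_listener` sockets whose mode grants access to "other" users. The function names, finding labels and trimmed sample config are constructed for illustration.

```python
"""Audit `doveconf -n` output for removed auth mechanisms and open sockets."""

# Mechanisms this thread reports as removed from Dovecot (commit 48d6f7282).
REMOVED_MECHANISMS = {"ntlm"}

# Constructed sample, trimmed from the doveconf -n output quoted in the post.
SAMPLE = """\
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login ntlm
namespace inbox {
  inbox = yes
  mailbox "Sent Messages" {
    special_use = \\Sent
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
"""


def parse_doveconf(text):
    """Return [(path, key, value)]; path is the tuple of enclosing block headers."""
    settings, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # e.g. "unix_listener auth-client"
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in doveconf output")
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")  # value may be empty ("prefix =")
            settings.append((tuple(stack), key.strip(), value.strip()))
    if stack:
        raise ValueError("unclosed block: " + stack[-1])
    return settings


def audit(text):
    """Return a list of (finding, detail) tuples in config order."""
    findings = []
    for path, key, value in parse_doveconf(text):
        if not path and key == "auth_mechanisms":
            # The auth service refuses to start on an unknown mechanism,
            # which is the "Fatal: Unknown authentication mechanism" loop.
            for mech in value.split():
                if mech.lower() in REMOVED_MECHANISMS:
                    findings.append(("removed-mechanism", mech))
        elif key == "mode" and path and path[-1].startswith("unix_listener "):
            # Any "other" permission bit lets accounts outside the socket's
            # user and group reach the listener, subject to directory perms.
            if int(value, 8) & 0o007:
                socket_name = path[-1].split(None, 1)[1]
                findings.append(
                    ("world-accessible-socket", f"{socket_name} mode={value}")
                )
    return findings


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE):
        print(f"{finding}: {detail}")
```
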
RE: Unable to authenticate on Dovecot - auth-userdb issue?
uth-userdb {
    group =
    mode = 0666
    user = $default_internal_user
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service stats {
  unix_listener stats-reader {
    group = mail
    mode = 0666
  }
  unix_listener stats-writer {
    group = mail
    mode = 0666
  }
}
ssl = required
ssl_cert = mailto:ad+li...@uni-x.org>
Sent: Friday, January 10, 2020 11:34 AM
To: Mark ADAMS<mailto:mada...@msn.com>
Subject: Re: Unable to authenticate on Dovecot - auth-userdb issue?

Mark,

first of all: please take care to whom you reply. Do not communicate directly with my list mail address. Please keep the discussion on the dovecot list. Thanks.

On 09.01.2020 at 18:29, Mark ADAMS wrote:
> At this point, passdb does not support lookups according to the log. Is there something else I should be looking at?
>
> I’ve worked on this and seem to be making little progress. A sample transaction log looks like this:
>
> Jan 09 10:22:32 shuttle dovecot[26851]: master: Warning: SIGHUP received - reloading configuration
> Jan 09 10:23:04 shuttle postfix/smtpd[5448]: connect from pvr[192.168.1.103]
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/modules/auth
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Module loaded: /usr/lib64/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: auth client connected (pid=0)
> Jan 09 10:23:20 shuttle postfix/smtpd[5448]: 0C6BF4A6302: client=pvr[192.168.1.103]
> Jan 09 10:23:30 shuttle postfix/cleanup[5459]: 0C6BF4A6302: message-id=<>
> Jan 09 10:23:30 shuttle postfix/qmgr[1385]: 0C6BF4A6302: from=, size=180, nrcpt=1 (queue active)
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: master in: USER1 root@shuttleservice=lda
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: static(root): Performing userdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): Performing passdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): passdb doesn't support credential lookups
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): Finished passdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Error: static(root): passdb doesn't support lookups, can't verify user's existence
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: static(root): Finished userdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: userdb out: FAIL1
> Jan 09 10:23:30 shuttle dovecot[5466]: lda(root@shuttle)<5466><>: Error: auth-master: userdb lookup(root@shuttle): Auth USER lookup failed
> Jan 09 10:23:30 shuttle dovecot[5466]: lda: Fatal: Internal error occurred. Refer to server log for more information.
> Jan 09 10:23:30 shuttle postfix/pipe[5465]: 0C6BF4A6302: to=, relay=dovecot, delay=17, delays=17/0.01/0/0.06, dsn=4.3.0, status=deferred (tempora>
> Jan 09 10:23:31 shuttle sshd[5468]: Connection closed by 192.168.1.100 port 48324 [preauth]
> Jan 09 10:23:31 shuttle postfix/smtpd[5448]: disconnect from pvr[192.168.1.103] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>
> My current dovecot configuration looks like this:
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # OS: Linux 5.4.6-desktop-2.mga7 x86_64 Mageia 7
> # Hostname: shuttle
> auth_debug_passwords = yes
> auth_username_format = %Ln
> disable_plaintext_auth = no
> first_valid_uid = 0
> last_valid_uid = 10001
> mail_gid = 10001
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> mail_uid = 10001
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = %s
>   driver = pam
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> service anvil {
>   unix_listener anvil {
>     group = mail
>     mode = 0666
>   }
> }
> service auth-worker {
>   user = vmail
> }
> service auth {
>   unix_listener /var/
Re: Unable to authenticate on Dovecot - auth-userdb issue?
On 03.01.2020 at 03:27, Mark ADAMS wrote:

> Jan 02 18:47:37 shuttle dovecot[6744]: lda(root@shuttle)<6744><>: Error: auth-master: userdb lookup(root@shuttle): connect(/run/dovecot/auth-userdb) failed: Permission denied (euid=8(mail) egid=12(mail) missing +r perm: /run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)

Run "namei -lv /run/dovecot/auth-userdb" to check the permissions of the complete path. The auth-userdb socket actually is owned mail:mail according to your error logging. Is dovecot member of the mail group? Actually it does not match the config details you have pasted:

unix_listener auth-userdb {
  group = dovecot
  mode = 0600
  user = vmail
}

On my side it looks like this and I have not custom configured that part. The defaults are:

unix_listener auth-userdb {
  group =
  mode = 0666
  user = $default_internal_user
}

So on my system the permissions look like this:

# namei -lv /var/run/dovecot/auth-userdb
f: /var/run/dovecot/auth-userdb
dr-xr-xr-x root    root    /
drwxr-xr-x root    root    var
drwxr-xr-x root    root    run
drwxr-xr-x root    dovecot dovecot
srw-rw-rw- dovecot root    auth-userdb

> Jan 02 18:47:37 shuttle dovecot[6744]: lda: Fatal: Internal error occurred. Refer to server log for more information.
> Jan 02 18:47:37 shuttle postfix/pipe[6743]: 6345D4A4A97: to=, relay=dovecot, delay=1.1, delays=1.1/0.01/0/0.06, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(root@shuttle): Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied )
> ^C
>
> Note: this error references "/run/dovecot/auth-userdb". That isn't even supposed to be the location of that file. I have no idea why that location shows up. The correct location should be "/etc/dovecot/auth-userdb". The file does exist at that location.

Mark, I have no idea why you expect the dovecot sockets to be located inside /etc/dovecot/. /etc is the FHS location for configurations. /run or /var/run (typically a symlink on modern linux distributions) is the right location for runtime files like service sockets.

You say /etc/dovecot/auth-userdb exists. Am I correct to guess that you have created that manually with whatever content?

Alexander
Unable to authenticate on Dovecot - auth-userdb issue?
Some general information:

Mageia Linux 5.4.6-desktop-2.mga7
2.3.7.2 (3c910f64b)
postfix + dovecot + mysql
192.168.1.105 (shuttle) the email server machine
192.168.1.103 (pvr) the mail client machine

I am unable to authenticate to send email. I've looked at postfix but I can't get past dovecot's authentication. Here is what I'm seeing in logs:

Jan 02 18:46:47 shuttle sshd[6660]: Connection closed by 192.168.1.100 port 48506 [preauth]
Jan 02 18:47:05 shuttle postfix/smtpd[6352]: connect from pvr[192.168.1.103]
Jan 02 18:47:16 shuttle postfix/smtpd[6352]: lost connection after CONNECT from pvr[192.168.1.103]
Jan 02 18:47:16 shuttle postfix/smtpd[6352]: disconnect from pvr[192.168.1.103] commands=0/0
Jan 02 18:47:36 shuttle postfix/smtpd[6352]: connect from pvr[192.168.1.103]
Jan 02 18:47:36 shuttle postfix/smtpd[6352]: 6345D4A4A97: client=pvr[192.168.1.103]
Jan 02 18:47:37 shuttle postfix/cleanup[6500]: 6345D4A4A97: message-id=<>
Jan 02 18:47:37 shuttle postfix/qmgr[1385]: 6345D4A4A97: from=, size=485, nrcpt=1 (queue active)
Jan 02 18:47:37 shuttle postfix/smtpd[6352]: disconnect from pvr[192.168.1.103] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 02 18:47:37 shuttle dovecot[6744]: lda(root@shuttle)<6744><>: Error: auth-master: userdb lookup(root@shuttle): connect(/run/dovecot/auth-userdb) failed: Permission denied (euid=8(mail) egid=12(mail) missing +r perm: /run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
Jan 02 18:47:37 shuttle dovecot[6744]: lda: Fatal: Internal error occurred. Refer to server log for more information.
Jan 02 18:47:37 shuttle postfix/pipe[6743]: 6345D4A4A97: to=, relay=dovecot, delay=1.1, delays=1.1/0.01/0/0.06, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(root@shuttle): Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied )
^C

Note: this error references "/run/dovecot/auth-userdb". That isn't even supposed to be the location of that file. I have no idea why that location shows up. The correct location should be "/etc/dovecot/auth-userdb". The file does exist at that location.

There is no "base_dir" configured in /etc/dovecot/dovecot.conf. When I do try and point the configuration at the correct base_dir, I get this when I try to restart dovecot:

-- The unit dovecot.service has entered the 'failed' state with result 'exit-code'.
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(aggregator): unlink(/etc/dovecot/replication-notify-fifo) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(pop3): unlink(/etc/dovecot/login/pop3) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): unlink(/etc/dovecot/old-stats) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): unlink(/etc/dovecot/old-stats-mail) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): unlink(/etc/dovecot/old-stats-user) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(log): unlink(/etc/dovecot/log-errors) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(lmtp): unlink(/etc/dovecot/lmtp) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(ipc): unlink(/etc/dovecot/ipc) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(ipc): unlink(/etc/dovecot/login/ipc-proxy) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(indexer-worker): unlink(/etc/dovecot/indexer-worker) failed: Read-only file system

And there are about 30 lines of "read-only file system" errors. I haven't been able to track down the cause of that.

Once the line "base_dir = /etc/dovecot" is commented out in /etc/dovecot/dovecot.conf, I can start dovecot:

# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-02 18:54:15 MST; 5s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 7550 (dovecot)
   Memory: 3.8M
   CGroup: /system.slice/dovecot.service
           ├─7550 /usr/sbin/dovecot -F
           ├─7554 dovecot/anvil
           ├─7555 dovecot/log
           └─7556 dovecot/config

Jan 02 18:54:15 shuttle systemd[1]: Started Dovecot IMAP/POP3 email server.
Jan 02 18:54:15 shuttle dovecot[7550]: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap, pop3, lmtp
Jan 02 18:54:15 shuttle dovecot[7550]: master: Error: t_readlink(/etc/dovecot/dovecot.conf) failed: readlink() failed: Invalid argument

I have no idea what's up with the t_readlink error. Might be related to the errors above. I can't really fin
Dovecot auth crashing??
Dovecot-2.3.9

I am seeing a lot of the following on my logs:

Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Event 0x827d6e20 leaked (parent=0x827d4220): auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x827d6420 leaked (parent=0x827d4820): auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x82780c20 leaked (parent=0x827d6220): auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x827d6c20 leaked (parent=0x827d4220): auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d4220 leaked (parent=0x827d6a20): auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x827d6a20 leaked (parent=0x0): auth-client-connection.c:338
Dec 13 09:16:25 auth: Warning: Event 0x827d4c20 leaked (parent=0x827d4820): auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d4820 leaked (parent=0x827fe620): auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x827fe620 leaked (parent=0x0): auth-client-connection.c:338
Dec 13 09:16:25 auth: Warning: Event 0x827ff420 leaked (parent=0x827d6220): auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d6220 leaked (parent=0x82780e20): auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x82780e20 leaked (parent=0x0): auth-client-connection.c:338
Dec 13 11:27:29 master: Warning: Killed with signal 15 (by pid=9326 uid=0 code=kill)
Dec 13 11:27:37 master: Warning: Killed with signal 15 (by pid=16518 uid=0 code=kill)
Dec 13 11:27:38 auth: Error: net_connect_unix(auth-worker) failed: No such file or directory
Dec 13 11:27:39 auth: Error: net_connect_unix(auth-worker) failed: No such file or directory
Dec 13 11:27:59 auth: Error: net_connect_unix(/var/run/dovecot//stats-writer) failed: No such file or directory
Dec 13 11:27:59 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 11:27:59 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 11:27:59 auth: Warning: Event 0x82781a20 leaked (parent=0x827d4620): auth-request.c:878
Dec 13 11:27:59 auth: Warning: Event 0x827d4220 leaked (parent=0x827d4820): auth-request.c:878
Dec 13 11:27:59 auth: Warning: Event 0x82780e20 leaked (parent=0x827d4620): auth-request.c:115
Dec 13 11:27:59 auth: Warning: Event 0x827d4620 leaked (parent=0x827d0820): auth-request.c:114
Dec 13 11:27:59 auth: Warning: Event 0x827d0820 leaked (parent=0x0): auth-client-connection.c:338
Dec 13 11:27:59 auth: Warning: Event 0x82781220 leaked (parent=0x827d4820): auth-request.c:115
Dec 13 11:27:59 auth: Warning: Event 0x827d4820 leaked (parent=0x827d0c20): auth-request.c:114
Dec 13 11:27:59 auth: Warning: Event 0x827d0c20 leaked (parent=0x0): auth-client-connection.c:338
Dec 13 11:28:07 auth: Warning: Timeout leak: 0x105fb00 (auth-request-handler.c:584)
Dec 13 11:28:07 auth: Warning: Event 0x82780c20 leaked (parent=0x82781c20): auth-request.c:878
Dec 13 11:28:07 auth: Warning: Event 0x82781e20 leaked (parent=0x82781c20): auth-request.c:115
Dec 13 11:28:07 auth: Warning: Event 0x82781c20 leaked (parent=0x82781a20): auth-request.c:114
Dec 13 11:28:07 auth: Warning: Event 0x82781a20 leaked (parent=0x0): auth-client-connection.c:338

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
RE: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve
Marc> I am sure resolving works fine. I tested this in a running mesos
Marc> container, but also in docker run[1]. I need to have the search
Marc> local option in resolve.conf.

Marc> It was actually working, until I started adding the proxy for
Marc> managesieve, but when I reverted, it still does not work. I
Marc> think the building from cache misled me.

Can you post more of the logs by any chance, especially from the startup? And are you sure you reverted all the config completely?

Marc> I suspect this is a different problem, that at some point is
Marc> giving this error. Maybe I need some specific config for the
Marc> dns-client socket.

Maybe, I really don't know docker at all, or how to work with it. Haven't had a need.

Marc> PS. This is just a proxy I need temporary. But I am thinking of
Marc> creating a container that directly connects to ceph storage so
Marc> you do not need any local storage.

That might do the trick, but I'd first just get the base install working again, and maybe post your config from before and after so people can get a better idea of what you're trying to do here.

Marc> [1]
Marc> docker run --dns-search='local' -v /dev/log:/dev/log -it dovecot-proxy
Marc> bash

Marc> [2]
Marc> passdb {
Marc>   driver = ldap
Marc>   args = /etc/dovecot/dovecot-ldap.conf.ext
Marc>   default_fields = proxy=y host=svr1
Marc> }

Marc> -----Original Message-----
Marc> From: John Stoffel [mailto:j...@stoffel.org]
Marc> Sent: Saturday 30 November 2019 20:51
Marc> To: Marc Roos
Marc> Cc: dovecot
Marc> Subject: Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does
Marc> not resolve

Marc> I had a working container with dovecot configured as proxy. And
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'

Marc> Pinging/nslookup these hostnames is ok

Marc> Does nslookup work inside the container? Sounds to me like the setup
Marc> isn't working properly, but it's hard to know unless you give us more
Marc> details. Can you spin up another container with the same config but not
Marc> running dovecot to do a check on DNS resolution?

Marc> Does the container's logs give you more details? How often do you
Marc> stop/restart the container? I would think that Dovecot in a container
Marc> isn't really ideal since you need to access the mailstores, and somehow
Marc> you get email delivered to the mailstore by postfix/sendmail/exim or
Marc> some other tool.

Marc> John
RE: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve
I am sure resolving works fine. I tested this in a running mesos container, but also in docker run[1]. I need to have the search local option in resolve.conf.

It was actually working, until I started adding the proxy for managesieve, but when I reverted, it still does not work. I think the building from cache misled me.

I suspect this is a different problem, that at some point is giving this error. Maybe I need some specific config for the dns-client socket.

PS. This is just a proxy I need temporary. But I am thinking of creating a container that directly connects to ceph storage so you do not need any local storage.

[1]
docker run --dns-search='local' -v /dev/log:/dev/log -it dovecot-proxy bash

[2]
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = proxy=y host=svr1
}

-----Original Message-----
From: John Stoffel [mailto:j...@stoffel.org]
Sent: Saturday 30 November 2019 20:51
To: Marc Roos
Cc: dovecot
Subject: Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

Marc> I had a working container with dovecot configured as proxy. And
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'

Marc> Pinging/nslookup these hostnames is ok

Does nslookup work inside the container? Sounds to me like the setup isn't working properly, but it's hard to know unless you give us more details. Can you spin up another container with the same config but not running dovecot to do a check on DNS resolution?

Does the container's logs give you more details? How often do you stop/restart the container? I would think that Dovecot in a container isn't really ideal since you need to access the mailstores, and somehow you get email delivered to the mailstore by postfix/sendmail/exim or some other tool.

John
Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve
Marc> I had a working container with dovecot configured as proxy. And
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'

Marc> Pinging/nslookup these hostnames is ok

Does nslookup work inside the container? Sounds to me like the setup isn't working properly, but it's hard to know unless you give us more details. Can you spin up another container with the same config but not running dovecot to do a check on DNS resolution?

Does the container's logs give you more details? How often do you stop/restart the container? I would think that Dovecot in a container isn't really ideal since you need to access the mailstores, and somehow you get email delivered to the mailstore by postfix/sendmail/exim or some other tool.

John
dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve
I had a working container with dovecot configured as proxy. And all of a sudden I am getting these messages 'dovecot: auth: Error: DNS lookup for roosit03 failed: Name does not resolve' Pinging/nslookup these hostnames is ok
Re: Dovecot auth
On 26.11.2019 17.39, j.emerlik via dovecot wrote:
> Hi,
> is possible to configure post-login script for Service auth ?
> I would like to run post script after successful login to postfix (smtp).
> Regards,
> Jack

With recent dovecot you can write Lua script to be run as part of authentication that might be able to do this.

Aki
Dovecot auth
Hi, is possible to configure post-login script for Service auth ? I would like to run post script after successful login to postfix (smtp). Regards, Jack
Re: dovecot auth error: Illegal seek
Thanks Aki for the answer.

I did some tests and found a solution. I write down my experience. It could be useful to someone.

First I put "passwd-file" passdb (only) before "pam" passdb, as Aki suggested, but "illegal seek error" persisted.

Then I put both "passwd-file" passdb and "static" userdb before "pam" passdb and "passwd" userdb (used for local user), but that generated a strange behavior because "static" driver overrides info also for local user.

Finally I put both "passwd-file" passdb and "passwd-file" userdb before "pam" and "passwd" and that works without errors.

My working dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert =

to avoid writing uid,gid,home for each user, but in the end, with passwd-file and override_fields I got the desired scenario.

Regards,
Claudio

On 30/03/18 14:27, Aki Tuomi wrote:

On 30 March 2018 at 15:11 panetta <pane...@mat.unical.it> wrote:

Hi,

I recently configured dovecot to manage auth for both local and virtual user. When I login as a virtual user (claudio.panetta) I get the following message:

dovecot: auth: Error: passwd(claudio.panetta,160.97.62.1,): getpwnam() failed: Illegal seek

but login is ok and sending/receiving email is ok, how can, if possible, I suppress this error message?

In the following my dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert =

Hi!

Put the file based passdb before the pam one. Also not sure what you are trying to do with the static userdb. It looks like you wanted to use passwd-file?

Aki
Re: dovecot auth error: Illegal seek
> On 30 March 2018 at 15:11 panetta <pane...@mat.unical.it> wrote:
>
>
> Hi,
>
> I recently configured dovecot to manage auth
> for both local and virtual user.
> When i login as a virtual user (claudio.panetta) I get the following
> message:
>
> dovecot: auth: Error:
> passwd(claudio.panetta,160.97.62.1,): getpwnam()
> failed: Illegal seek
>
> but login is ok and sending/receiving email is ok,
> how can, if possible, I suppress this error message?
>
> In the following my dovecot config:
>
> host-prompt# dovecot -n
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
> auth_mechanisms = plain login
> auth_username_format = %Ln
> listen = *
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> login_greeting = Server ready.
> mail_full_filesystem_access = yes
> mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
> mail_privileged_group = mail
> passdb {
>   driver = pam
> }
> passdb {
>   args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
>   driver = passwd-file
> }
> protocols = " imap"
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   user = root
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
> }
> ssl_cert = ssl_key = userdb {
>   driver = passwd
> }
> userdb {
>   args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail
> home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir
>   driver = static
> }
> verbose_proctitle = yes
>
> host-prompt# cat /etc/dovecot/users
> claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
> ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst
>
> Regards,
> Claudio
>

Hi!

Put the file based passdb before the pam one. Also not sure what you are trying to do with the static userdb. It looks like you wanted to use passwd-file?

Aki
dovecot auth error: Illegal seek
Hi,

I recently configured dovecot to manage auth for both local and virtual user.
When i login as a virtual user (claudio.panetta) I get the following message:

dovecot: auth: Error: passwd(claudio.panetta,160.97.62.1,): getpwnam() failed: Illegal seek

but login is ok and sending/receiving email is ok,
how can, if possible, I suppress this error message?

In the following my dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir
  driver = static
}
verbose_proctitle = yes

host-prompt# cat /etc/dovecot/users
claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst

Regards,
Claudio
Re: dovecot auth and horde webmail
This sounds awfully like problem in horde. Aki > On 24 February 2018 at 01:21 David Mehlerwrote: > > > Hello, > > I'm not sure if this is a Dovecot-specific question, or Postfix or > Horde webmail. As Dovecot is used for authenticating both Postfix as > well as horde I thought i'd start here. > > I've got a new horde webmail install going on a FreeBSD 11.1 jail. > I've got Dovecot set up so that it appends a domain name if one is not > given, so that user and u...@example.com can both log in. > > When I logged in with horde webmail I used for the first attempt > username with no @example.com suffix. I logged in ok, but couldn't > send an email, gave me a weird error no address associated with host. > I logged out, logged back in using u...@example.com the full address, > and this time the message sending went through. > > Any ideas or if this is not a Dovecot question let me know, as that > means I'll have two other places to try. > > Thanks. > Dave. > > doveconf -n > # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.21 (92477967) > # OS: FreeBSD 11.1-RELEASE-p4 amd64 > auth_cache_size = 16 k > auth_default_realm = example.com > auth_mechanisms = plain login > auth_realms = example.com example2.com > dict { > acl = mysql:/usr/local/etc/dovecot/shared-folders.conf > sqlquota = mysql:/usr/local/etc/dovecot/quota.conf > } > first_valid_gid = 999 > first_valid_uid = 999 > hostname = mail.example.com > imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags > last_valid_gid = 999 > last_valid_uid = 999 > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > listen = 127.0.0.1 xxx.xxx.xxx.xxx > lmtp_rcpt_check_quota = yes > mail_access_groups = vmail > mail_fsync = never > mail_gid = vmail > mail_home = /home/vmail/%d/%n > mail_location = maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/ > mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome > zlib > mail_server_admin = 
mailto:postmas...@example.com > mail_uid = vmail > mailbox_list_index = yes > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date index ihave duplicate mime foreverypart > extracttext imapflags notify imapsieve vnd.dovecot.imapsieve > namespace { > hidden = no > list = yes > location = > maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public > mailbox TestFolder { > auto = subscribe > comment = Public Folder for message sharing > } > prefix = public/ > separator = / > subscriptions = yes > type = public > } > namespace { > list = yes > location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln > prefix = shared/%%u/ > separator = / > subscriptions = yes > type = shared > } > namespace { > location = virtual:/usr/local/etc/dovecot/virtual > mailbox All { > auto = subscribe > comment = All my messages > special_use = \All > } > prefix = virtual/ > separator = / > } > namespace inbox { > inbox = yes > location = > mailbox Archive { > auto = no > special_use = \Archive > } > mailbox Archives { > auto = subscribe > special_use = \Archive > } > mailbox "Deleted Messages" { > auto = no > autoexpunge = 30 days > special_use = \Trash > } > mailbox Drafts { > auto = subscribe > special_use = \Drafts > } > mailbox Junk { > auto = no > autoexpunge = 30 days > special_use = \Junk > } > mailbox "Junk E-mail" { > auto = no > autoexpunge = 30 days > special_use = \Junk > } > mailbox Sent { > auto = subscribe > special_use = \Sent > } > mailbox "Sent Items" { > auto = no > special_use = \Sent > } > mailbox "Sent Messages" { > auto = no > special_use = \Sent > } > mailbox Spam { > auto = subscribe > autoexpunge = 30 days > special_use = \Junk > } > mailbox Trash { > auto = subscribe > autoexpunge = 30 days > special_use = \Trash > } > 
prefix = > separator = / > type = private > } > passdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > plugin { > acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300 > acl_anyone = allow > acl_globals_only = yes > acl_shared_dict = proxy::acl > imapsieve_mailbox1_before = > file:/usr/local/lib/dovecot/sieve/report-spam.sieve > imapsieve_mailbox1_causes = COPY > imapsieve_mailbox1_name = Spam > imapsieve_mailbox2_before = > file:/usr/local/lib/dovecot/sieve/report-ham.sieve > imapsieve_mailbox2_causes = COPY > imapsieve_mailbox2_from = Spam > imapsieve_mailbox2_name = * > mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename > mail_log_fields = uid box msgid
dovecot auth and horde webmail
Hello, I'm not sure if this is a Dovecot-specific question, or Postfix or Horde webmail. As Dovecot is used for authenticating both Postfix as well as horde I thought i'd start here. I've got a new horde webmail install going on a FreeBSD 11.1 jail. I've got Dovecot set up so that it appends a domain name if one is not given, so that user and u...@example.com can both log in. When I logged in with horde webmail I used for the first attempt username with no @example.com suffix. I logged in ok, but couldn't send an email, gave me a weird error no address associated with host. I logged out, logged back in using u...@example.com the full address, and this time the message sending went through. Any ideas or if this is not a Dovecot question let me know, as that means I'll have two other places to try. Thanks. Dave. doveconf -n # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: FreeBSD 11.1-RELEASE-p4 amd64 auth_cache_size = 16 k auth_default_realm = example.com auth_mechanisms = plain login auth_realms = example.com example2.com dict { acl = mysql:/usr/local/etc/dovecot/shared-folders.conf sqlquota = mysql:/usr/local/etc/dovecot/quota.conf } first_valid_gid = 999 first_valid_uid = 999 hostname = mail.example.com imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags last_valid_gid = 999 last_valid_uid = 999 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = 127.0.0.1 xxx.xxx.xxx.xxx lmtp_rcpt_check_quota = yes mail_access_groups = vmail mail_fsync = never mail_gid = vmail mail_home = /home/vmail/%d/%n mail_location = maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/ mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome zlib mail_server_admin = mailto:postmas...@example.com mail_uid = vmail mailbox_list_index = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress 
comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify imapsieve vnd.dovecot.imapsieve namespace { hidden = no list = yes location = maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public mailbox TestFolder { auto = subscribe comment = Public Folder for message sharing } prefix = public/ separator = / subscriptions = yes type = public } namespace { list = yes location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace { location = virtual:/usr/local/etc/dovecot/virtual mailbox All { auto = subscribe comment = All my messages special_use = \All } prefix = virtual/ separator = / } namespace inbox { inbox = yes location = mailbox Archive { auto = no special_use = \Archive } mailbox Archives { auto = subscribe special_use = \Archive } mailbox "Deleted Messages" { auto = no autoexpunge = 30 days special_use = \Trash } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = no autoexpunge = 30 days special_use = \Junk } mailbox "Junk E-mail" { auto = no autoexpunge = 30 days special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Items" { auto = no special_use = \Sent } mailbox "Sent Messages" { auto = no special_use = \Sent } mailbox Spam { auto = subscribe autoexpunge = 30 days special_use = \Junk } mailbox Trash { auto = subscribe autoexpunge = 30 days special_use = \Trash } prefix = separator = / type = private } passdb { args = /usr/local/etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300 acl_anyone = allow acl_globals_only = yes acl_shared_dict = proxy::acl imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY 
imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size quota = count:User quota quota_clone_dict = proxy::sqlquota quota_exceeded_message = Storage quota for this account has been exceeded, please try again later. quota_grace = 10%% quota_status_nouser = DUNNO quota_status_overquota = 552 5.2.2 Mailbox is full quota_status_success = DUNNO quota_vsizes = true quota_warning = storage=100%% quota-exceeded 100 %u quota_warning2 = storage=95%% quota-warning 95 %u quota_warning3 = storage=90%%
Re: Dovecot auth SASL for exim and plain auth issue without initial response
On 1/3/2018 at 11:28 AM, Stephan Bosch wrote:
> On 1/3/2018 at 10:58 AM, Stephan Bosch wrote:
>> On 1/3/2018 at 8:31 AM, Daniel Kenzelmann wrote:
>>> 3 January 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:
>>>
>>>> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm not entirely sure whether this issue is with exim or with dovecot.
>>>>>
>>>>> First some background:
>>>>> I'm using exim with dovecot-auth which in turn is using LDAP for
>>>>> authentication.
>>>>>
>>>>> When using AUTH PLAIN with the optional initial response argument,
>>>>> everything is fine.
>>>>>
>>>>> However when using AUTH PLAIN without the optional response argument,
>>>>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>>>>> a "535 Incorrect authentication data".
>>>>>
>>>>> Example:
>>>>> Working:
>>>>> 220 ESMTP 2018-01-02 22:32:33+0100
>>>>> EHLO test
>>>>> 250- Hello X [x.x.x.x]
>>>>> 250-SIZE 52428800
>>>>> 250-8BITMIME
>>>>> 250-PIPELINING
>>>>> 250-AUTH PLAIN LOGIN
>>>>> 250-CHUNKING
>>>>> 250 HELP
>>>>> AUTH PLAIN ==
>>>>> 235 Authentication succeeded
>>>>>
>>>>> NOT-WORKING:
>>>>> 220 ESMTP 2018-01-02 22:34:37+0100
>>>>> EHLO test
>>>>> 250- Hello X [x.x.x.x]
>>>>> 250-SIZE 52428800
>>>>> 250-8BITMIME
>>>>> 250-PIPELINING
>>>>> 250-AUTH PLAIN LOGIN
>>>>> 250-CHUNKING
>>>>> 250 HELP
>>>>> AUTH PLAIN
>>>>> 535 Incorrect authentication data
>>>>>
>>>>> Here the SASL mechanism should return an empty challenge as per RFC
>>>>> (i.e. "334 " in SMTP):
>>>> This is an error produced by Exim. I find the Exim error handling in
>>>> Exim's implementation of the AUTH command rather peculiar. Still, I
>>>> managed to decipher at least part of it.
>>>>
>>>> That error is produced when FAIL status is returned from the driver:
>>>>
>>>> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
>>>>
>>>> This FAIL status can be returned by the driver itself, but -- in this
>>>> case more likely -- the Dovecot driver in Exim also returns FAIL status
>>>> when Dovecot auth service returns "FAIL":
>>>>
>>>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
>>>>
>>>> So, this may very well be an issue triggered by Dovecot. What version of
>>>> Dovecot is this? Some things were modified in initial response handling
>>>> recently (v2.3) and I may have messed up something.
>>>>
>>>> Does Dovecot log anything interesting with auth_verbose and auth_debug
>>>> enabled?
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
>>> Hi,
>>>
>>> System is gentoo,
>>> dovecot version is 2.3.0
>>> exim version is 4.90
>>>
>>> Debug log does only show the following:
>>> auth: Debug: auth client connected (pid=0)
>>> auth: Debug: client in: AUTH 1 PLAIN service=smtpsecured
>>> rip=XX.XX.XX.XX lip=XX.XX.XX.XX nologin resp=
>>> auth: plain(?,XX.XX.XX.XX): invalid input
>>> auth: Debug: client passdb out: FAIL 1
>>>
>>> I'm not 100% sure but i think it worked earlier, so this might be connected
>>> to the 2.3 update. (if REALLY needed i can try to confirm by downgrading
>>> dovecot)
>> Ok. I know what is going on already. This commit triggers the problem:
>>
>> https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
>>
>> That fix was added to handle the EXTERNAL SASL mechanism properly when
>> used in ManageSieve, and somehow I didn't realize that the original
>> comment means that Exim would also send an empty resp field for an
>> absent initial response:
>>
>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L403
>>
>> This is now handled as an empty initial response instead (as it should
>> be), which -- in this case -- makes the PLAIN mechanism complain about
>> invalid data.
>>
>> So, the fundamental blame lies with Exim for violating the protocol.
>> However, I don't think it is a good idea to break compatibility like
>> that, especially when we want to back-port this fix to Dovecot v2.2.
>>
>> To solve this now, we can recognize an empty initial response for
>> service=smtp differently (EXTERNAL is not used there much I think) and
>> perhaps make that configurable with some setting.
> Right, I can also just base behavior on the client protocol version.

Fix pending (2 commits against master):

https://github.com/stephanbosch/dovecot-core/commits/fix-auth-exim

Regards,

Stephan.
Re: Dovecot auth SASL for exim and plain auth issue without initial response
On 1/3/2018 at 10:58 AM, Stephan Bosch wrote:
> On 1/3/2018 at 8:31 AM, Daniel Kenzelmann wrote:
>> 3 January 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:
>>
>>> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm not entirely sure whether this issue is with exim or with dovecot.
>>>>
>>>> First some background:
>>>> I'm using exim with dovecot-auth which in turn is using LDAP for
>>>> authentication.
>>>>
>>>> When using AUTH PLAIN with the optional initial response argument,
>>>> everything is fine.
>>>>
>>>> However when using AUTH PLAIN without the optional response argument,
>>>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>>>> a "535 Incorrect authentication data".
>>>>
>>>> Example:
>>>> Working:
>>>> 220 ESMTP 2018-01-02 22:32:33+0100
>>>> EHLO test
>>>> 250- Hello X [x.x.x.x]
>>>> 250-SIZE 52428800
>>>> 250-8BITMIME
>>>> 250-PIPELINING
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-CHUNKING
>>>> 250 HELP
>>>> AUTH PLAIN ==
>>>> 235 Authentication succeeded
>>>>
>>>> NOT-WORKING:
>>>> 220 ESMTP 2018-01-02 22:34:37+0100
>>>> EHLO test
>>>> 250- Hello X [x.x.x.x]
>>>> 250-SIZE 52428800
>>>> 250-8BITMIME
>>>> 250-PIPELINING
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-CHUNKING
>>>> 250 HELP
>>>> AUTH PLAIN
>>>> 535 Incorrect authentication data
>>>>
>>>> Here the SASL mechanism should return an empty challenge as per RFC
>>>> (i.e. "334 " in SMTP):
>>> This is an error produced by Exim. I find the Exim error handling in
>>> Exim's implementation of the AUTH command rather peculiar. Still, I
>>> managed to decipher at least part of it.
>>>
>>> That error is produced when FAIL status is returned from the driver:
>>>
>>> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
>>>
>>> This FAIL status can be returned by the driver itself, but -- in this
>>> case more likely -- the Dovecot driver in Exim also returns FAIL status
>>> when Dovecot auth service returns "FAIL":
>>>
>>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
>>>
>>> So, this may very well be an issue triggered by Dovecot. What version of
>>> Dovecot is this? Some things were modified in initial response handling
>>> recently (v2.3) and I may have messed up something.
>>>
>>> Does Dovecot log anything interesting with auth_verbose and auth_debug
>>> enabled?
>>>
>>> Regards,
>>>
>>> Stephan.
>> Hi,
>>
>> System is gentoo,
>> dovecot version is 2.3.0
>> exim version is 4.90
>>
>> Debug log does only show the following:
>> auth: Debug: auth client connected (pid=0)
>> auth: Debug: client in: AUTH 1 PLAIN service=smtpsecured
>> rip=XX.XX.XX.XX lip=XX.XX.XX.XX nologin resp=
>> auth: plain(?,XX.XX.XX.XX): invalid input
>> auth: Debug: client passdb out: FAIL 1
>>
>> I'm not 100% sure but i think it worked earlier, so this might be connected
>> to the 2.3 update. (if REALLY needed i can try to confirm by downgrading
>> dovecot)
> Ok. I know what is going on already. This commit triggers the problem:
>
> https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
>
> That fix was added to handle the EXTERNAL SASL mechanism properly when
> used in ManageSieve, and somehow I didn't realize that the original
> comment means that Exim would also send an empty resp field for an
> absent initial response:
>
> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L403
>
> This is now handled as an empty initial response instead (as it should
> be), which -- in this case -- makes the PLAIN mechanism complain about
> invalid data.
>
> So, the fundamental blame lies with Exim for violating the protocol.
> However, I don't think it is a good idea to break compatibility like
> that, especially when we want to back-port this fix to Dovecot v2.2.
>
> To solve this now, we can recognize an empty initial response for
> service=smtp differently (EXTERNAL is not used there much I think) and
> perhaps make that configurable with some setting.

Right, I can also just base behavior on the client protocol version.

Regards,

Stephan.
Re: Dovecot auth SASL for exim and plain auth issue without initial response
3 January 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:

> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
>
>> Hi,
>>
>> I'm not entirely sure whether this issue is with exim or with dovecot.
>>
>> First some background:
>> I'm using exim with dovecot-auth which in turn is using LDAP for
>> authentication.
>>
>> When using AUTH PLAIN with the optional initial response argument,
>> everything is fine.
>>
>> However when using AUTH PLAIN without the optional response argument,
>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>> a "535 Incorrect authentication data".
>>
>> Example:
>> Working:
>> 220 ESMTP 2018-01-02 22:32:33+0100
>> EHLO test
>> 250- Hello X [x.x.x.x]
>> 250-SIZE 52428800
>> 250-8BITMIME
>> 250-PIPELINING
>> 250-AUTH PLAIN LOGIN
>> 250-CHUNKING
>> 250 HELP
>> AUTH PLAIN ==
>> 235 Authentication succeeded
>>
>> NOT-WORKING:
>> 220 ESMTP 2018-01-02 22:34:37+0100
>> EHLO test
>> 250- Hello X [x.x.x.x]
>> 250-SIZE 52428800
>> 250-8BITMIME
>> 250-PIPELINING
>> 250-AUTH PLAIN LOGIN
>> 250-CHUNKING
>> 250 HELP
>> AUTH PLAIN
>> 535 Incorrect authentication data
>>
>> Here the SASL mechanism should return an empty challenge as per RFC
>> (i.e. "334 " in SMTP):
>
> This is an error produced by Exim. I find the Exim error handling in
> Exim's implementation of the AUTH command rather peculiar. Still, I
> managed to decipher at least part of it.
>
> That error is produced when FAIL status is returned from the driver:
>
> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
>
> This FAIL status can be returned by the driver itself, but -- in this
> case more likely -- the Dovecot driver in Exim also returns FAIL status
> when Dovecot auth service returns "FAIL":
>
> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
>
> So, this may very well be an issue triggered by Dovecot. What version of
> Dovecot is this? Some things were modified in initial response handling
> recently (v2.3) and I may have messed up something.
>
> Does Dovecot log anything interesting with auth_verbose and auth_debug
> enabled?
>
> Regards,
>
> Stephan.

Hi,

System is gentoo,
dovecot version is 2.3.0
exim version is 4.90

Debug log does only show the following:
auth: Debug: auth client connected (pid=0)
auth: Debug: client in: AUTH 1 PLAIN service=smtpsecured rip=XX.XX.XX.XX lip=XX.XX.XX.XX nologin resp=
auth: plain(?,XX.XX.XX.XX): invalid input
auth: Debug: client passdb out: FAIL 1

I'm not 100% sure but i think it worked earlier, so this might be connected to the 2.3 update. (if REALLY needed i can try to confirm by downgrading dovecot)

Thanks,
Daniel
Re: Dovecot auth SASL for exim and plain auth issue without initial response
On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
> Hi,
>
> I'm not entirely sure whether this issue is with exim or with dovecot.
>
> First some background:
> I'm using exim with dovecot-auth which in turn is using LDAP for
> authentication.
>
> When using AUTH PLAIN with the optional initial response argument,
> everything is fine.
>
> However when using AUTH PLAIN without the optional response argument,
> instead of getting an empty challenge ("334 ") as per RFC i am getting
> a "535 Incorrect authentication data".
>
> Example:
> Working:
> 220 ESMTP 2018-01-02 22:32:33+0100
> EHLO test
> 250- Hello X [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN ==
> 235 Authentication succeeded
>
> NOT-WORKING:
> 220 ESMTP 2018-01-02 22:34:37+0100
> EHLO test
> 250- Hello X [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN
> 535 Incorrect authentication data
>
>
> Here the SASL mechanism should return an empty challenge as per RFC
> (i.e. "334 " in SMTP):

This is an error produced by Exim. I find the Exim error handling in Exim's implementation of the AUTH command rather peculiar. Still, I managed to decipher at least part of it.

That error is produced when FAIL status is returned from the driver:

https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665

This FAIL status can be returned by the driver itself, but -- in this case more likely -- the Dovecot driver in Exim also returns FAIL status when Dovecot auth service returns "FAIL":

https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472

So, this may very well be an issue triggered by Dovecot. What version of Dovecot is this? Some things were modified in initial response handling recently (v2.3) and I may have messed up something.

Does Dovecot log anything interesting with auth_verbose and auth_debug enabled?

Regards,

Stephan.
Dovecot auth SASL for exim and plain auth issue without initial response
Hi,

I'm not entirely sure whether this issue is with exim or with dovecot.

First some background:
I'm using exim with dovecot-auth which in turn is using LDAP for authentication.

When using AUTH PLAIN with the optional initial response argument, everything is fine.

However when using AUTH PLAIN without the optional response argument, instead of getting an empty challenge ("334 ") as per RFC i am getting a "535 Incorrect authentication data".

Example:
Working:
220 ESMTP 2018-01-02 22:32:33+0100
EHLO test
250- Hello X [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
AUTH PLAIN ==
235 Authentication succeeded

NOT-WORKING:
220 ESMTP 2018-01-02 22:34:37+0100
EHLO test
250- Hello X [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
AUTH PLAIN
535 Incorrect authentication data

Here the SASL mechanism should return an empty challenge as per RFC (i.e. "334 " in SMTP):

RFC 4954 - SMTP Service Extension for Authentication
4. The AUTH Command
[..]
The optional initial response argument to the AUTH command is
used to save a round-trip when using authentication mechanisms
that support an initial client response.
>If the initial
>response argument is omitted and the chosen mechanism requires
>an initial client response, the server MUST proceed as defined
>in Section 5.1 of [SASL]. In SMTP, a server challenge that
>contains no data is defined as a 334 reply with no text part.
>Note that there is still a space following the reply code, so
>the complete response line is "334 ".
[..]

RFC 4422 - Simple Authentication and Security Layer (SASL)
5. Mechanism Requirements
SASL mechanism specifications MUST supply the following information:

1) The name of the mechanism (see Section 3.1). This name MUST be registered as discussed in Section 7.1.

2) A definition of the server-challenges and client-responses of the authentication exchange, as well as the following:

a) An indication of whether the mechanism is client-first, variable, or server-first.
===>If a SASL mechanism is defined as
===>client-first and the client does not send an initial response
===>in the authentication request, then the first server challenge
===>MUST be empty (the EXTERNAL mechanism is an example of this case).
If a SASL mechanism is defined as variable, then the specification needs to state how the server behaves when the initial client response in the authentication request is omitted (the DIGEST-MD5 mechanism [DIGEST-MD5] is an example of this case). If a SASL mechanism is defined as server-first, then the client MUST NOT send an initial client response in the authentication request (the CRAM-MD5 mechanism [CRAM-MD5] is an example of this case).

Thanks,
Daniel
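The distinction this thread turns on, an omitted initial response versus an empty one, shown as an added example that is not part of the original messages and is neither Exim's nor Dovecot's code. The `resp=` field is a simplified model of the request line in the debug log above; the function names, the `always_send_resp` switch, the 501/504 reply texts and the sample account are assumptions made for the illustration.

```python
"""SMTP AUTH PLAIN: omitted vs. empty SASL initial response (RFC 4954, RFC 4616)."""
import base64
import binascii
import hmac
from typing import Callable, List, Optional, Tuple

REPLY_CHALLENGE = "334 "  # empty server challenge; the trailing space is required
REPLY_OK = "235 Authentication succeeded"
REPLY_FAIL = "535 Incorrect authentication data"

# Constructed sample account, for this demonstration only.
SAMPLE_USERS = {"alice": "correct horse"}


class AuthSyntaxError(Exception):
    """Malformed AUTH line or SASL message."""


def parse_auth_command(line: str) -> Tuple[str, Optional[bytes]]:
    """Parse 'AUTH <mech> [initial-response]'.

    The second item is None when the argument is omitted, b"" when it is "="
    (an explicit zero-length response), otherwise the decoded base64 bytes.
    """
    parts = line.strip().split()
    if len(parts) not in (2, 3) or parts[0].upper() != "AUTH":
        raise AuthSyntaxError("expected: AUTH <mechanism> [initial-response]")
    if len(parts) == 2:
        return parts[1].upper(), None
    if parts[2] == "=":
        return parts[1].upper(), b""
    try:
        return parts[1].upper(), base64.b64decode(parts[2], validate=True)
    except binascii.Error as exc:
        raise AuthSyntaxError("initial response is not valid base64") from exc


def parse_plain(message: bytes) -> Tuple[str, str, str]:
    """Split a PLAIN message: [authzid] NUL authcid NUL passwd."""
    fields = message.split(b"\x00")
    if len(fields) != 3 or not fields[1] or not fields[2]:
        raise AuthSyntaxError("invalid input")
    try:
        authzid, authcid, passwd = (f.decode("utf-8") for f in fields)
    except UnicodeDecodeError as exc:
        raise AuthSyntaxError("invalid input") from exc
    return authzid, authcid, passwd


def to_backend_fields(initial: Optional[bytes], always_send_resp: bool) -> List[str]:
    """MTA side: encode the AUTH state as key=value fields for the auth backend.

    always_send_resp=True models the behaviour described in the thread, where
    an omitted initial response is still sent as an empty "resp=" field.
    """
    fields = ["service=smtp"]
    if initial is None and not always_send_resp:
        return fields
    fields.append("resp=" + base64.b64encode(initial or b"").decode("ascii"))
    return fields


def from_backend_fields(fields: List[str]) -> Optional[bytes]:
    """Backend side: only a missing resp field means 'no initial response'."""
    for field in fields:
        key, _, value = field.partition("=")
        if key == "resp":
            return base64.b64decode(value, validate=True)
    return None


def plain_first_step(initial: Optional[bytes],
                     verify: Callable[[str, str], bool]) -> str:
    """First server step for PLAIN, a client-first mechanism."""
    if initial is None:
        return REPLY_CHALLENGE  # ask the client to send its response now
    try:
        _authzid, user, password = parse_plain(initial)
    except AuthSyntaxError:
        return REPLY_FAIL
    return REPLY_OK if verify(user, password) else REPLY_FAIL


def verify(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed sample account."""
    expected = SAMPLE_USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def plain_token(user: str, password: str) -> str:
    """Base64 PLAIN message with an empty authzid."""
    raw = b"\x00" + user.encode() + b"\x00" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def handle_auth(line: str, check: Callable[[str, str], bool],
                always_send_resp: bool = False) -> str:
    """AUTH line -> MTA -> backend -> SMTP reply for the first step."""
    try:
        mech, initial = parse_auth_command(line)
    except AuthSyntaxError:
        return "501 Syntax error in parameters or arguments"
    if mech != "PLAIN":
        return "504 Unrecognized authentication type"
    seen = from_backend_fields(to_backend_fields(initial, always_send_resp))
    return plain_first_step(seen, check)


if __name__ == "__main__":
    good = "AUTH PLAIN " + plain_token("alice", "correct horse")
    for line, quirk in [(good, False), ("AUTH PLAIN", False),
                        ("AUTH PLAIN", True), ("AUTH PLAIN =", False)]:
        print(f"{line!r:45} always_send_resp={quirk!s:5} -> "
              f"{handle_auth(line, verify, quirk)!r}")
```

With `always_send_resp=True` the backend can no longer tell "nothing sent yet" from "sent nothing", so a bare `AUTH PLAIN` is rejected instead of being answered with the empty challenge.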
Re: Dovecot auth error
It was!
Thank you a lot. It's always small mistake like that which give me headache...

On Tue, 7 Nov 2017 at 10:20, David Zambonini <dovecot-...@deemzed.uk> wrote:

> On 07/11/2017 14:18, Mathieu R. wrote:
> > Maybe i got no answer because there is an error which seem obvious in my
> > logs :
> >
> > Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> > configuration file /etc/dovecot/dovecot-sql.conf.ext
>
> This might sound silly, but in your doveconf you have:
>
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
>
> Yet from this:
>
> >> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
>
> It sounds like the config file you're working with is
> /etc/dovecot/dovecot-sql.conf, not /etc/dovecot/dovecot-sql.conf.ext.
> It's not as simple as a filename problem, is it?
>
> --
> David Zambonini
>
--
Mathieu R.
Re: Dovecot auth error
On 07/11/2017 14:18, Mathieu R. wrote:
> Maybe i got no answer because there is an error which seem obvious in my
> logs :
>
> Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext

This might sound silly, but in your doveconf you have:

passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

Yet from this:

>> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf

It sounds like the config file you're working with is /etc/dovecot/dovecot-sql.conf, not /etc/dovecot/dovecot-sql.conf.ext. It's not as simple as a filename problem, is it?

--
David Zambonini
Re: Dovecot auth error
apparently my reply got lost.. have you installed dovecot-mysql package?

---
Aki Tuomi
Dovecot oy

Original message
From: "Mathieu R." <math...@400iso.net>
Date: 07/11/2017 16:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Dovecot auth error

Maybe i got no answer because there is an error which seem obvious in my logs :

Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf.ext

I've obviously seen that, and tried to configure driver in that file, but it had no positive outcome, so i reversed my config to the previous state.
Considering what i've read, dovecot's MySQL configuration should be OK, but i still have that fatal error

On Sat, 4 Nov 2017 at 21:02, Mathieu R. <math...@400iso.net> wrote:

> I just tried to configure a new dovecot/postfix server, and i end up with
> a dovecot auth error at startup.
> I can't find a solution by myself.
> Below are details, thanks in advance for your precious help, and excuse my
> poor english :
>
> dovecot --version
> 2.2.27 (c0f36b0) (Debian)
>
> Dovecot -n :
> https://400iso.net/public/dov.txt
>
>
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = MD5-CRYPT
> user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid,
> CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE
> username = '%u' AND active='1'
> password_query = SELECT password FROM mailbox WHERE username = '%u'
>
>
> Here is part of the server's log :
>
> Nov 4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from
> [209.85.215.51]:47485 to [149.56.x.x]:25
> Nov 4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed
> by domain dnsbl.sorbs.net as 127.0.0.6
> Nov 4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD
> [209.85.215.51]:47485
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: connect from
> mail-lf0-f51.google.com[209.85.215.51]
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection
> established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext
> Nov 4 20:57:55 vps81550 dovecot: master: Error: service(auth): command
> startup failed, throttling for 2 secs
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL
> authentication mechanisms
> Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: process
> /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
> Nov 4 20:57:56 vps81550 postfix/master[21528]: warning:
> /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
> --
>
> Mathieu R.
>
--
Mathieu R.
Re: Dovecot auth error
Maybe I got no answer because there is an error which seems obvious in my logs :

Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf.ext

I've obviously seen that, and tried to configure driver in that file, but it had no positive outcome, so I reversed my config to the previous state.

Considering what I've read, dovecot's MySQL configuration should be OK, but I still have that fatal error

On Sat, 4 Nov 2017 at 21:02, Mathieu R. <math...@400iso.net> wrote:

> I just tried to configure a new dovecot/postfix server, and I end up with a dovecot auth error at startup.
> I can't find a solution by myself.
> Below are details, thanks in advance for your precious help, and excuse my poor English :
>
> dovecot --version
> 2.2.27 (c0f36b0) (Debian)
>
> Dovecot -n :
> https://400iso.net/public/dov.txt
>
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = MD5-CRYPT
> user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid, CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE username = '%u' AND active='1'
> password_query = SELECT password FROM mailbox WHERE username = '%u'
>
> Here is part of the server's log :
>
> Nov 4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from [209.85.215.51]:47485 to [149.56.x.x]:25
> Nov 4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed by domain dnsbl.sorbs.net as 127.0.0.6
> Nov 4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD [209.85.215.51]:47485
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: connect from mail-lf0-f51.google.com[209.85.215.51]
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf.ext
> Nov 4 20:57:55 vps81550 dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs
> Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL authentication mechanisms
> Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: process /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
> Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
> --
> Mathieu R.

--
Mathieu R.
Re: Dovecot auth error
On 05.11.2017 03:02, Mathieu R. wrote: > I just tried to configure a new dovecot/postfix server, and i end up with a > dovecot auth error at startup. > I can't find a solution by myself. > Below are details, thanks in advance for your precious help, and excuse my > poor english : > > dovecot --version > 2.2.27 (c0f36b0) (Debian) > > Dovecot -n : > https://400iso.net/public/dov.txt > > > grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf > driver = mysql > connect = host=127.0.0.1 dbname=postfix user=postfix password=password > default_pass_scheme = MD5-CRYPT > user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid, > CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE > username = '%u' AND active='1' > password_query = SELECT password FROM mailbox WHERE username = '%u' > > > Here is part of the server's log : > > Nov 4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from > [209.85.215.51]:47485 to [149.56.x.x]:25 > Nov 4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed > by domain dnsbl.sorbs.net as 127.0.0.6 > Nov 4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD > [209.85.215.51]:47485 > Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: connect from > mail-lf0-f51.google.com[209.85.215.51] > Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection > established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with cipher > ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) > Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in > configuration file /etc/dovecot/dovecot-sql.conf.ext > Nov 4 20:57:55 vps81550 dovecot: master: Error: service(auth): command > startup failed, throttling for 2 secs > Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL > authentication mechanisms > Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: process > /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1 > Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: > 
/usr/lib/postfix/sbin/smtpd: bad command startup -- throttling This usually means that you have not installed mysql support for dovecot. In dovecot, it's usually a separate package, called dovecot-mysql. Aki
Dovecot auth error
I just tried to configure a new dovecot/postfix server, and i end up with a dovecot auth error at startup. I can't find a solution by myself. Below are details, thanks in advance for your precious help, and excuse my poor english : dovecot --version 2.2.27 (c0f36b0) (Debian) Dovecot -n : https://400iso.net/public/dov.txt grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf driver = mysql connect = host=127.0.0.1 dbname=postfix user=postfix password=password default_pass_scheme = MD5-CRYPT user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid, CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE username = '%u' AND active='1' password_query = SELECT password FROM mailbox WHERE username = '%u' Here is part of the server's log : Nov 4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from [209.85.215.51]:47485 to [149.56.x.x]:25 Nov 4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed by domain dnsbl.sorbs.net as 127.0.0.6 Nov 4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD [209.85.215.51]:47485 Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: connect from mail-lf0-f51.google.com[209.85.215.51] Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Nov 4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf.ext Nov 4 20:57:55 vps81550 dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs Nov 4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL authentication mechanisms Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: process /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1 Nov 4 20:57:56 vps81550 postfix/master[21528]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling -- Mathieu R.
Re: dovecot auth errors for a new user
On Sun, Jul 30, 2017 at 10:04:38PM +0200, Alexander Dalloz wrote:
> On 30.07.2017 at 21:49, Ruben Safir wrote:
> >2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error: user facebook: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/facebook
> >2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error: Invalid user settings. Refer to server log for more information.
>
> Define mail_location; see https://wiki.dovecot.org/MailLocation
>
> > # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
>
> And do you think it is clever to run on an EOLed distribution release?
>
> Alexander

got it, thanks

--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
Re: dovecot auth errors for a new user
On Sun, Jul 30, 2017 at 10:04:38PM +0200, Alexander Dalloz wrote:
> On 30.07.2017 at 21:49, Ruben Safir wrote:
> >2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error: user facebook: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/facebook
> >2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error: Invalid user settings. Refer to server log for more information.
>
> Define mail_location; see https://wiki.dovecot.org/MailLocation
>
> > # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
>
> And do you think it is clever to run on an EOLed distribution release?

the mail sits in /var/spool/mail/user

>
> Alexander
Re: dovecot auth errors for a new user
On 30.07.2017 at 21:49, Ruben Safir wrote:
> 2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error: user facebook: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/facebook
> 2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error: Invalid user settings. Refer to server log for more information.

Define mail_location; see https://wiki.dovecot.org/MailLocation

> # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)

And do you think it is clever to run on an EOLed distribution release?

Alexander
Re: dovecot auth errors for a new user
2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error: user facebook: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/facebook 2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error: Invalid user settings. Refer to server log for more information. On 07/30/2017 03:42 PM, Ruben Safir wrote: > I've been running dovecott without trouble for quite a why and now when > I added a new user, it is not accepting the user and I can not track the > problem. It says find more information in the server log, but it is not > in /var/log/messages or /var/log/mail.err and nothing with lsof > dovecot|grep log show anything to tail > > www:~ # dovecot -n > # 2.2.13: /etc/dovecot/dovecot.conf > # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586) > base_dir = /var/run/dovecot/ > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date ihave > namespace inbox { > inbox = yes > location = > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix = > } > passdb { > driver = pam > } > plugin { > sieve = ~/.dovecot.sieve > sieve_dir = ~/sieve > } > protocols = pop3 > ssl_cert = ssl_key = userdb { > driver = passwd > } > > > www:/etc/dovecot # dovecot --version > 2.2.13 > > > Sending of password for user facebook did not succeed. Mail server > mrbrklyn.com responded: Internal error occurred. Refer to server log for > more information. 
> > 2017-07-30T15:41:58.803006-04:00 www dovecot: pop3-login: Login: > user=, method=PLAIN, rip=10.0.0.62, lip=96.57.23.82, > mpid=25269, TLS, session= > 2017-07-30T15:41:58.812827-04:00 www dovecot: pop3(facebook): Error: > user facebook: Initialization failed: Namespace '': Mail storage > autodetection failed with home=/home/facebook > 2017-07-30T15:41:58.816903-04:00 www dovecot: pop3(facebook): Error: > Invalid user settings. Refer to server log for more information. > -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
dovecot auth errors for a new user
I've been running dovecot without trouble for quite a while and now when I added a new user, it is not accepting the user and I can not track the problem. It says find more information in the server log, but it is not in /var/log/messages or /var/log/mail.err and nothing with lsof dovecot|grep log shows anything to tail

www:~ # dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
base_dir = /var/run/dovecot/
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = pop3
ssl_cert =
ssl_key =
userdb {
  driver = passwd
}

www:/etc/dovecot # dovecot --version
2.2.13

Sending of password for user facebook did not succeed. Mail server mrbrklyn.com responded: Internal error occurred. Refer to server log for more information.

2017-07-30T15:41:58.803006-04:00 www dovecot: pop3-login: Login: user=, method=PLAIN, rip=10.0.0.62, lip=96.57.23.82, mpid=25269, TLS, session=
2017-07-30T15:41:58.812827-04:00 www dovecot: pop3(facebook): Error: user facebook: Initialization failed: Namespace '': Mail storage autodetection failed with home=/home/facebook
2017-07-30T15:41:58.816903-04:00 www dovecot: pop3(facebook): Error: Invalid user settings. Refer to server log for more information.
Re: dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11
> On May 26, 2017 at 3:26 PM dove...@jeffandjessi.com wrote:
>
> Still trying to track down a dovecot issue
>
> The error message is:
>
> dovecot: auth-worker: Fatal: master: service(auth-worker): child X killed with signal 11 (core not dumped - set service auth-worker { drop_priv_before_exec=yes })
>
> The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very basic config.
>
> Both authentications work ... the symptom is that after a connection is made the auth worker loads and emails are downloaded and everything "is fine". However, about 30 seconds to a minute after the connection is done the process dies with the error message. Then the process starts all over on the next checking of email, but again everything "works", just seeing this error and the process dying each time?
>
> Enabled all extra verbose logging, but nothing gives any clues
>
> Tried to enable core dumps, but couldn't get core dumps to work?
>
> The only thing is that a recent pkgsrc (netbsd) update created 2 packages, one for dovecot and one for mysql plugin, since then this error appears.
>
> But it appears the .so lib files are installed and linked correctly.
>
> Double checked all file permissions and user permissions as well as chroot, etc, etc, etc
>
> Can't seem to narrow this one down
>
> Any ideas on troubleshooting would be great
>
> Even tried running a trace with gdb -p on the process, but it just dies with a signal 11
>
> Anybody have any ideas how to troubleshoot this or is this a bug in the software
>
> help !!

Hi!

As mentioned before, your issue unfortunately cannot be solved without core dump. Please try https://www.dovecot.org/bugreport.html if doing all this allows you to get a core dump. Unfortunately there is no other solution at the moment, or some other way to debug this further.

Aki
dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11
Still trying to track down a dovecot issue

The error message is:

dovecot: auth-worker: Fatal: master: service(auth-worker): child X killed with signal 11 (core not dumped - set service auth-worker { drop_priv_before_exec=yes })

The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very basic config.

Both authentications work ... the symptom is that after a connection is made the auth worker loads and emails are downloaded and everything "is fine". However, about 30 seconds to a minute after the connection is done the process dies with the error message. Then the process starts all over on the next checking of email, but again everything "works", just seeing this error and the process dying each time?

Enabled all extra verbose logging, but nothing gives any clues

Tried to enable core dumps, but couldn't get core dumps to work?

The only thing is that a recent pkgsrc (netbsd) update created 2 packages, one for dovecot and one for mysql plugin, since then this error appears.

But it appears the .so lib files are installed and linked correctly.

Double checked all file permissions and user permissions as well as chroot, etc, etc, etc

Can't seem to narrow this one down

Any ideas on troubleshooting would be great

Even tried running a trace with gdb -p on the process, but it just dies with a signal 11

Anybody have any ideas how to troubleshoot this or is this a bug in the software

help !!
dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11
Trying to track down a dovecot issue

The error message is:

dovecot: auth-worker: Fatal: master: service(auth-worker): child X killed with signal 11 (core not dumped - set service auth-worker { drop_priv_before_exec=yes })

The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very basic config.

Both authentications work ... the symptom is that after a connection is made the auth worker loads and emails are downloaded and everything "is fine". However, about 30 seconds to a minute after the connection is done the process dies with the error message. Then the process starts all over on the next checking of email, but again everything "works", just seeing this error and the process dying each time?

Enabled all extra verbose logging, but nothing gives any clues

Tried to enable core dumps, but couldn't get core dumps to work?

The only thing is that a recent pkgsrc (netbsd) update created 2 packages, one for dovecot and one for mysql plugin, since then this error appears.

But it appears the .so lib files are installed and linked correctly.

Double checked all file permissions and user permissions as well as chroot, etc, etc, etc

Can't seem to narrow this one down

Any ideas on troubleshooting would be great

Even tried running a trace with gdb -p on the process, but it just dies with a signal 11
Re: dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11
On 22.05.2017 21:53, dove...@jeffandjessi.com wrote:
> Tried to enable core dumps, but couldn't get core dumps to work?
>
> The only thing is that a recent pkgsrc (netbsd) update created 2 packages, one for dovecot and one for mysql plugin, since then this error appears.
>
> But it appears the .so lib files are installed and linked correctly.
>
> Double checked all file permissions and user permissions as well as chroot, etc, etc, etc
>
> Can't seem to narrow this one down
>
> Any ideas on troubleshooting would be great
>
> Even tried running a trace with gdb -p on the process, but it just dies with a signal 11

Getting a core dump these days can be a bit troublesome:

1. mkdir /var/core && chmod 1777 /var/core
2. sysctl kernel.core_pattern=/var/core/core.%p
3. sysctl fs.suid_dumpable=2
4a. systemd: create /etc/systemd/system/dovecot.service.d/env.conf

    [Service]
    LimitCORE=infinity

4b. ulimit -c unlimited
5. set in dovecot.conf

    service auth-worker {
      chroot =
    }

6. try again
Re: dovecot/auth CPU spikes
And output from strace, nothing I can make sense of really...

10:38:46.859514 epoll_wait(16, [{EPOLLIN, {u32=1696469520, u64=15038376972816}}], 17, -1) = 1
10:38:47.768364 accept(7, {sa_family=AF_LOCAL, NULL}, [2]) = 23
10:38:47.768687 getsockname(23, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/login/log255r"}, [31]) = 0
10:38:47.768945 fcntl(23, F_GETFL) = 0x2 (flags O_RDWR)
10:38:47.769132 fcntl(23, F_SETFL, O_RDWR|O_NONBLOCK) = 0
10:38:47.769316 write(5, "372f53453", 12) = 12
10:38:47.769529 read(4, "nBW211316333t371341203251206317b367220", 16) = 16
10:38:47.769747 fstat(23, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
10:38:47.769979 lseek(23, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
10:38:47.770129 getsockname(23, {sa_family=AF_LOCAL, sun_path="/var/run/dovecot/login/log"e"}, [31]) = 0
10:38:47.770320 epoll_ctl(16, EPOLL_CTL_ADD, 23, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=1696840896, u64=15038377344192}}) = 0
10:38:47.770533 write(23, "VERSIONt1t1nMECHtPLAINtplaintext"..., 118) = 118
10:38:47.770735 epoll_wait(16, [{EPOLLIN, {u32=1696840896, u64=15038377344192}}], 17, -1) = 1
10:38:47.770927 read(23, "VERSIONt1t1nCPIDt10995n", 8192) = 23
10:38:47.771109 epoll_wait(16, [{EPOLLIN, {u32=1696840896, u64=15038377344192}}], 17, -1) = 1
10:38:47.916004 read(23, "AUTHt1tPLAINtservice=imaptsecure"..., 8169) = 145
10:38:47.916428 writev(15, [{"PENALTY-GETt2001:41d0:a::", 25}, {"n", 1}], 2) = 26
10:38:47.916851 epoll_wait(16, [{EPOLLIN, {u32=1696458048, u64=15038376961344}}], 17, 5000) = 1
10:38:47.917177 read(15, "0 0n", 332) = 4
10:38:47.917478 writev(23, [{"CONTt1t", 7}, {"n", 1}], 2) = 8
10:38:47.917835 read(15, 0xdad65237f68, 328) = -1 EAGAIN (Resource temporarily unavailable)
10:38:47.918218 epoll_wait(16, [{EPOLLIN, {u32=1696840896, u64=15038377344192}}], 17, 149998) = 1
10:38:47.919198 read(23, "CONTt1tAG5pY29sYXNAYW5kcmlsbG9uL"..., 8024) = 52
10:38:49.558718 writev(23, [{"OKt1tuser=addr...@domain.nett", 32}, {"n", 1}], 2) = 33
10:38:49.558978 epoll_wait(16, [{EPOLLIN, {u32=1696470560, u64=15038376973856}}], 17, 15) = 1
Re: dovecot/auth CPU spikes
Full dovecot -n output = # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.13 (7b14904) # OS: Linux 3.14.32--grs-ipv6-64 x86_64 Ubuntu 16.04.1 LTS ext4 auth_cache_size = 10 M auth_mechanisms = plain login default_internal_user = vmail first_valid_uid = 0 mail_location = maildir:/home/data/vmail/%d/%n mail_plugins = " fts fts_solr" mail_privileged_group = vmail maildir_stat_dirs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Archive { auto = subscribe special_use = Archive } mailbox Drafts { auto = subscribe special_use = Drafts } mailbox Junk { auto = subscribe special_use = Junk } mailbox Sent { auto = subscribe special_use = Sent } mailbox "Sent Messages" { special_use = Sent } mailbox Trash { auto = subscribe special_use = Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { antispam_backend = pipe antispam_mail_notspam = learn_ham antispam_mail_sendmail = /usr/bin/rspamc antispam_mail_sendmail_args = -h;localhost:11334;-P;q1 antispam_mail_spam = learn_spam antispam_spam = Junk antispam_trash = Trash fts = solr fts_solr = break-imap-search url=http://localhost:8080/solr/ sieve = file:~/sieve;active=~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve.d/ } postmaster_address = postmas...@domain.net protocols = imap lmtp sieve pop3 service auth-worker { unix_listener auth-worker { user = vmail } user = vmail } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { group = vmail mode = 0660 user = vmail } user = vmail } service imap-login { inet_listener imap { port = 0 } service_count = 1 } service lmtp { unix_listener 
/var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0666 user = postfix } user = vmail } service pop3-login { inet_listener pop3 { port = 0 } } ssl = required ssl_cert =
dovecot/auth CPU spikes
Hi All, I have recently moved by webmail server from a VPS to a hosted dedicated server running Ubuntu 16.04. Everything is fine except that login is particularly and consistently long (around 4-5 seconds). I have noticed that the process dovecot/auth seems to eat all of the resources of one of the cores available on the host during login. The authentication backend is a postgres database which is running absolutely fine. I have been scavenging on the dovecot mailing list for some time but I have not been able to find a solution to my problem so decided to send this bottle to the sea. Here is my config: $ sudo dovecot -n # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.13 (7b14904) # OS: Linux 3.14.32--grs-ipv6-64 x86_64 Ubuntu 16.04.1 LTS ext4 auth_cache_size = 10 M auth_mechanisms = plain login default_internal_user = vmail first_valid_uid = 0 mail_location = maildir:/home/data/vmail/%d/%n mail_plugins = " fts fts_solr" mail_privileged_group = vmail maildir_stat_dirs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Archive { auto = subscribe special_use = Archive } mailbox Drafts { auto = subscribe special_use = Drafts } mailbox Junk { auto = subscribe special_use = Junk } mailbox Sent { auto = subscribe special_use = Sent } mailbox "Sent Messages" { special_use = Sent } mailbox Trash { auto = subscribe special_use = Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { antispam_backend = pipe antispam_mail_notspam = learn_ham antispam_mail_sendmail = /usr/bin/rspamc antispam_mail_sendmail_args = -h;localhost:11334;-P;q1 antispam_mail_spam = learn_spam antispam_spam = Junk antispam_trash = Trash fts = 
solr fts_solr = break-imap-search url=http://localhost:8080/solr/ sieve = file:~/sieve;active=~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve.d/ } postmaster_address = postmas...@domain.net protocols = imap lmtp sieve pop3 service auth-worker { unix_listener auth-worker { user = vmail } user = vmail } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { group = vmail mode = 0660 user = vmail } user = vmail } service imap-login { inet_listener imap { port = 0 } service_count = 1 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0666 user = postfix } user = vmail } service pop3-login { inet_listener pop3 { port = 0 } } ssl = required ssl_cert =
Re: Dovecot auth-worker error after cram-md5 auth
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = :

On 01.02.2017 08:18, Poliman - Serwis wrote:
This is debug log files in syslog:
Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_re...@example.com
Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_re...@example.com

# I added in dovecot.conf lines in passdb block:
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out default lines
#args = /etc/dovecot/dovecot-sql.conf
#driver = sql
When I try set again default lines I got above error

Can you run doveconf -n with the configuration that causes the above error? Also it clearly does SQL lookup, so that error is happening with SQL passdb. You need to remember to restart dovecot between configuration changes.

Aki

2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

On 31.01.2017 09:06, Poliman - Serwis wrote:
I set up cram-md5 using this tutorial https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in passdb code block:
listen = *,[::]
protocols = imap pop3
#aut
Re: Dovecot auth-worker error after cram-md5 auth
t;>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote: >>> >>>>>>>>> I always restart dovecot after change config. ;) Sure, I >>> commented >>> >>>> out >>> >>>>>>>>> added two lines by me, restarted dovecot and here it is: >>> >>>>>>>>> >>> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf >>> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS >>> >>>>>>>>> auth_mechanisms = plain login cram-md5 >>> >>>>>>>>> listen = *,[::] >>> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S " >>> >>>>>>>>> mail_max_userip_connections = 100 >>> >>>>>>>>> mail_plugins = " quota" >>> >>>>>>>>> mail_privileged_group = vmail >>> >>>>>>>>> passdb { >>> >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf >>> >>>>>>>>> driver = sql >>> >>>>>>>>> } >>> >>>>>>>>> plugin { >>> >>>>>>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage >>> >>>>>>>>> sieve = /var/vmail/%d/%n/.sieve >>> >>>>>>>>> sieve_max_redirects = 25 >>> >>>>>>>>> } >>> >>>>>>>>> postmaster_address = postmas...@example.com >>> >>>>>>>>> protocols = imap pop3 >>> >>>>>>>>> service auth { >>> >>>>>>>>> unix_listener /var/spool/postfix/private/auth { >>> >>>>>>>>> group = postfix >>> >>>>>>>>> mode = 0660 >>> >>>>>>>>> user = postfix >>> >>>>>>>>> } >>> >>>>>>>>> unix_listener auth-userdb { >>> >>>>>>>>> group = vmail >>> >>>>>>>>> mode = 0600 >>> >>>>>>>>> user = vmail >>> >>>>>>>>> } >>> >>>>>>>>> user = root >>> >>>>>>>>> } >>> >>>>>>>>> service imap-login { >>> >>>>>>>>> client_limit = 1000 >>> >>>>>>>>> process_limit = 512 >>> >>>>>>>>> } >>> >>>>>>>>> service lmtp { >>> >>>>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >>> >>>>>>>>> group = postfix >>> >>>>>>>>> mode = 0600 >>> >>>>>>>>> user = postfix >>> >>>>>>>>> } >>> >>>>>>>>> } >>> >>>>>>>>> ssl = required >>> >>>>>>>>> ssl_cert = >> >>>>>>>>> ssl_cipher_list = >>> >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: >>> >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: >>> >>>>>>>> 
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ >>> >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- >>> >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- >>> >>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- >>> >>>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- >>> >>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: >>> >>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: >>> >>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- >>> >>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! >>> >>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! >>> >>>>>>>
Re: Dovecot auth-worker error after cram-md5 auth
ram-md5. >> >>>>>>> After restart all work perfectly. But after I added: >> >>>>>>>driver = passwd-file >> >>>>>>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd >> >>>>>>> I can't set default lines because I got error. Please tell me >> which >> >>>> lines >> >>>>>>> should be changed to resolve this issue. Should I remove "login" >> from >> >>>>>>> auth_mechanism ("login" was default setting and I would like to >> move >> >>>> back >> >>>>>>> to default settings)? >> >>>>>>> >> >>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: >> >>>>>>> >> >>>>>>>> Because cram-md5 needs the user's password for calculating >> >> responses, >> >>>> it >> >>>>>>>> cannot work with hashed passwords (one-way encrypted). The only >> >>>>>>>> supported password schemes are PLAIN and CRAM-MD5. >> >>>>>>>> >> >>>>>>>> Aki >> >>>>>>>> >> >>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote: >> >>>>>>>>> I always restart dovecot after change config. ;) Sure, I >> commented >> >>>> out >> >>>>>>>>> added two lines by me, restarted dovecot and here it is: >> >>>>>>>>> >> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf >> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS >> >>>>>>>>> auth_mechanisms = plain login cram-md5 >> >>>>>>>>> listen = *,[::] >> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S " >> >>>>>>>>> mail_max_userip_connections = 100 >> >>>>>>>>> mail_plugins = " quota" >> >>>>>>>>> mail_privileged_group = vmail >> >>>>>>>>> passdb { >> >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf >> >>>>>>>>> driver = sql >> >>>>>>>>> } >> >>>>>>>>> plugin { >> >>>>>>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage >> >>>>>>>>> sieve = /var/vmail/%d/%n/.sieve >> >>>>>>>>> sieve_max_redirects = 25 >> >>>>>>>>> } >> >>>>>>>>> postmaster_address = postmas...@example.com >> >>>>>>>>> protocols = imap pop3 >> >>>>>>>>> service auth { >> >>>>>>>>> unix_listener /var/spool/postfix/private/auth { >> >>>>>>>>> group = postfix >> >>>>>>>>> mode = 0660 >> 
>>>>>>>>> user = postfix >> >>>>>>>>> } >> >>>>>>>>> unix_listener auth-userdb { >> >>>>>>>>> group = vmail >> >>>>>>>>> mode = 0600 >> >>>>>>>>> user = vmail >> >>>>>>>>> } >> >>>>>>>>> user = root >> >>>>>>>>> } >> >>>>>>>>> service imap-login { >> >>>>>>>>> client_limit = 1000 >> >>>>>>>>> process_limit = 512 >> >>>>>>>>> } >> >>>>>>>>> service lmtp { >> >>>>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >> >>>>>>>>> group = postfix >> >>>>>>>>> mode = 0600 >> >>>>>>>>> user = postfix >> >>>>>>>>> } >> >>>>>>>>> } >> >>>>>>>>> ssl = required >> >>>>>>>>> ssl_cert = > >>>>>>>>> ssl_cipher_list = >> >>>>>>>>> ECDHE-RSA-AES128
Re: Dovecot auth-worker error after cram-md5 auth
t;> added two lines by me, restarted dovecot and here it is: > >>>>>>>>> > >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf > >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > >>>>>>>>> auth_mechanisms = plain login cram-md5 > >>>>>>>>> listen = *,[::] > >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S " > >>>>>>>>> mail_max_userip_connections = 100 > >>>>>>>>> mail_plugins = " quota" > >>>>>>>>> mail_privileged_group = vmail > >>>>>>>>> passdb { > >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>>>>>> driver = sql > >>>>>>>>> } > >>>>>>>>> plugin { > >>>>>>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage > >>>>>>>>> sieve = /var/vmail/%d/%n/.sieve > >>>>>>>>> sieve_max_redirects = 25 > >>>>>>>>> } > >>>>>>>>> postmaster_address = postmas...@example.com > >>>>>>>>> protocols = imap pop3 > >>>>>>>>> service auth { > >>>>>>>>> unix_listener /var/spool/postfix/private/auth { > >>>>>>>>> group = postfix > >>>>>>>>> mode = 0660 > >>>>>>>>> user = postfix > >>>>>>>>> } > >>>>>>>>> unix_listener auth-userdb { > >>>>>>>>> group = vmail > >>>>>>>>> mode = 0600 > >>>>>>>>> user = vmail > >>>>>>>>> } > >>>>>>>>> user = root > >>>>>>>>> } > >>>>>>>>> service imap-login { > >>>>>>>>> client_limit = 1000 > >>>>>>>>> process_limit = 512 > >>>>>>>>> } > >>>>>>>>> service lmtp { > >>>>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>>>>>>>> group = postfix > >>>>>>>>> mode = 0600 > >>>>>>>>> user = postfix > >>>>>>>>> } > >>>>>>>>> } > >>>>>>>>> ssl = required > >>>>>>>>> ssl_cert = >>>>>>>>> ssl_cipher_list = > >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >>>>>>>> 
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! > >>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! > >>>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>>>>>>>> ssl_dh_parameters_length = 2048 > >>>>>>>>> ssl_key = >>>>>>>>> ssl_prefer_server_ciphers = yes > >>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>>>>>>>> userdb { > >>>>>>>>> driver = prefetch > >>>>>>>>> } > >>>>>>>>> userdb { > >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>>>>>> driver = sql > >>>>>>>>> } > &
Re: Dovecot auth-worker error after cram-md5 auth
y. But after I added: > >>>>>>>driver = passwd-file > >>>>>>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > >>>>>>> I can't set default lines because I got error. Please tell me which > >>>> lines > >>>>>>> should be changed to resolve this issue. Should I remove "login" > from > >>>>>>> auth_mechanism ("login" was default setting and I would like to > move > >>>> back > >>>>>>> to default settings)? > >>>>>>> > >>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >>>>>>> > >>>>>>>> Because cram-md5 needs the user's password for calculating > >> responses, > >>>> it > >>>>>>>> cannot work with hashed passwords (one-way encrypted). The only > >>>>>>>> supported password schemes are PLAIN and CRAM-MD5. > >>>>>>>> > >>>>>>>> Aki > >>>>>>>> > >>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote: > >>>>>>>>> I always restart dovecot after change config. ;) Sure, I > commented > >>>> out > >>>>>>>>> added two lines by me, restarted dovecot and here it is: > >>>>>>>>> > >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf > >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > >>>>>>>>> auth_mechanisms = plain login cram-md5 > >>>>>>>>> listen = *,[::] > >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S " > >>>>>>>>> mail_max_userip_connections = 100 > >>>>>>>>> mail_plugins = " quota" > >>>>>>>>> mail_privileged_group = vmail > >>>>>>>>> passdb { > >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>>>>>> driver = sql > >>>>>>>>> } > >>>>>>>>> plugin { > >>>>>>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage > >>>>>>>>> sieve = /var/vmail/%d/%n/.sieve > >>>>>>>>> sieve_max_redirects = 25 > >>>>>>>>> } > >>>>>>>>> postmaster_address = postmas...@example.com > >>>>>>>>> protocols = imap pop3 > >>>>>>>>> service auth { > >>>>>>>>> unix_listener /var/spool/postfix/private/auth { > >>>>>>>>> group = postfix > >>>>>>>>> mode = 0660 > >>>>>>>>> user = postfix > >>>>>>>>> } > >>>>>>>>> unix_listener auth-userdb { > >>>>>>>>> group = vmail > 
>>>>>>>>> mode = 0600 > >>>>>>>>> user = vmail > >>>>>>>>> } > >>>>>>>>> user = root > >>>>>>>>> } > >>>>>>>>> service imap-login { > >>>>>>>>> client_limit = 1000 > >>>>>>>>> process_limit = 512 > >>>>>>>>> } > >>>>>>>>> service lmtp { > >>>>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>>>>>>>> group = postfix > >>>>>>>>> mode = 0600 > >>>>>>>>> user = postfix > >>>>>>>>> } > >>>>>>>>> } > >>>>>>>>> ssl = required > >>>>>>>>> ssl_cert = >>>>>>>>> ssl_cipher_list = > >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-
Re: Dovecot auth-worker error after cram-md5 auth
>>>> mail_privileged_group = vmail >>>>>>>>> passdb { >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf >>>>>>>>> driver = sql >>>>>>>>> } >>>>>>>>> plugin { >>>>>>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage >>>>>>>>> sieve = /var/vmail/%d/%n/.sieve >>>>>>>>> sieve_max_redirects = 25 >>>>>>>>> } >>>>>>>>> postmaster_address = postmas...@example.com >>>>>>>>> protocols = imap pop3 >>>>>>>>> service auth { >>>>>>>>> unix_listener /var/spool/postfix/private/auth { >>>>>>>>> group = postfix >>>>>>>>> mode = 0660 >>>>>>>>> user = postfix >>>>>>>>> } >>>>>>>>> unix_listener auth-userdb { >>>>>>>>> group = vmail >>>>>>>>> mode = 0600 >>>>>>>>> user = vmail >>>>>>>>> } >>>>>>>>> user = root >>>>>>>>> } >>>>>>>>> service imap-login { >>>>>>>>> client_limit = 1000 >>>>>>>>> process_limit = 512 >>>>>>>>> } >>>>>>>>> service lmtp { >>>>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >>>>>>>>> group = postfix >>>>>>>>> mode = 0600 >>>>>>>>> user = postfix >>>>>>>>> } >>>>>>>>> } >>>>>>>>> ssl = required >>>>>>>>> ssl_cert = >>>>>>>> ssl_cipher_list = >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- >>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- >>>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- >>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: >>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: >>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- >>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! >>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! 
>>>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA >>>>>>>>> ssl_dh_parameters_length = 2048 >>>>>>>>> ssl_key = >>>>>>>> ssl_prefer_server_ciphers = yes >>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 >>>>>>>>> userdb { >>>>>>>>> driver = prefetch >>>>>>>>> } >>>>>>>>> userdb { >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf >>>>>>>>> driver = sql >>>>>>>>> } >>>>>>>>> protocol imap { >>>>>>>>> mail_plugins = quota imap_quota >>>>>>>>> } >>>>>>>>> protocol pop3 { >>>>>>>>> mail_plugins = quota >>>>>>>>> pop3_uidl_format = %08Xu%08Xv >>>>>>>>> } >>>>>>>>> protocol lda { >>>>>>>>> mail_plugins = sieve quota >>>>>>>>> postmaster_address = webmaster@localhost >>>>>>>>> } >>>>>>>>> protocol lmtp { >>>>>>>>> mail_plugins = quota sieve >>>>>>>>> postmaster_address = webmaster@localhost >>>>>>>>> } >>>>>>>>> >>>>>>>>> >>>>>>>>>
Re: Dovecot auth-worker error after cram-md5 auth
; sieve = /var/vmail/%d/%n/.sieve > >>>>>>> sieve_max_redirects = 25 > >>>>>>> } > >>>>>>> postmaster_address = postmas...@example.com > >>>>>>> protocols = imap pop3 > >>>>>>> service auth { > >>>>>>> unix_listener /var/spool/postfix/private/auth { > >>>>>>> group = postfix > >>>>>>> mode = 0660 > >>>>>>> user = postfix > >>>>>>> } > >>>>>>> unix_listener auth-userdb { > >>>>>>> group = vmail > >>>>>>> mode = 0600 > >>>>>>> user = vmail > >>>>>>> } > >>>>>>> user = root > >>>>>>> } > >>>>>>> service imap-login { > >>>>>>> client_limit = 1000 > >>>>>>> process_limit = 512 > >>>>>>> } > >>>>>>> service lmtp { > >>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>>>>>> group = postfix > >>>>>>> mode = 0600 > >>>>>>> user = postfix > >>>>>>> } > >>>>>>> } > >>>>>>> ssl = required > >>>>>>> ssl_cert = >>>>>>> ssl_cipher_list = > >>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! > >>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! 
> >>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>>>>>> ssl_dh_parameters_length = 2048 > >>>>>>> ssl_key = >>>>>>> ssl_prefer_server_ciphers = yes > >>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>>>>>> userdb { > >>>>>>> driver = prefetch > >>>>>>> } > >>>>>>> userdb { > >>>>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>>>> driver = sql > >>>>>>> } > >>>>>>> protocol imap { > >>>>>>> mail_plugins = quota imap_quota > >>>>>>> } > >>>>>>> protocol pop3 { > >>>>>>> mail_plugins = quota > >>>>>>> pop3_uidl_format = %08Xu%08Xv > >>>>>>> } > >>>>>>> protocol lda { > >>>>>>> mail_plugins = sieve quota > >>>>>>> postmaster_address = webmaster@localhost > >>>>>>> } > >>>>>>> protocol lmtp { > >>>>>>> mail_plugins = quota sieve > >>>>>>> postmaster_address = webmaster@localhost > >>>>>>> } > >>>>>>> > >>>>>>> > >>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >>>>>>> > >>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote: > >>>>>>>>> This is debug log files in syslog: > >>>>>>>>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb > out: > >>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ > >>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL > >>>>>>>> m5ldD4= > >>>>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: > >>>> CONT > >>>>>>>>&g
Re: Dovecot auth-worker error after cram-md5 auth
mail/%d/%n/.quotausage > >>>>>>> sieve = /var/vmail/%d/%n/.sieve > >>>>>>> sieve_max_redirects = 25 > >>>>>>> } > >>>>>>> postmaster_address = postmas...@example.com > >>>>>>> protocols = imap pop3 > >>>>>>> service auth { > >>>>>>> unix_listener /var/spool/postfix/private/auth { > >>>>>>> group = postfix > >>>>>>> mode = 0660 > >>>>>>> user = postfix > >>>>>>> } > >>>>>>> unix_listener auth-userdb { > >>>>>>> group = vmail > >>>>>>> mode = 0600 > >>>>>>> user = vmail > >>>>>>> } > >>>>>>> user = root > >>>>>>> } > >>>>>>> service imap-login { > >>>>>>> client_limit = 1000 > >>>>>>> process_limit = 512 > >>>>>>> } > >>>>>>> service lmtp { > >>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>>>>>> group = postfix > >>>>>>> mode = 0600 > >>>>>>> user = postfix > >>>>>>> } > >>>>>>> } > >>>>>>> ssl = required > >>>>>>> ssl_cert = >>>>>>> ssl_cipher_list = > >>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! > >>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! 
> >>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>>>>>> ssl_dh_parameters_length = 2048 > >>>>>>> ssl_key = >>>>>>> ssl_prefer_server_ciphers = yes > >>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>>>>>> userdb { > >>>>>>> driver = prefetch > >>>>>>> } > >>>>>>> userdb { > >>>>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>>>> driver = sql > >>>>>>> } > >>>>>>> protocol imap { > >>>>>>> mail_plugins = quota imap_quota > >>>>>>> } > >>>>>>> protocol pop3 { > >>>>>>> mail_plugins = quota > >>>>>>> pop3_uidl_format = %08Xu%08Xv > >>>>>>> } > >>>>>>> protocol lda { > >>>>>>> mail_plugins = sieve quota > >>>>>>> postmaster_address = webmaster@localhost > >>>>>>> } > >>>>>>> protocol lmtp { > >>>>>>> mail_plugins = quota sieve > >>>>>>> postmaster_address = webmaster@localhost > >>>>>>> } > >>>>>>> > >>>>>>> > >>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >>>>>>> > >>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote: > >>>>>>>>> This is debug log files in syslog: > >>>>>>>>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb > out: > >>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ > >>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL > >>>>>>>> m5ldD4= > >>>>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: > >
Re: Dovecot auth-worker error after cram-md5 auth
vmail >>>>>>> mode = 0600 >>>>>>> user = vmail >>>>>>> } >>>>>>> user = root >>>>>>> } >>>>>>> service imap-login { >>>>>>> client_limit = 1000 >>>>>>> process_limit = 512 >>>>>>> } >>>>>>> service lmtp { >>>>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >>>>>>> group = postfix >>>>>>> mode = 0600 >>>>>>> user = postfix >>>>>>> } >>>>>>> } >>>>>>> ssl = required >>>>>>> ssl_cert = >>>>>> ssl_cipher_list = >>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: >>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: >>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ >>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- >>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- >>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- >>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- >>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: >>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: >>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- >>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! >>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! 
>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA >>>>>>> ssl_dh_parameters_length = 2048 >>>>>>> ssl_key = >>>>>> ssl_prefer_server_ciphers = yes >>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 >>>>>>> userdb { >>>>>>> driver = prefetch >>>>>>> } >>>>>>> userdb { >>>>>>> args = /etc/dovecot/dovecot-sql.conf >>>>>>> driver = sql >>>>>>> } >>>>>>> protocol imap { >>>>>>> mail_plugins = quota imap_quota >>>>>>> } >>>>>>> protocol pop3 { >>>>>>> mail_plugins = quota >>>>>>> pop3_uidl_format = %08Xu%08Xv >>>>>>> } >>>>>>> protocol lda { >>>>>>> mail_plugins = sieve quota >>>>>>> postmaster_address = webmaster@localhost >>>>>>> } >>>>>>> protocol lmtp { >>>>>>> mail_plugins = quota sieve >>>>>>> postmaster_address = webmaster@localhost >>>>>>> } >>>>>>> >>>>>>> >>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: >>>>>>> >>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote: >>>>>>>>> This is debug log files in syslog: >>>>>>>>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: >>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ >>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL >>>>>>>> m5ldD4= >>>>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: >>>> CONT >>>>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( >>>>>>>>> do_not_re...@example.com,12.173.211.32): query: SELECT email as >>>> user, >>>>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':', >>>> maildir, >>>>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as >>>>>>>> userdb_mail, >>>>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, >>>> 'B') >>>>>> AS >>>>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM >>>>>>>>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' >>>>>>>>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = >>>> '1' >>>>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password( >>>>
Re: Dovecot auth-worker error after cram-md5 auth
ner /var/spool/postfix/private/dovecot-lmtp { > >>>>> group = postfix > >>>>> mode = 0600 > >>>>> user = postfix > >>>>> } > >>>>> } > >>>>> ssl = required > >>>>> ssl_cert = >>>>> ssl_cipher_list = > >>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! > >>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! > >>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>>>> ssl_dh_parameters_length = 2048 > >>>>> ssl_key = >>>>> ssl_prefer_server_ciphers = yes > >>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>>>> userdb { > >>>>> driver = prefetch > >>>>> } > >>>>> userdb { > >>>>> args = /etc/dovecot/dovecot-sql.conf > >>>>> driver = sql > >>>>> } > >>>>> protocol imap { > >>>>> mail_plugins = quota imap_quota > >>>>> } > >>>>> protocol pop3 { > >>>>> mail_plugins = quota > >>>>> pop3_uidl_format = %08Xu%08Xv > >>>>> } > >>>>> protocol lda { > >>>>> mail_plugins = sieve quota > >>>>> postmaster_address = webmaster@localhost > >>>>> } > >>>>> protocol lmtp { > >>>>> mail_plugins = quota sieve > >>>>> postmaster_address = webmaster@localhost > >>>>> } > >>>>> > >>>>> > >>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >>>>> > >>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote: > >>>>>>> This is debug log files in syslog: > >>>>>>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: > 
>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ > >> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL > >>>>>> m5ldD4= > >>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: > >> CONT > >>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( > >>>>>>> do_not_re...@example.com,12.173.211.32): query: SELECT email as > >> user, > >>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':', > >> maildir, > >>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as > >>>>>> userdb_mail, > >>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, > >> 'B') > >>>> AS > >>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM > >>>>>>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' > >>>>>>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = > >> '1' > >>>>>>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password( > >>>>>>> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 > scheme, > >>>>>> but we > >>>>>>> have only CRYPT > >>>>>>> Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: > >>>>>>> FAIL#0112#011user=do_not_re...@example.com > >>>>>>> Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: > >>>>>>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 > >> authentication > >>>>>>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NT > kyOTQyNUB2cHMzNDI0MDEub3ZoLm5l > >>>
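The "Requested CRAM-MD5 scheme, but we have only CRYPT" line in the log excerpt quoted in this thread follows from how CRAM-MD5 (RFC 2195) checks a login. The sketch below is an added illustration, not code from the thread or from Dovecot: it decodes the challenge from that log and runs the server-side check with a PLAIN secret and with a one-way hash. The account name, password, salt, the salted SHA-256 stand-in for CRYPT and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Challenge from the "SASL CRAM-MD5 authentication failed" log line on this
# page, with the mail client's line wrapping removed.
PAGE_CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="


def decode_challenge(challenge_b64: str) -> bytes:
    """The server sends a base64-encoded, msg-id style nonce."""
    return base64.b64decode(challenge_b64)


def cram_md5_digest(key: bytes, challenge: bytes) -> str:
    """RFC 2195: hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(key, challenge, hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge: bytes) -> str:
    """What the mail client sends back: base64("<user> <hex digest>")."""
    digest = cram_md5_digest(password.encode(), challenge)
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def one_way_hash(password: str, salt: bytes) -> str:
    """Stand-in for a CRYPT-style hash (assumption: salted SHA-256, not crypt(3))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def server_verify(scheme: str, stored: str, challenge: bytes, response_b64: str):
    """Server side of the exchange. Returns (ok, reason).

    Only the PLAIN scheme is modelled. The thread also names Dovecot's own
    CRAM-MD5 scheme as usable; that one is not modelled here.
    """
    if scheme != "PLAIN":
        # The server cannot key the HMAC without the password itself.
        return False, f"Requested CRAM-MD5 scheme, but we have only {scheme}"
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = cram_md5_digest(stored.encode(), challenge)
    ok = hmac.compare_digest(expected, digest)
    return ok, ("ok" if ok else "digest mismatch")


def run_demo() -> dict:
    """Run one login against a PLAIN passdb entry and a hashed passdb entry."""
    user = "user@example.com"          # constructed account
    password = "s3cret-passphrase"     # constructed password
    salt = b"constructed-salt"         # constructed salt
    challenge = decode_challenge(PAGE_CHALLENGE_B64)
    response = client_response(user, password, challenge)
    hashed = one_way_hash(password, salt)

    client_digest = base64.b64decode(response).decode().rpartition(" ")[2]
    return {
        "challenge": challenge.decode(),
        "plain_passdb": server_verify("PLAIN", password, challenge, response),
        "crypt_passdb": server_verify("CRYPT", hashed, challenge, response),
        # Keying the HMAC with the stored hash instead of the password does
        # not reproduce the client's digest either.
        "hash_as_key_matches": hmac.compare_digest(
            cram_md5_digest(hashed.encode(), challenge), client_digest
        ),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because the server must hold the password itself to run this check, serving CRAM-MD5 from a passdb means that passdb cannot store one-way hashes.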
Re: Dovecot auth-worker error after cram-md5 auth
Are you still trying to authenticate using cram-md5? Aki On 01.02.2017 09:51, Poliman - Serwis wrote: > It still use: > passdb { > driver = passwd-file > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > } > > When I delete above and delete "cram-md5" in auth_mechanisms it still not > working. > > 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >> You are probably wanting to do >> passdb { >> driver = passwd-file >> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd >> } >> >> passdb { >> driver = sql >> args = /etc/dovecot/dovecot-sql.conf >> } >> >> Why you want to use cram-md5 is beyond me, because using SSL is much >> more safer. >> >> Aki >> >> On 01.02.2017 09:41, Poliman - Serwis wrote: >>> Default it was: "auth_mechanisms = plain login" and I added cram-md5. >>> After restart all work perfectly. But after I added: >>>driver = passwd-file >>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd >>> I can't set default lines because I got error. Please tell me which lines >>> should be changed to resolve this issue. Should I remove "login" from >>> auth_mechanism ("login" was default setting and I would like to move back >>> to default settings)? >>> >>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: >>> >>>> Because cram-md5 needs the user's password for calculating responses, it >>>> cannot work with hashed passwords (one-way encrypted). The only >>>> supported password schemes are PLAIN and CRAM-MD5. >>>> >>>> Aki >>>> >>>> On 01.02.2017 09:33, Poliman - Serwis wrote: >>>>> I always restart dovecot after change config. 
;) Sure, I commented out >>>>> added two lines by me, restarted dovecot and here it is: >>>>> >>>>> # 2.2.9: /etc/dovecot/dovecot.conf >>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS >>>>> auth_mechanisms = plain login cram-md5 >>>>> listen = *,[::] >>>>> log_timestamp = "%Y-%m-%d %H:%M:%S " >>>>> mail_max_userip_connections = 100 >>>>> mail_plugins = " quota" >>>>> mail_privileged_group = vmail >>>>> passdb { >>>>> args = /etc/dovecot/dovecot-sql.conf >>>>> driver = sql >>>>> } >>>>> plugin { >>>>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage >>>>> sieve = /var/vmail/%d/%n/.sieve >>>>> sieve_max_redirects = 25 >>>>> } >>>>> postmaster_address = postmas...@example.com >>>>> protocols = imap pop3 >>>>> service auth { >>>>> unix_listener /var/spool/postfix/private/auth { >>>>> group = postfix >>>>> mode = 0660 >>>>> user = postfix >>>>> } >>>>> unix_listener auth-userdb { >>>>> group = vmail >>>>> mode = 0600 >>>>> user = vmail >>>>> } >>>>> user = root >>>>> } >>>>> service imap-login { >>>>> client_limit = 1000 >>>>> process_limit = 512 >>>>> } >>>>> service lmtp { >>>>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >>>>> group = postfix >>>>> mode = 0600 >>>>> user = postfix >>>>> } >>>>> } >>>>> ssl = required >>>>> ssl_cert = >>>> ssl_cipher_list = >>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: >>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: >>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ >>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- >>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- >>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- >>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- >>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: >>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: >>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- >>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! 
>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! >>
Re: Dovecot auth-worker error after cram-md5 auth
It still use: passdb { driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd } When I delete above and delete "cram-md5" in auth_mechanisms it still not working. 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > You are probably wanting to do > passdb { > driver = passwd-file > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > } > > passdb { > driver = sql > args = /etc/dovecot/dovecot-sql.conf > } > > Why you want to use cram-md5 is beyond me, because using SSL is much > more safer. > > Aki > > On 01.02.2017 09:41, Poliman - Serwis wrote: > > Default it was: "auth_mechanisms = plain login" and I added cram-md5. > > After restart all work perfectly. But after I added: > >driver = passwd-file > >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > > I can't set default lines because I got error. Please tell me which lines > > should be changed to resolve this issue. Should I remove "login" from > > auth_mechanism ("login" was default setting and I would like to move back > > to default settings)? > > > > 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > > > >> Because cram-md5 needs the user's password for calculating responses, it > >> cannot work with hashed passwords (one-way encrypted). The only > >> supported password schemes are PLAIN and CRAM-MD5. > >> > >> Aki > >> > >> On 01.02.2017 09:33, Poliman - Serwis wrote: > >>> I always restart dovecot after change config. 
;) Sure, I commented out > >>> added two lines by me, restarted dovecot and here it is: > >>> > >>> # 2.2.9: /etc/dovecot/dovecot.conf > >>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > >>> auth_mechanisms = plain login cram-md5 > >>> listen = *,[::] > >>> log_timestamp = "%Y-%m-%d %H:%M:%S " > >>> mail_max_userip_connections = 100 > >>> mail_plugins = " quota" > >>> mail_privileged_group = vmail > >>> passdb { > >>> args = /etc/dovecot/dovecot-sql.conf > >>> driver = sql > >>> } > >>> plugin { > >>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage > >>> sieve = /var/vmail/%d/%n/.sieve > >>> sieve_max_redirects = 25 > >>> } > >>> postmaster_address = postmas...@example.com > >>> protocols = imap pop3 > >>> service auth { > >>> unix_listener /var/spool/postfix/private/auth { > >>> group = postfix > >>> mode = 0660 > >>> user = postfix > >>> } > >>> unix_listener auth-userdb { > >>> group = vmail > >>> mode = 0600 > >>> user = vmail > >>> } > >>> user = root > >>> } > >>> service imap-login { > >>> client_limit = 1000 > >>> process_limit = 512 > >>> } > >>> service lmtp { > >>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>> group = postfix > >>> mode = 0600 > >>> user = postfix > >>> } > >>> } > >>> ssl = required > >>> ssl_cert = >>> ssl_cipher_list = > >>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! 
> >> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! > >> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>> ssl_dh_parameters_length = 2048 > >>> ssl_key = >>> ssl_prefer_server_ciphers = yes > >>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>> userdb { > >>> driver = prefetch > >>> } > >>> userdb { > >>> args = /etc/dovecot/dovecot-sql.conf > >>> driver = sql > >>> } > >
Re: Dovecot auth-worker error after cram-md5 auth
It was only for testing purposes. That's why I want change it back to default settings. ;) I will check above lines and give response asap. 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > You are probably wanting to do > passdb { > driver = passwd-file > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > } > > passdb { > driver = sql > args = /etc/dovecot/dovecot-sql.conf > } > > Why you want to use cram-md5 is beyond me, because using SSL is much > more safer. > > Aki > > On 01.02.2017 09:41, Poliman - Serwis wrote: > > Default it was: "auth_mechanisms = plain login" and I added cram-md5. > > After restart all work perfectly. But after I added: > >driver = passwd-file > >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > > I can't set default lines because I got error. Please tell me which lines > > should be changed to resolve this issue. Should I remove "login" from > > auth_mechanism ("login" was default setting and I would like to move back > > to default settings)? > > > > 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > > > >> Because cram-md5 needs the user's password for calculating responses, it > >> cannot work with hashed passwords (one-way encrypted). The only > >> supported password schemes are PLAIN and CRAM-MD5. > >> > >> Aki > >> > >> On 01.02.2017 09:33, Poliman - Serwis wrote: > >>> I always restart dovecot after change config. 
;) Sure, I commented out > >>> added two lines by me, restarted dovecot and here it is: > >>> > >>> # 2.2.9: /etc/dovecot/dovecot.conf > >>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > >>> auth_mechanisms = plain login cram-md5 > >>> listen = *,[::] > >>> log_timestamp = "%Y-%m-%d %H:%M:%S " > >>> mail_max_userip_connections = 100 > >>> mail_plugins = " quota" > >>> mail_privileged_group = vmail > >>> passdb { > >>> args = /etc/dovecot/dovecot-sql.conf > >>> driver = sql > >>> } > >>> plugin { > >>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage > >>> sieve = /var/vmail/%d/%n/.sieve > >>> sieve_max_redirects = 25 > >>> } > >>> postmaster_address = postmas...@example.com > >>> protocols = imap pop3 > >>> service auth { > >>> unix_listener /var/spool/postfix/private/auth { > >>> group = postfix > >>> mode = 0660 > >>> user = postfix > >>> } > >>> unix_listener auth-userdb { > >>> group = vmail > >>> mode = 0600 > >>> user = vmail > >>> } > >>> user = root > >>> } > >>> service imap-login { > >>> client_limit = 1000 > >>> process_limit = 512 > >>> } > >>> service lmtp { > >>> unix_listener /var/spool/postfix/private/dovecot-lmtp { > >>> group = postfix > >>> mode = 0600 > >>> user = postfix > >>> } > >>> } > >>> ssl = required > >>> ssl_cert = >>> ssl_cipher_list = > >>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! 
> >> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! > >> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >>> ssl_dh_parameters_length = 2048 > >>> ssl_key = >>> ssl_prefer_server_ciphers = yes > >>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >>> userdb { > >>> driver = prefetch > >>> } > >>> userdb { > >>> args = /etc/dovecot/dovecot-sql.conf > >>> driver = sql > >>> } > >>> protocol imap { > >&g
Re: Dovecot auth-worker error after cram-md5 auth
You are probably wanting to do passdb { driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd } passdb { driver = sql args = /etc/dovecot/dovecot-sql.conf } Why you want to use cram-md5 is beyond me, because using SSL is much safer. Aki On 01.02.2017 09:41, Poliman - Serwis wrote: > Default it was: "auth_mechanisms = plain login" and I added cram-md5. > After restart all work perfectly. But after I added: >driver = passwd-file >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > I can't set default lines because I got error. Please tell me which lines > should be changed to resolve this issue. Should I remove "login" from > auth_mechanism ("login" was default setting and I would like to move back > to default settings)? > > 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >> Because cram-md5 needs the user's password for calculating responses, it >> cannot work with hashed passwords (one-way encrypted). The only >> supported password schemes are PLAIN and CRAM-MD5. >> >> Aki >> >> On 01.02.2017 09:33, Poliman - Serwis wrote: >>> I always restart dovecot after change config. 
;) Sure, I commented out >>> added two lines by me, restarted dovecot and here it is: >>> >>> # 2.2.9: /etc/dovecot/dovecot.conf >>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS >>> auth_mechanisms = plain login cram-md5 >>> listen = *,[::] >>> log_timestamp = "%Y-%m-%d %H:%M:%S " >>> mail_max_userip_connections = 100 >>> mail_plugins = " quota" >>> mail_privileged_group = vmail >>> passdb { >>> args = /etc/dovecot/dovecot-sql.conf >>> driver = sql >>> } >>> plugin { >>> quota = dict:user::file:/var/vmail/%d/%n/.quotausage >>> sieve = /var/vmail/%d/%n/.sieve >>> sieve_max_redirects = 25 >>> } >>> postmaster_address = postmas...@example.com >>> protocols = imap pop3 >>> service auth { >>> unix_listener /var/spool/postfix/private/auth { >>> group = postfix >>> mode = 0660 >>> user = postfix >>> } >>> unix_listener auth-userdb { >>> group = vmail >>> mode = 0600 >>> user = vmail >>> } >>> user = root >>> } >>> service imap-login { >>> client_limit = 1000 >>> process_limit = 512 >>> } >>> service lmtp { >>> unix_listener /var/spool/postfix/private/dovecot-lmtp { >>> group = postfix >>> mode = 0600 >>> user = postfix >>> } >>> } >>> ssl = required >>> ssl_cert = >> ssl_cipher_list = >>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: >> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: >> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ >> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- >> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- >> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- >> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- >> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: >> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: >> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- >> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! >> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! 
>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA >>> ssl_dh_parameters_length = 2048 >>> ssl_key = >> ssl_prefer_server_ciphers = yes >>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 >>> userdb { >>> driver = prefetch >>> } >>> userdb { >>> args = /etc/dovecot/dovecot-sql.conf >>> driver = sql >>> } >>> protocol imap { >>> mail_plugins = quota imap_quota >>> } >>> protocol pop3 { >>> mail_plugins = quota >>> pop3_uidl_format = %08Xu%08Xv >>> } >>> protocol lda { >>> mail_plugins = sieve quota >>> postmaster_address = webmaster@localhost >>> } >>> protocol lmtp { >>> mail_plugins = quota sieve >>> postmaster_address = webmaster@localhost >>> } >>> >>> >>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: >>> >>>> On 01.02.2017 08:18, Poliman - Serwis wrote: >>>>> This is debug log files in syslog: >>>>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug:
Re: Dovecot auth-worker error after cram-md5 auth
Default it was: "auth_mechanisms = plain login" and I added cram-md5. After restart all work perfectly. But after I added: driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd I can't set default lines because I got error. Please tell me which lines should be changed to resolve this issue. Should I remove "login" from auth_mechanism ("login" was default setting and I would like to move back to default settings)? 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > Because cram-md5 needs the user's password for calculating responses, it > cannot work with hashed passwords (one-way encrypted). The only > supported password schemes are PLAIN and CRAM-MD5. > > Aki > > On 01.02.2017 09:33, Poliman - Serwis wrote: > > I always restart dovecot after change config. ;) Sure, I commented out > > added two lines by me, restarted dovecot and here it is: > > > > # 2.2.9: /etc/dovecot/dovecot.conf > > # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > > auth_mechanisms = plain login cram-md5 > > listen = *,[::] > > log_timestamp = "%Y-%m-%d %H:%M:%S " > > mail_max_userip_connections = 100 > > mail_plugins = " quota" > > mail_privileged_group = vmail > > passdb { > > args = /etc/dovecot/dovecot-sql.conf > > driver = sql > > } > > plugin { > > quota = dict:user::file:/var/vmail/%d/%n/.quotausage > > sieve = /var/vmail/%d/%n/.sieve > > sieve_max_redirects = 25 > > } > > postmaster_address = postmas...@example.com > > protocols = imap pop3 > > service auth { > > unix_listener /var/spool/postfix/private/auth { > > group = postfix > > mode = 0660 > > user = postfix > > } > > unix_listener auth-userdb { > > group = vmail > > mode = 0600 > > user = vmail > > } > > user = root > > } > > service imap-login { > > client_limit = 1000 > > process_limit = 512 > > } > > service lmtp { > > unix_listener /var/spool/postfix/private/dovecot-lmtp { > > group = postfix > > mode = 0600 > > user = postfix > > } > > } > > ssl = required > > ssl_cert = > ssl_cipher_list 
= > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! > EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:! > EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > ssl_dh_parameters_length = 2048 > > ssl_key = > ssl_prefer_server_ciphers = yes > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > > userdb { > > driver = prefetch > > } > > userdb { > > args = /etc/dovecot/dovecot-sql.conf > > driver = sql > > } > > protocol imap { > > mail_plugins = quota imap_quota > > } > > protocol pop3 { > > mail_plugins = quota > > pop3_uidl_format = %08Xu%08Xv > > } > > protocol lda { > > mail_plugins = sieve quota > > postmaster_address = webmaster@localhost > > } > > protocol lmtp { > > mail_plugins = quota sieve > > postmaster_address = webmaster@localhost > > } > > > > > > 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > > > >> > >> On 01.02.2017 08:18, Poliman - Serwis wrote: > >>> This is debug log files in syslog: > >>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: > >>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL > >> m5ldD4= > >>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT > >>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( > >>> do_not_re...@example.com,12.173.211.32): query: SELECT email as user, > >>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, > >>> '/', 
IF(maildir_format='maildir','Maildir',maildir_format)) as > >> userdb_mail, > >>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') > AS >
Re: Dovecot auth-worker error after cram-md5 auth
Because cram-md5 needs the user's password for calculating responses, it cannot work with hashed passwords (one-way encrypted). The only supported password schemes are PLAIN and CRAM-MD5. Aki On 01.02.2017 09:33, Poliman - Serwis wrote: > I always restart dovecot after change config. ;) Sure, I commented out > added two lines by me, restarted dovecot and here it is: > > # 2.2.9: /etc/dovecot/dovecot.conf > # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS > auth_mechanisms = plain login cram-md5 > listen = *,[::] > log_timestamp = "%Y-%m-%d %H:%M:%S " > mail_max_userip_connections = 100 > mail_plugins = " quota" > mail_privileged_group = vmail > passdb { > args = /etc/dovecot/dovecot-sql.conf > driver = sql > } > plugin { > quota = dict:user::file:/var/vmail/%d/%n/.quotausage > sieve = /var/vmail/%d/%n/.sieve > sieve_max_redirects = 25 > } > postmaster_address = postmas...@example.com > protocols = imap pop3 > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-userdb { > group = vmail > mode = 0600 > user = vmail > } > user = root > } > service imap-login { > client_limit = 1000 > process_limit = 512 > } > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0600 > user = postfix > } > } > ssl = required > ssl_cert = ssl_cipher_list = > 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > ssl_dh_parameters_length = 2048 > ssl_key = ssl_prefer_server_ciphers = yes > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > userdb { > driver = prefetch > } > userdb { > args = /etc/dovecot/dovecot-sql.conf > driver = sql > } > protocol imap { > mail_plugins = quota imap_quota > } > protocol pop3 { > mail_plugins = quota > pop3_uidl_format = %08Xu%08Xv > } > protocol lda { > mail_plugins = sieve quota > postmaster_address = webmaster@localhost > } > protocol lmtp { > mail_plugins = quota sieve > postmaster_address = webmaster@localhost > } > > > 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>: > >> >> On 01.02.2017 08:18, Poliman - Serwis wrote: >>> This is debug log files in syslog: >>> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: >>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL >> m5ldD4= >>> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT >>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( >>> do_not_re...@example.com,12.173.211.32): query: SELECT email as user, >>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, >>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as >> userdb_mail, >>> uid as userdb_uid, gid as userdb_gid, 
CONCAT('*:storage=', quota, 'B') AS >>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM >>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' >>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1' >>> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password( >>> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, >> but we >>> have only CRYPT >>> Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: >>> FAIL#0112#011user=do_not_re...@example.com >>> Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: >>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication >>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4= >>> Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD >>> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo >>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done) >>> Feb 1 07:11:02 vps342401 C
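The point made in the message above (CRAM-MD5 cannot be checked against a one-way hash, hence "Requested CRAM-MD5 scheme, but we have only CRYPT") shown as an added Python example that is not part of the original thread. The challenge is the one in the quoted debug log; the user name, password, salt and the SHA-256 stand-in for a CRYPT hash are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Challenge copied from the "client passdb out: CONT" debug line quoted in this thread.
LOGGED_CHALLENGE_B64 = (
    "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
)


def decode_challenge(challenge_b64: str) -> bytes:
    """The server sends the challenge base64-encoded; the HMAC covers the raw bytes."""
    return base64.b64decode(challenge_b64)


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """RFC 2195: lowercase hex HMAC-MD5 keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge_b64: str) -> str:
    """What the mail client sends back: base64("user SP hexdigest")."""
    digest = cram_md5_digest(password.encode(), decode_challenge(challenge_b64))
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_secret: bytes, challenge_b64: str, response_b64: str) -> bool:
    """The server must recompute the same HMAC, so it needs the same key the client used."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = cram_md5_digest(stored_secret, decode_challenge(challenge_b64))
    return hmac.compare_digest(expected, digest)


def one_way_hash(password: str, salt: bytes) -> bytes:
    """Stand-in (assumption) for a one-way CRYPT-style hash stored in the SQL table."""
    return hashlib.sha256(salt + password.encode()).hexdigest().encode()


def demo():
    # Constructed credentials, not taken from the thread.
    user, password = "user@example.com", "correct horse"
    response = client_response(user, password, LOGGED_CHALLENGE_B64)

    # passdb holding the plaintext secret: the server can reproduce the HMAC.
    plain_ok = server_verify(password.encode(), LOGGED_CHALLENGE_B64, response)

    # passdb holding only a one-way hash: the password cannot be recovered,
    # and keying the HMAC with the hash gives a different digest.
    hashed_ok = server_verify(
        one_way_hash(password, b"constructed-salt"), LOGGED_CHALLENGE_B64, response
    )
    return plain_ok, hashed_ok


if __name__ == "__main__":
    print(decode_challenge(LOGGED_CHALLENGE_B64).decode())
    print(demo())
```
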
Re: Dovecot auth-worker error after cram-md5 auth
I always restart dovecot after change config. ;) Sure, I commented out added two lines by me, restarted dovecot and here it is: # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS auth_mechanisms = plain login cram-md5 listen = *,[::] log_timestamp = "%Y-%m-%d %H:%M:%S " mail_max_userip_connections = 100 mail_plugins = " quota" mail_privileged_group = vmail passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { quota = dict:user::file:/var/vmail/%d/%n/.quotausage sieve = /var/vmail/%d/%n/.sieve sieve_max_redirects = 25 } postmaster_address = postmas...@example.com protocols = imap pop3 service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0600 user = vmail } user = root } service imap-login { client_limit = 1000 process_limit = 512 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl = required ssl_cert = : > > > On 01.02.2017 08:18, Poliman - Serwis wrote: > > This is debug log files in syslog: > > Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: > > CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL > m5ldD4= > > Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT > > Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( > > do_not_re...@example.com,12.173.211.32): query: SELECT email as user, > > password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, > > '/', IF(maildir_format='maildir','Maildir',maildir_format)) as > userdb_mail, > > uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS > > userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM > > mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' > > do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1' > > Feb 1 07:10:26 vps342401 dovecot: 
auth-worker(27069): password( > > do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, > but we > > have only CRYPT > > Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: > > FAIL#0112#011user=do_not_re...@example.com > > Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: > > host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication > > failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4= > > Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD > > (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo > > `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done) > > Feb 1 07:11:02 vps342401 CRON[27075]: (root) CMD > > (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo > > `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done) > > Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: > > AUTH#0113#011CRAM-MD5#011service=smtp#011nologin# > 011lip=173.72.31.7#011rip=12.173.211.32#011secured > > Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: > > CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoL > m5ldD4= > > Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT > > Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql( > > do_not_re...@example.com,12.173.211.32): query: SELECT email as user, > > password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, > > '/', IF(maildir_format='maildir','Maildir',maildir_format)) as > userdb_mail, > > uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS > > userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM > > mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' > > do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1' > > Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): password( > > do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but > we > > have only CRYPT 
> > Feb 1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: > > FAIL#0113#011user=do_not_re...@example.com > > > > > > > > # > > I added in dovecot.conf lines in passdb block: > >driver = passwd-file > >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd > > and commented out default lines > > #args = /etc/dovecot/dovecot-sql.conf > > #driver = sql > > When I try set again default lines I got above error > > Can you run doveconf -n with the configur
Re: Dovecot auth-worker error after cram-md5 auth
On 01.02.2017 08:18, Poliman - Serwis wrote:
> This is debug log files in syslog:
> Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we
> have only CRYPT
> Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
> FAIL#0112#011user=do_not_re...@example.com
> Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD
> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> Feb 1 07:11:02 vps342401 CRON[27075]: (root) CMD
> (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in:
> AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
> Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
> CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
> Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
> do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we
> have only CRYPT
> Feb 1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
> FAIL#0113#011user=do_not_re...@example.com
>
>
>
> #
> I added in dovecot.conf lines in passdb block:
>driver = passwd-file
>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> and commented out default lines
> #args = /etc/dovecot/dovecot-sql.conf
> #driver = sql
> When I try set again default lines I got above error

Can you run doveconf -n with the configuration that causes the above error?

Also it clearly does SQL lookup, so that error is happening with SQL passdb. You need to remember to restart dovecot between configuration changes.

Aki

>
> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>
>>
>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>> I set up cram-md5 using this tutorial
>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>> passdb code block:
>>> listen = *,[::]
>>> protocols = imap pop3
>>> #auth_mechanisms = plain login cram-md5
>>> auth_mechanisms = cram-md5 plain login
>>> # line added below
>>> ssl = required
>>> disable_plaintext_auth = yes
>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>> mail_privileged_group = vmail
>>> postmaster_address = postmas...@vps342401.ovh.net
>>> ssl_cert =
>>> ssl_key =
>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>> ssl_cipher_list =
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>> ssl_prefer_server_ciphers = yes
>>> ssl_dh_parameters_length = 2048
>>>
>>>
>>> mail_max_userip_connections = 100
>>> passdb {
Re: Dovecot auth-worker error after cram-md5 auth
This is debug log files in syslog:

Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql( do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): password( do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_re...@example.com
Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql( do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = ' do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): password( do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_re...@example.com

#
I added in dovecot.conf lines in passdb block:
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out default lines
#args = /etc/dovecot/dovecot-sql.conf
#driver = sql
When I try set again default lines I got above error

2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

>
>
> On 31.01.2017 09:06, Poliman - Serwis wrote:
> > I set up cram-md5 using this tutorial
> > https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> > passdb code block:
> > listen = *,[::]
> > protocols = imap pop3
> > #auth_mechanisms = plain login cram-md5
> > auth_mechanisms = cram-md5 plain login
> > # line added below
> > ssl = required
> > disable_plaintext_auth = yes
> > log_timestamp = "%Y-%m-%d %H:%M:%S "
> > mail_privileged_group = vmail
> > postmaster_address = postmas...@vps342401.ovh.net
> > ssl_cert =
> > ssl_key =
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > ssl_cipher_list =
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> > ssl_prefer_server_ciphers = yes
> > ssl_dh_parameters_length = 2048
> >
> >
> > mail_max_userip_connections = 100
> > passdb {
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> > userdb {
> > driver = prefetch
> > }
> > userdb {
> > args = /etc/dovecot/dovecot-sql.conf
> > driver = sql
> > }
> > Of course I created cram-md5.pwd file. All mails go out and come nicely.
> > But after I want to do default settings by commented out these two lines:
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > and uncomment
> > # args = /etc/doveco
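The failure recorded in the log above, as an added Python example (not code from this thread or from Dovecot): it parses auth debug lines of this shape, decodes the CRAM-MD5 challenge, pairs each FAIL with the auth-worker's scheme complaint, and shows that checking a CRAM-MD5 response needs the shared secret as the HMAC key, which a one-way CRYPT hash cannot supply. The sample lines are constructed (placeholder host, user and IP addresses; the two base64 challenges are the ones in the excerpt), the function names are assumptions, and the secret in the demo is the example value from RFC 2195.

```python
import base64
import hashlib
import hmac
import re

# Dovecot's auth protocol is tab-separated; syslog shows each tab as "#011".
TAB = "#011"
AUTH_IO = re.compile(r"dovecot: auth: Debug: client (in|passdb out): (.*)$")
MISMATCH = re.compile(
    r"password\(\s*([^,\s]+)\s*,[^)]*\): "
    r"Requested (\S+) scheme, but we have only (\S+)"
)

# Constructed sample modelled on the excerpt in this thread. Host, user and IP
# addresses are placeholders; the two base64 challenges are the excerpt's own.
SAMPLE_LOG = """\
Feb 1 07:10:25 mail dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:10:26 mail dovecot: auth: Debug: client in: CONT
Feb 1 07:10:26 mail dovecot: auth-worker(27069): password(user@example.com, 192.0.2.10): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:10:28 mail dovecot: auth: Debug: client passdb out: FAIL#0112#011user=user@example.com
Feb 1 07:11:11 mail dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=198.51.100.7#011rip=192.0.2.10#011secured
Feb 1 07:11:11 mail dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb 1 07:11:11 mail dovecot: auth: Debug: client in: CONT
Feb 1 07:11:11 mail dovecot: auth-worker(27069): password(user@example.com,192.0.2.10): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb 1 07:11:13 mail dovecot: auth: Debug: client passdb out: FAIL#0113#011user=user@example.com
""".splitlines()


def analyze(lines):
    """Return one finding per FAIL: request id, user, mechanism, challenge, stored scheme."""
    requests = {}    # request id -> {"mech": ..., "challenge": ...}
    mismatches = {}  # user -> (requested scheme, stored scheme)
    findings = []
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            mismatches[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = AUTH_IO.search(line)
        if not m:
            continue
        direction, payload = m.groups()
        fields = payload.split(TAB)
        if len(fields) < 2:
            continue  # bare "CONT", as in the excerpt: nothing to correlate
        cmd, req_id = fields[0], fields[1]
        req = requests.setdefault(req_id, {"mech": None, "challenge": None})
        if direction == "in" and cmd == "AUTH" and len(fields) > 2:
            req["mech"] = fields[2]
        elif direction == "passdb out" and cmd == "CONT" and len(fields) > 2:
            req["challenge"] = base64.b64decode(fields[2]).decode("ascii", "replace")
        elif direction == "passdb out" and cmd == "FAIL":
            params = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
            user = params.get("user")
            requested, stored = mismatches.get(user, (None, None))
            findings.append({
                "id": req_id,
                "user": user,
                # The AUTH line may precede the excerpt (request 2 here), so
                # fall back to the scheme named by the auth-worker.
                "mech": req["mech"] or requested,
                "challenge": req["challenge"],
                "stored_scheme": stored,
            })
    return findings


def cram_md5_response(user, secret, challenge):
    """RFC 2195 client response: user, space, hex HMAC-MD5 keyed with the secret."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response, secret, challenge):
    """Server-side check. It needs `secret` itself as the HMAC key; a crypt()
    hash of the password is not that key, hence the 'only CRYPT' error."""
    user = response.partition(" ")[0]
    return hmac.compare_digest(cram_md5_response(user, secret, challenge), response)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    # Challenge and secret are the example values from RFC 2195.
    chal = "<1896.697170952@postoffice.reston.mci.net>"
    print(cram_md5_response("tim", "tanstaaftanstaaf", chal))
```

The decoded challenge ends in the server's hostname and carries a Unix timestamp, so it can be matched against the syslog time when correlating entries.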
Re: Dovecot auth-worker error after cram-md5 auth
On 31.01.2017 09:47, Poliman - Serwis wrote:
> Output will be in console or in some kind of log file?
>
> 2017-01-31 8:27 GMT+01:00 Evgeniy Korneechev <ekorneec...@altlinux.org>:
>
>> - Original message -
>>> From: "Poliman - Serwis" <ser...@poliman.pl>
>>> To: "Aki Tuomi" <aki.tu...@dovecot.fi>
>>> Cc: "dovecot" <dovecot@dovecot.org>
>>> Sent: Tuesday, 31 January 2017 10:16:48
>>> Subject: Re: Dovecot auth-worker error after cram-md5 auth
>>> Thank You for answer. Where could I setup these two lines?
>> dovecot.conf?
>>
>> --
>> WBR,
>> BaseALT/ALTLinux Team
>>
>
>

That depends on your logging settings, but it will emit them into whatever your debug_log_path is. Default is syslog.

Aki
Re: Dovecot auth-worker error after cram-md5 auth
Output will be in console or in some kind of log file?

2017-01-31 8:27 GMT+01:00 Evgeniy Korneechev <ekorneec...@altlinux.org>:

> - Original message -
> > From: "Poliman - Serwis" <ser...@poliman.pl>
> > To: "Aki Tuomi" <aki.tu...@dovecot.fi>
> > Cc: "dovecot" <dovecot@dovecot.org>
> > Sent: Tuesday, 31 January 2017 10:16:48
> > Subject: Re: Dovecot auth-worker error after cram-md5 auth
>
> > Thank You for answer. Where could I setup these two lines?
>
> dovecot.conf?
>
> --
> WBR,
> BaseALT/ALTLinux Team
>

--
*Regards / Best Regards*
*Piotr Bracha*
*tel. 534 555 877*
*ser...@poliman.pl <ser...@poliman.pl>*
Re: Dovecot auth-worker error after cram-md5 auth
- Original message -
> From: "Poliman - Serwis" <ser...@poliman.pl>
> To: "Aki Tuomi" <aki.tu...@dovecot.fi>
> Cc: "dovecot" <dovecot@dovecot.org>
> Sent: Tuesday, 31 January 2017 10:16:48
> Subject: Re: Dovecot auth-worker error after cram-md5 auth

> Thank You for answer. Where could I setup these two lines?

dovecot.conf?

--
WBR,
BaseALT/ALTLinux Team
Re: Dovecot auth-worker error after cram-md5 auth
Thank You for answer. Where could I setup these two lines?

2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

>
>
> On 31.01.2017 09:06, Poliman - Serwis wrote:
> > I set up cram-md5 using this tutorial
> > https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> > passdb code block:
> > listen = *,[::]
> > protocols = imap pop3
> > #auth_mechanisms = plain login cram-md5
> > auth_mechanisms = cram-md5 plain login
> > # line added below
> > ssl = required
> > disable_plaintext_auth = yes
> > log_timestamp = "%Y-%m-%d %H:%M:%S "
> > mail_privileged_group = vmail
> > postmaster_address = postmas...@vps342401.ovh.net
> > ssl_cert =
> > ssl_key =
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > ssl_cipher_list =
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> > ssl_prefer_server_ciphers = yes
> > ssl_dh_parameters_length = 2048
> >
> >
> > mail_max_userip_connections = 100
> > passdb {
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> > userdb {
> > driver = prefetch
> > }
> > userdb {
> > args = /etc/dovecot/dovecot-sql.conf
> > driver = sql
> > }
> > Of course I created cram-md5.pwd file. All mails go out and come nicely.
> > But after I want to do default settings by commented out these two lines:
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > and uncomment
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > I can't send emails - I use Thunderbird - get error "logging on server
> > mail.example.com not work out". Error in logs:
> > dovecot: auth-worker(22698): Error: Auth worker sees different
> > passdbs/userdbs than auth server.
> > dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
> >
> > Is it possible that hashed password from cram-md5.pwd file was written to
> > database (if yes then where - I have ISPconfig)? I wasn't change any userdb
> > {} block and this second userdb block has this same lines like default
> > settings in passdb block.
> >
> Try
>
> auth_debug=yes
> auth_verbose=yes
>
> and see if it gives any more reasonable messages.
>
> Aki
>

--
*Regards / Best Regards*
*Piotr Bracha*
*tel. 534 555 877*
*ser...@poliman.pl <ser...@poliman.pl>*
Re: Dovecot auth-worker error after cram-md5 auth
On 31.01.2017 09:06, Poliman - Serwis wrote:
> I set up cram-md5 using this tutorial
> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> passdb code block:
> listen = *,[::]
> protocols = imap pop3
> #auth_mechanisms = plain login cram-md5
> auth_mechanisms = cram-md5 plain login
> # line added below
> ssl = required
> disable_plaintext_auth = yes
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_privileged_group = vmail
> postmaster_address = postmas...@vps342401.ovh.net
> ssl_cert =
> ssl_key =
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> ssl_prefer_server_ciphers = yes
> ssl_dh_parameters_length = 2048
>
>
> mail_max_userip_connections = 100
> passdb {
> # args = /etc/dovecot/dovecot-sql.conf
> # driver = sql
> driver = passwd-file
> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
> userdb {
> driver = prefetch
> }
> userdb {
> args = /etc/dovecot/dovecot-sql.conf
> driver = sql
> }
> Of course I created cram-md5.pwd file. All mails go out and come nicely.
> But after I want to do default settings by commented out these two lines:
> driver = passwd-file
> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> and uncomment
> # args = /etc/dovecot/dovecot-sql.conf
> # driver = sql
> I can't send emails - I use Thunderbird - get error "logging on server
> mail.example.com not work out". Error in logs:
> dovecot: auth-worker(22698): Error: Auth worker sees different
> passdbs/userdbs than auth server.
> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>
> Is it possible that hashed password from cram-md5.pwd file was written to
> database (if yes then where - I have ISPconfig)? I wasn't change any userdb
> {} block and this second userdb block has this same lines like default
> settings in passdb block.
>

Try

auth_debug=yes
auth_verbose=yes

and see if it gives any more reasonable messages.

Aki
Dovecot auth-worker error after cram-md5 auth
I set up cram-md5 using this tutorial https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in passdb code block:

listen = *,[::]
protocols = imap pop3
#auth_mechanisms = plain login cram-md5
auth_mechanisms = cram-md5 plain login
# line added below
ssl = required
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmas...@vps342401.ovh.net
ssl_cert = *
Re: Haproxy and Dovecot auth
On 15 Oct 2015, at 20:26, Giuseppe Civitella wrote:
> When I redirect the smtpd_sasl_path through an Haproxy balanced
> connection, I receive an error the first time I try to send an email.
> The error is:
> SASL PLAIN authentication failed: Connection lost to authentication server
> If then I send more emails I receive no errors.
> If I do not send emails for a few minutes, the error appears again.

We’ve seen this happen as well, and concluded that this is caused by the Postfix SASL client not recovering gracefully from lost TCP connections.

If I remember correctly, Postfix keeps a SASL authentication connection open for re-use, but when this connection breaks down (e.g. due to a time out in the TCP connection itself or due to Dovecot closing it on the other end due to inactivity) then the next/first authentication attempt fails. Postfix will then not handle this error as a temporary failure, but as an authentication failure (i.e. ‘wrong username/password’). After this, it will close the connection and the next authentication attempt will re-establish the connection, and that will of course succeed again. This explains why you get this error only the first time (because it failed due to the old/broken connection) and why after a few minutes the error appears again (because by then the connection is stale again).

Now, I haven’t actually confirmed this, but I’m pretty sure the problem is in the Dovecot SASL client in Postfix. It is written with the assumption that the connection is over a UNIX socket. In those cases a broken connection is detected earlier/differently (EPIPE) and Postfix will actually recover by reconnecting and trying again.

You might be able to confirm and possibly work around this issue by forwarding UNIX socket connections to TCP, with tools like socat, netcat, spiped etc.

-Arjan
Haproxy and Dovecot auth
Hi all,

I'd like to use Haproxy to balance an auth service on a couple of Dovecot directors to have a redundant sasl service for my Postfix instances.

While I configure the Postfixes to use, as smtpd_sasl_path, a direct connection to one of the directors I notice no errors. When I redirect the smtpd_sasl_path through an Haproxy balanced connection, I receive an error the first time I try to send an email. The error is:

SASL PLAIN authentication failed: Connection lost to authentication server

If then I send more emails I receive no errors. If I do not send emails for a few minutes, the error appears again.

The relevant Haproxy configuration is the following:

listen auth *:12345
    mode tcp
    balance source
    log global
    option tcplog
    option log-health-checks
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1000 fall 3 rise 1
    server dovecot-director01 dovecot-director01:12345 check

Does anyone have an idea about what is missing?

Thanks a lot
Giuseppe

--
Giuseppe Civitella
gcivite...@entermail.it
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
On 08 Oct 2015, at 22:46, Heiko Schlittermannwrote: > > Hi, > > I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13 > there seems to be the same bug/feature). > > The userdb and passdb use LDAP. All further configuration is done in > auth-ldap.conf.ext. > >uri = ldaps:/// ># tls = >tls_cert_file = /etc/ssl/certs/client-cert.pem >tls_key_file = /etc/ssl/certs/client-key.file > > Dovecot ignores the tls_* options. If I use an ldap:// URI and > switch on TLS using tls=yes it works as expected. > > But I do not see any reason why LDAPS should not read the tls_* > settings. I guess. > This small patch solved it for me > > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100 > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 21:24:47.051446465 > +0200 > @@ -1043,7 +1043,7 @@ > > static void db_ldap_set_tls_options(struct ldap_connection *conn) > { > - if (!conn->set.tls) > + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0)) >return; That's a bit ugly. I think also the URIs support multiple ones, so some ldap and some ldaps URLs could even be mixed, which of course would be quite ugly.. I think the fix is to just remove the if (tls)-check completely. I don't think setting those harms anything even if tls/ldaps isn't being used?
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
Timo Sirainen(Di 13 Okt 2015 20:19:54 CEST): .. > > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100 > > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 > > 21:24:47.051446465 +0200 > > @@ -1043,7 +1043,7 @@ > > > > static void db_ldap_set_tls_options(struct ldap_connection *conn) > > { > > - if (!conn->set.tls) > > + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0)) > >return; > > That's a bit ugly. I think also the URIs support multiple ones, so some ldap > and some ldaps URLs could even be mixed, which of course would be quite > ugly.. I think the fix is to just remove the if (tls)-check completely. I > don't think setting those harms anything even if tls/ldaps isn't being used? Yes, thinking about mixed schema in the URIs whould have been my next question :) Ok, I can test what happens if we set tls_options w/o using LDAP+TLS or LDAPS at all. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Dovecot auth-ldap ignores tls_* settings when using ldaps://
Hi, I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13 there seems to be the same bug/feature). The userdb and passdb use LDAP. All further configuration is done in auth-ldap.conf.ext. uri = ldaps:/// # tls = tls_cert_file = /etc/ssl/certs/client-cert.pem tls_key_file = /etc/ssl/certs/client-key.file Dovecot ignores the tls_* options. If I use an ldap:// URI and switch on TLS using tls=yes it works as expected. But I do not see any reason why LDAPS should not read the tls_* settings. This small patch solved it for me --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100 +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 21:24:47.051446465 +0200 @@ -1043,7 +1043,7 @@ static void db_ldap_set_tls_options(struct ldap_connection *conn) { - if (!conn->set.tls) + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0)) return; #ifdef OPENLDAP_TLS_OPTIONS It would be great, if somebody can confirm this and if this or some equivalent patch could make it upstream. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
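Review bot: the `strncmp(conn->set.uris, "ldaps:", 6)` test added to `db_ldap_set_tls_options()` looks only at the first six bytes of `conn->set.uris`, so it covers a single URI at the start of the string: if `uris` lists several servers and the `ldaps://` entry is not first, the function still returns early and the tls_* settings are skipped for it. The comparison is also case-sensitive although URI schemes are not, so `LDAPS://` would fall through to the early return. Either check every URI in the list case-insensitively, or drop the early return as proposed in the reply so the options are always applied. The hunk does not show whether `conn->set.uris` can be unset at this point; if it can, the `strncmp` call needs a NULL guard first.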
Re: dovecot auth using 100% CPU
Edward Betts edw...@4angle.com:

> Jorge Bastos mysql.jo...@decimal.pt wrote:
>> What do you see in the logs? My guess is that someone is trying a brute force auth against you,
>
> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP authentication. The exim4 logs show brute force attacks.

A little late response, but since you're using debian you could try pulling in fail2ban:

 apt-get install fail2ban

fail2ban scans the logs of various services for attacks and firewalls out the attacking IP addresses.

There are no built-in rules for exim or dovecot in the debian fail2ban package, but there is something here that could possibly be adapted...?
 http://wiki2.dovecot.org/HowTo/Fail2Ban

Here's a filter for exim:
 https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf
Re: dovecot auth using 100% CPU
On Friday, 03.07.2015, at 14:28 +0200, Steinar Bang wrote:

> fail2ban scans the logs of various services for attacks and firewalls out the attacking IP addresses. There are no built-in rules for exim or dovecot in the debian fail2ban package, but there is something here that could possibly be adapted...?

Are you talking about wheezy or jessie?

jessie has rules. But they need to be enabled like this:

# cat /etc/fail2ban/jail.d/local.conf
[exim]
enabled = true
[exim-spam]
enabled = true
[dovecot]
enabled = true
Re: dovecot auth using 100% CPU
On Friday, 03.07.2015, at 21:53 +0200, Steinar Bang wrote:

> Felix Zielcke fziel...@z-51.de:
>> Are you talking about wheezy or jessie?
>
> Well I looked on a jessie system, but the fail2ban was pulled in when it was wheezy (or maybe even easier).

They're in /etc/fail2ban/filter.d

And yes I also needed a while to figure this system out. Especially that they need to be enabled in a jaild/*.conf file. Though this is a fresh Debian jessie install. And files in /etc are specially handled on upgrades, instead of all the other files in a Debian package.
Re: dovecot auth using 100% CPU
Felix Zielcke fziel...@z-51.de:

> Are you talking about wheezy or jessie?

Well I looked on a jessie system, but the fail2ban was pulled in when it was wheezy (or maybe even easier).

> jessie has rules. But they need to be enabled like this:
>
> # cat /etc/fail2ban/jail.d/local.conf
> [exim]
> enabled = true
> [exim-spam]
> enabled = true
> [dovecot]
> enabled = true

Ok, thanks!
Re: Dovecot auth username mapping
On 2015-07-02 at 01:41, Laz C. Peterson wrote:
> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow.
> Any thoughts to this?

In case you have multiple passdb backends, it could be, that LDAP only gets its chance, after PAM did time out.

--
peter
Re: Dovecot auth username mapping
Hi Laz,

I’m just wondering… why are you using LDAP and/or PAM to access the MySQL server? If also the password is stored in the db you could use MySQL directly? Because then you could use password_query and user_query to actually split the provided email address into name and domain parts. Then you can lookup each individually or adjust as needed...

I have something like this:

user_query = SELECT CONCAT('/var/mail/virtual/', SUBSTRING(`mail_addr`, LOCATE('@', `mail_addr`) +1 ), '/', \
  SUBSTRING(`mail_addr`, 1, LOCATE('@', `mail_addr`) -1) ) AS 'home', '1000' AS 'uid', \
  '8' AS 'gid', CONCAT('*:bytes=', `quota`, 'M') AS 'quota_rule' FROM `mail_users` \
  WHERE `mail_addr` = '%u' AND `status` = 'ok' AND `mail_type` LIKE '%%_mail%%'

With an SQL statement you could even use sub-selects and whatnot to do complicated things. Perhaps you could do something similar with the LDAP string but I never used LDAP that much…

Philon

On 02.07.2015 at 02:27, Laz C. Peterson l...@paravis.net wrote:

> It’s actually unbelievable how much slower LDAP auth is than PAM. Does anyone have any suggestions how I can improve Dovecot LDAP auth? I have tried caching authentications and that doesn’t help either.
>
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
>
> On Jul 1, 2015, at 4:41 PM, Laz C. Peterson l...@paravis.net wrote:
>
>> Thank you for the response Axel. I will look into that.
>>
>> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately. When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing. I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow!
>>
>> This would definitely be an option though, as it does serve the purpose. I just can’t figure out how to fix the performance issue. Any thoughts to this?
>>
>> ~ Laz Peterson
>> Paravis, LLC
>> Ph: 951.319.3240 x201
>>
>> On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:
>>
>>> On 1 Jul 2015 at 04:38, Laz C. Peterson wrote:
>>>> I have an interesting case here …
>>>>
>>>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL and my email address would be l...@paravis.net. All of this works just fine.
>>>>
>>>> But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address and why we have to have two separate identities that mean the same thing.
>>>>
>>>> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username. I’m sure there has to be a way.
>>>>
>>>> Any help will be greatly appreciated. Thank you!
>>>
>>> Hello Laz,
>>>
>>> I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar. Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
>>>
>>> That said, I hope to be wrong,
>>> Axel
Re: Dovecot auth username mapping
Peter,

Yes that is a possibility. I will try disabling PAM (or switching the auth order) and see if that makes a difference. Thanks for the suggestion!

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

On Jul 1, 2015, at 11:34 PM, Peter Chiochetti p...@myzel.net wrote:

> On 2015-07-02 at 01:41, Laz C. Peterson wrote:
>> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow.
>> Any thoughts to this?
>
> In case you have multiple passdb backends, it could be, that LDAP only gets its chance, after PAM did time out.
>
> --
> peter
Re: Dovecot auth username mapping
Ahh Peter, good call on this one! beating head into desk, pause, beating head into desk again, thumbs up

So after playing around with the order of authentication in Dovecot, you are correct, the PAM timeout was causing the holdup. I guess since PAM has no way of looking up whether or not a user exists prior to authenticating, this is causing the hiccup, versus LDAP which can search for a user’s existence prior to the auth.

Switching these around, I notice almost *no* degradation in performance for PAM authentications, and the LDAP authentications run smooth as I would hope them to.

Awesome, so now we have our solution! (I think.)

Gotta say, a lot of love goes out to the Dovecot community (especially Timo!) for all the inspiration and help that I’ve received. Dovecot is a great app and this community is the backbone of it all. Cheers to all!

Thanks again.

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

On Jul 2, 2015, at 6:25 AM, Laz C. Peterson l...@paravis.net wrote:

> Peter,
>
> Yes that is a possibility. I will try disabling PAM (or switching the auth order) and see if that makes a difference. Thanks for the suggestion!
>
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
>
> On Jul 1, 2015, at 11:34 PM, Peter Chiochetti p...@myzel.net wrote:
>
>> On 2015-07-02 at 01:41, Laz C. Peterson wrote:
>>> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow.
>>> Any thoughts to this?
>>
>> In case you have multiple passdb backends, it could be, that LDAP only gets its chance, after PAM did time out.
>>
>> --
>> peter
Re: Dovecot auth username mapping
On 1 Jul 2015 at 04:38, Laz C. Peterson wrote:

> I have an interesting case here …
>
> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL and my email address would be l...@paravis.net. All of this works just fine.
>
> But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address and why we have to have two separate identities that mean the same thing.
>
> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username. I’m sure there has to be a way.
>
> Any help will be greatly appreciated. Thank you!

Hello Laz,

I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar. Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.

That said, I hope to be wrong,
Axel
Re: Dovecot auth username mapping
Thank you for the response Axel. I will look into that.

I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately. When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing. I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow!

This would definitely be an option though, as it does serve the purpose. I just can’t figure out how to fix the performance issue. Any thoughts to this?

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:

> On 1 Jul 2015 at 04:38, Laz C. Peterson wrote:
>> I have an interesting case here …
>>
>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL and my email address would be l...@paravis.net. All of this works just fine.
>>
>> But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address and why we have to have two separate identities that mean the same thing.
>>
>> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username. I’m sure there has to be a way.
>>
>> Any help will be greatly appreciated. Thank you!
>
> Hello Laz,
>
> I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar. Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
>
> That said, I hope to be wrong,
> Axel
Re: Dovecot auth username mapping
It’s actually unbelievable how much slower LDAP auth is than PAM.

Does anyone have any suggestions how I can improve Dovecot LDAP auth? I have tried caching authentications and that doesn’t help either.

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

On Jul 1, 2015, at 4:41 PM, Laz C. Peterson l...@paravis.net wrote:

> Thank you for the response Axel. I will look into that.
>
> I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP authentication, but now performance is unbelievably slow. For example, with PAM/Kerberos, a user can log into webmail and have all of their emails/folders showing almost immediately. When using Dovecot LDAP, it takes literally 8-10 seconds to see the same thing.
>
> I was hoping that was a possible replacement for this, but my goodness it was so incredibly slow! This would definitely be an option though, as it does serve the purpose. I just can’t figure out how to fix the performance issue.
>
> Any thoughts to this?
>
> ~ Laz Peterson
> Paravis, LLC
> Ph: 951.319.3240 x201
>
> On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:
>
>> On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
>>
>>> I have an interesting case here …
>>>
>>> Virtual mailboxes, domain/username/aliases stored in MySQL, authentication done using PAM. PAM authenticates through Kerberos, which are internal realms and not the email domains — for example, my username would be laz@PARAVIS.LOCAL and my email address would be l...@paravis.net. All of this works just fine.
>>>
>>> But what I want to do is allow the users to log in using their email address and not their full Kerberos name. It is becoming laborious to help the users understand the difference between their username@LOCAL.REALM and username@email.address and why we have to have two separate identities that mean the same thing.
>>>
>>> I have the SQL statements to convert either the Kerberos login or the email address to the actual Kerberos login (so they may use either). But I cannot seem to figure out how to get Dovecot to acknowledge this as the mapped username.
>>>
>>> I’m sure there has to be a way. Any help will be greatly appreciated. Thank you!
>>
>> Hello Laz,
>>
>> I fear you’ll have to resort to CheckPassword (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
>>
>> Indeed, your MySql database may contain everything needed to convert email addresses to kerb login (and vice-versa), but Dovecot’s PAM interface understandably just knows about a (login, password) pair, where the login is the one provided by the user wanting to log in.
>>
>> That said, I hope to be wrong,
>> Axel
Re: dovecot auth using 100% CPU
Jorge Bastos mysql.jo...@decimal.pt wrote:
> What do you see in the logs?
> My guess is that someone is trying a brute force auth against you,

Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP authentication. The exim4 logs show brute force attacks.

--
Edward.
Re: dovecot auth using 100% CPU
On 2015-06-21 10:41:48 +0100, Edward Betts wrote:
> 0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
> 0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)

something is fishy in your setup

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
RE: dovecot auth using 100% CPU
What do you see in the logs?
My guess is that someone is trying a brute force auth against you,

-----Original Message-----
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Edward Betts
Sent: Sunday, 21 June 2015 10:42
To: dovecot@dovecot.org
Subject: dovecot auth using 100% CPU

Every few days I find that dovecot auth is using all my CPU. This is from dovecot 2.2.13, I've just upgraded to 2.2.18

strace -r -p 17956 output:

Process 17956 attached
0.00 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.57 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.43 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.35 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.20 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.27 close(19) = 0
0.29 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.27 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
0.28 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.29 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
0.33 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.33 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.26 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.30 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.29 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.15 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.27 close(19) = 0
0.28 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.36 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
0.26 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.24 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
0.34 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.30 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.25 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.31 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.36 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.30 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.16 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.27 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.28 close(19) = 0

Any ideas what's wrong? The machine is running Debian.

--
Edward.
dovecot auth using 100% CPU
Every few days I find that dovecot auth is using all my CPU. This is from dovecot 2.2.13, I've just upgraded to 2.2.18

strace -r -p 17956 output:

Process 17956 attached
0.00 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.57 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.43 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.35 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.20 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.27 close(19) = 0
0.29 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.27 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
0.28 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.29 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
0.33 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.33 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.26 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.30 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.29 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.15 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.27 close(19) = 0
0.28 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.36 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
0.26 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.24 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
0.34 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.30 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
0.25 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.31 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.36 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 EPIPE (Broken pipe)
0.30 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.16 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.31 read(19, , 8192)= 0
0.27 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.28 close(19) = 0

Any ideas what's wrong? The machine is running Debian.

--
Edward.
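The trace in the post above repeats one cycle: connect to the auth-worker socket, a handshake write that fails with EPIPE, close, then a new socket. The following is an added example, not code from the thread or from Dovecot, that counts such cycles in `strace -r` output; the sample trace is constructed (its deltas and the healthy cycle are made up) and the function names are illustrative.

```python
import re

LINE_RE = re.compile(r'^\s*(?P<delta>\d+\.\d+)\s+(?P<rest>.*)$')
CALL_RE = re.compile(r'(?P<name>\w+)\((?P<args>.*)\)\s*=\s*'
                     r'(?P<ret>-?\d+|0x[0-9a-f]+)(?:\s+(?P<errno>[A-Z]+)\b)?')

# Constructed sample in `strace -r` layout (delta since previous line, call, result).
FAILED = r'''     0.000029 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
     0.000029 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"}, 110) = 0
     0.000035 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)
     0.000029 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
     0.000015 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
     0.000031 read(19, "", 8192) = 0
     0.000027 close(19) = 0
'''
HEALTHY = r'''     0.000030 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
     0.000028 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"}, 110) = 0
     0.000033 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = 97
     0.250000 read(19, "VERSION\tauth-worker\t1\t0\n"..., 8192) = 25
     0.000030 close(19) = 0
'''
SAMPLE_TRACE = 'Process 17956 attached\n' + FAILED * 3 + HEALTHY + FAILED


def parse_trace(text):
    """Yield (delta_seconds, syscall_or_None, args, errno_or_None) per timed line."""
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if not lm:
            continue                      # e.g. "Process 17956 attached"
        cm = CALL_RE.match(lm['rest'])
        if cm:
            yield float(lm['delta']), cm['name'], cm['args'], cm['errno']
        else:
            yield float(lm['delta']), None, '', None   # signal lines still cost time


def reconnect_cycles(text, sock_name='auth-worker'):
    """Return one record per connect()..close() cycle on the named unix socket."""
    cycles, open_fds = [], {}
    for delta, name, args, errno in parse_trace(text):
        fd = args.split(',', 1)[0].strip()
        for cyc in open_fds.values():
            cyc['seconds'] += delta       # time spent since the connect() call
        if name == 'connect' and 'sun_path=' in args and sock_name in args:
            open_fds[fd] = {'fd': fd, 'seconds': 0.0, 'epipe': False}
        elif fd in open_fds:
            if name == 'write' and errno == 'EPIPE':
                open_fds[fd]['epipe'] = True
            elif name == 'close':
                cycles.append(open_fds.pop(fd))
    return cycles


def summarize(cycles):
    """Count failed cycles and the longest uninterrupted run of them."""
    failed = [c for c in cycles if c['epipe']]
    longest = run = 0
    for c in cycles:
        run = run + 1 if c['epipe'] else 0
        longest = max(longest, run)
    mean = sum(c['seconds'] for c in failed) / len(failed) if failed else 0.0
    return {'cycles': len(cycles), 'epipe_cycles': len(failed),
            'longest_epipe_run': longest, 'mean_failed_cycle_s': mean}
```

A long run of EPIPE cycles that each last well under a millisecond is the busy-loop signature; a real trace captured with `strace -r -p <pid>` can be passed to `reconnect_cycles` as a string.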
what's the different between the processes dovecot-auth and dovecot -w
hi:

what's the difference between the processes dovecot-auth and dovecot -w? What's the function of each of them?

thanks
Googling: dovecot: auth-worker(default): pam_start() failed: Critical error - immediate abort
Howdy,

Googling:

dovecot: auth-worker(default): pam_start() failed: Critical error - immediate abort
dobbeltganger dovecot: auth-worker(default): pam(user,1.2.3.4): lookup service=dovecot
dobbeltganger out of memory [4543]

returns just 3 references.

Examining memory server side reveals use of virtual memory but not 100%

OS: Ubuntu 14.04 client 10.04 server-side.

Email client: Thunderbird (Thunderbird prompts for the password which has worked for years).

dovecot -n

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.34.1-rscloud x86_64 Ubuntu 10.04.4 LTS
log_timestamp: %Y-%m-%d %H:%M:%S
ssl: required
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-logina
login_processes_count: 5
login_max_processes_count: 256
mail_max_userip_connections: 40
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
mbox_write_locks: fcntl dotlock
auth default:
  realms: davidwbrown.name, karlbrown.name
  default_realm: dobbeltganger.com
  username_format: %n
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
Re: Crash in dovecot/auth with backtrace
* Timo Sirainen dovecot@dovecot.org:
> On 23 Apr 2015, at 17:34, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
>>
>> I'm seeing this odd crash with
>> USER\t531\t*@liquid-scan.de\tservice=quota-status
>>
>> Which looks like something is being tested against our quota-status --
>> but I fail to see why a NON LOCAL address is being tested
>
> Oh, that's not very good. Fixed: http://hg.dovecot.org/dovecot-2.2/rev/65f825a8cd0b

Thanks a lot :)

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Crash in dovecot/auth with backtrace
I'm seeing this odd crash with
USER\t531\t*@liquid-scan.de\tservice=quota-status

Which looks like something is being tested against our quota-status --
but I fail to see why a NON LOCAL address is being tested

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying
and show warranty for details.
This GDB was configured as i486-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/dovecot-2.2/libexec/dovecot/auth...done.
[New LWP 2289]
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/i386-linux-gnu/i686/cmov/libthread_db.so.1.
Core was generated by `dovecot/auth'.
Program terminated with signal 6, Aborted.
#0 0xb7724424 in __kernel_vsyscall ()
#0 0xb7724424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb74a0661 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = optimized out
        pid = -1218617356
        selftid = 2289
#2 0xb74a3a92 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0xbfd1c924, sa_sigaction = 0xbfd1c924}, sa_mask = {__val = {3077760610, 3218196756, 3076712520, 3218196744, 3077843556, 0, 3074764848, 1, 0, 1, 3077716256, 145215752, 1097, 3077184659, 3, 145244200, 1, 128, 0, 3218196816, 3218196744, 3218196756, 3218196764, 3077716256, 0, 3077194863, 145215720, 3076749582, 3077199789, 3077686824, 1097, 3077686824}}, sa_flags = 0, sa_restorer = 0xb76a5c2f internal_handler+527}
        sigs = {__val = {32, 0 repeats 31 times}}
#3 0xb76a624e in default_fatal_finish (type=optimized out, status=status@entry=0) at failures.c:202
        backtrace = 0x8a7c8d8 /usr/local/dovecot-2.2/lib/dovecot/libdovecot.so.0(+0x7825e) [0xb76a625e] - /usr/local/dovecot-2.2/lib/dovecot/libdovecot.so.0(+0x782e1) [0xb76a62e1] - /usr/local/dovecot-2.2/lib/dovecot/libdovecot
#4 0xb76a62e1 in i_internal_fatal_handler (ctx=0xbfd1c9f0, format=0x807a0c4 file %s: line %d (%s): assertion failed: (%s), args=0xbfd1ca14 \257j\a\b\371\004) at failures.c:671
        status = 0
#5 0xb76a6e5f in i_panic ( format=format@entry=0x807a0c4 file %s: line %d (%s): assertion failed: (%s)) at failures.c:276
        ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, timestamp_usecs = 0}
        args = 0xbfd1ca14 \257j\a\b\371\004
#6 0x0805873a in auth_request_set_login_username (request=0x8a945d8, username=0x8a7c548 , error_r=0xbfd1cad4) at auth-request.c:1273
        master_passdb = optimized out
        __FUNCTION__ = auth_request_set_login_username
#7 0x08054c44 in master_input_auth_request (conn=conn@entry=0x8aa18b8, args=args@entry=0x8a941c1 531\t*@liquid-scan.de\tservice=quota-status, cmd=cmd@entry=0x8076925 USER, request_r=request_r@entry=0xbfd1cad0, error_r=error_r@entry=0xbfd1cad4) at auth-master-connection.c:209
        auth_request = 0x8a945d8
        list = 0x8a7c53c
        name = optimized out
        arg = optimized out
        username = 0x8a7c504 *@liquid-scan.de
        id = 531
#8 0x0805539c in master_input_user ( args=0x8a941c1 531\t*@liquid-scan.de\tservice=quota-status, conn=0x8aa18b8) at auth-master-connection.c:306
        auth_request = 0x8a92e70
        error = 0x8ab8e81 31298
        ret = optimized out
#9 auth_master_input_line ( line=0x8a941bc USER\t531\t*@liquid-scan.de\tservice=quota-status, conn=0x8aa18b8) at auth-master-connection.c:615
No locals.
#10 master_input (conn=0x8aa18b8) at auth-master-connection.c:679
        _data_stack_cur_id = 3
        line = optimized out
        ret = 40
#11 0xb76baf8b in io_loop_call_io (io=0x8a92ba8) at ioloop.c:501
        ioloop = 0x8a844e8
        t_id = 2
        __FUNCTION__ = io_loop_call_io
#12 0xb76bc272 in io_loop_handler_run_internal (ioloop=ioloop@entry=0x8a844e8) at ioloop-epoll.c:220
        ctx = 0x8a8b500
        events = 0x8f1
        event = 0x8a8b558
        list = 0x8a92be0
        io = optimized out
        tv = {tv_sec = 0, tv_usec = 999856}
        events_count = error reading variable events_count (Could not find type for DW_OP_GNU_const_type)
        msecs = optimized out
        ret = 3
        i = optimized out
        j = optimized out
        call = optimized out
        __FUNCTION__ = io_loop_handler_run_internal
#13 0xb76bb01c in io_loop_handler_run (ioloop=ioloop@entry=0x8a844e8) at ioloop.c:548
No locals.
#14 0xb76bb0a8 in io_loop_run (ioloop=0x8a844e8) at ioloop.c:525
        __FUNCTION__ = io_loop_run
#15 0xb76527ae in master_service_run (service=0x8a84418, callback=0x8063df0 client_connected
Re: Crash in dovecot/auth with backtrace
On 23 Apr 2015, at 17:34, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
>
> I'm seeing this odd crash with
> USER\t531\t*@liquid-scan.de\tservice=quota-status
>
> Which looks like something is being tested against our quota-status --
> but I fail to see why a NON LOCAL address is being tested

Oh, that's not very good. Fixed: http://hg.dovecot.org/dovecot-2.2/rev/65f825a8cd0b
postfix sasl - haproxy - dovecot auth
Hello,

is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:

clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1, 20025:auth-backend-2

The configuration I have now gives me this error randomly:

535 5.7.8 Error: authentication failed: Connection lost to authentication server

This is probably because haproxy changes servers while the session is still active (postfix sasl doesn’t establish a new connection to the auth service every time a new auth request arrives).

Note that haproxy is between postfix and dovecot and is not facing clients directly, so there is no way to keep persistent connections by client ip.

# POSTFIX
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = inet:127.0.0.1:20025
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot

# HAPROXY
frontend postfix-sasl
    bind 127.0.0.1:20025
    default_backend dovecot-auth

backend dovecot-auth
    mode tcp
    option tcplog
    option srvtcpka
    hash-type consistent
    balance roundrobin
    server mail-backend-1 31.220.19.52:20025 check
    server mail-backend-2 31.220.19.53:20025 check
Re: postfix sasl - haproxy - dovecot auth
Edgaras Lukoševičius wrote on 2015-03-27 12:21:

> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
>
> clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1, 20025:auth-backend-2

configure cyrus-sasl as a remote imap client is more simple

if imap hostname is dns round robin it would be ha-avail already

keep postfix simple
Re: postfix sasl - haproxy - dovecot auth
Can’t dovecot authenticate against imap?

What I need is to make smtp authentication balanced and keep everything in backend (private network)

On 27 Mar 2015, at 13:29, Benny Pedersen m...@junc.eu wrote:

> Edgaras Lukoševičius wrote on 2015-03-27 12:21:
>
>> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
>>
>> clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1, 20025:auth-backend-2
>
> configure cyrus-sasl as a remote imap client is more simple
>
> if imap hostname is dns round robin it would be ha-avail already
>
> keep postfix simple
Re: postfix sasl - haproxy - dovecot auth
On 03/27/2015 07:21 AM, Edgaras Lukoševičius wrote:
> Hello,
>
> is it possible to configure haproxy to work with postfix sasl and dovecot auth like this:
>
> clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1, 20025:auth-backend-2

Why don't you set up a dovecot locally (with only auth service) on each postfix box?
Re: postfix sasl - haproxy - dovecot auth
Once upon a time, Edgaras Lukoševičius edgaras.lukosevic...@gmail.com said:
> What I need is to make smtp authentication balanced and keep everything in backend (private network)

If you have more than one Postfix server, each one must talk to its own private Dovecot server for auth. The Dovecot auth protocol includes a client (Postfix) assigned ID, and Postfix uses the process ID. If you have multiple Postfix servers talking to one Dovecot server, you'll get ID conflicts and dropped auths.

I ended up putting a local instance of Dovecot on each Postfix server, with no protocols configured except for auth. Not quite as HA, but I have my monitoring system doing SMTP AUTH (never have had a problem with the setup); you could probably have HAProxy do it as well (IIRC it can do some basic expect-style send/receive).

--
Chris Adams c...@cmadams.net