Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'

2022-01-30 Thread Aki Tuomi
You can probably use auth_default_realm for this, see 
https://doc.dovecot.org/settings/core/?highlight=realm#core_setting-auth_default_realm

Aki


> On 24/01/2022 20:05 da...@kosmosisland.com wrote:
> 
>  
> Hello Aki,
> 
> Thank you, that works.  But it doesn't solve my main problem.  Newer
> versions of Outlook started to parse the "@domain" out of the
> "user@domain" which yielded only "user".  I found that by prepending a '\'
> (backslash) it would yield "user@domain" correctly.  But with GSSAPI, the
> backslash fails and removing it allows for correct authentication of the
> whole user name including "@domain".  The problem now is having to
> configure all the many clients in the field that have the backslash
> prepended to the user name.  Is there a way around this with version 2.3?
> 
> Regards,
> David Koski
> da...@kosmosisland.com
> dko...@sutinen.com
> 
> >
> >
> > On 23 January 2022 1.29.43 UTC, David Koski 
> > wrote:
> >>Is NTLM now dead?  The Readme says:
> >>
> >>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek
> >> (48d6f7282)
> >>
> >>     auth: Remove ntlm mechanism & the LANMAN and NTLM password
> >> schemes
> >>
> >>>
> >>> Regards,
> >>> David Koski
> >>>
> >>
> >
> > You should use GSSAPI instead.
> >
> > Aki
> >


Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'

2022-01-24 Thread david
Hello Aki,

Thank you, that works.  But it doesn't solve my main problem.  Newer
versions of Outlook started to parse the "@domain" out of the
"user@domain" which yielded only "user".  I found that by prepending a '\'
(backslash) it would yield "user@domain" correctly.  But with GSSAPI, the
backslash fails and removing it allows for correct authentication of the
whole user name including "@domain".  The problem now is having to
configure all the many clients in the field that have the backslash
prepended to the user name.  Is there a way around this with version 2.3?

Regards,
David Koski
da...@kosmosisland.com
dko...@sutinen.com

>
>
> On 23 January 2022 1.29.43 UTC, David Koski 
> wrote:
>>Is NTLM now dead?  The Readme says:
>>
>>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek
>> (48d6f7282)
>>
>>     auth: Remove ntlm mechanism & the LANMAN and NTLM password
>> schemes
>>
>>>
>>> Regards,
>>> David Koski
>>>
>>
>
> You should use GSSAPI instead.
>
> Aki
>




Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'

2022-01-22 Thread Aki Tuomi



On 23 January 2022 1.29.43 UTC, David Koski  wrote:
>Is NTLM now dead?  The Readme says:
>
>2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek 
> (48d6f7282)
>
>     auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes
>
>>
>> Regards,
>> David Koski
>>
>

You should use GSSAPI instead. 

Aki


Re: NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'

2022-01-22 Thread David Koski

Is NTLM now dead?  The Readme says:

2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek 
 (48d6f7282)


    auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes

M   COPYING
M   configure.ac
M   src/Makefile.am
M   src/auth/Makefile.am
D   src/auth/mech-ntlm.c
M   src/auth/mech.c
M   src/auth/password-scheme.c
M   src/auth/test-libpassword.c
M   src/auth/test-mech.c
M   src/doveadm/Makefile.am
D   src/lib-ntlm/Makefile.am
D   src/lib-ntlm/ntlm-des.c
D   src/lib-ntlm/ntlm-des.h
D   src/lib-ntlm/ntlm-encrypt.c
D   src/lib-ntlm/ntlm-encrypt.h
D   src/lib-ntlm/ntlm-flags.h
D   src/lib-ntlm/ntlm-message.c
D   src/lib-ntlm/ntlm-message.h
D   src/lib-ntlm/ntlm-types.h
D   src/lib-ntlm/ntlm.h

David

On 1/22/22 4:22 PM, David Koski wrote:
After upgrading Debian to 11 I found Dovecot at version 2.3.13 
(89f716dc2).  Now auth method NTLM fails and is not even listed:


# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA 
DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 
SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 MD5 PBKDF2 
SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5


/var/log/dovecot.log
Jan 22 16:20:32 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:32 master: Error: service(auth): command startup failed, 
throttling for 2.000 secs

Jan 22 16:20:34 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:34 master: Error: service(auth): command startup failed, 
throttling for 4.000 secs

Jan 22 16:20:38 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:38 master: Error: service(auth): command startup failed, 
throttling for 8.000 secs

Jan 22 16:20:46 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:46 master: Error: service(auth): command startup failed, 
throttling for 16.000 secs


# doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
# Hostname: imail.khmfdbyekekelj1rmytwnfh1bc.dx.internal.cloudapp.net
auth_mechanisms = plain login ntlm
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext

namespace compat {
  alias_for =
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_plugins = " quota trash sieve"
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = 



NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'

2022-01-22 Thread David Koski
After upgrading Debian to 11 I found Dovecot at version 2.3.13 
(89f716dc2).  Now auth method NTLM fails and is not even listed:


# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA 
DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 
SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 MD5 PBKDF2 SHA256 
CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5


/var/log/dovecot.log
Jan 22 16:20:32 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:32 master: Error: service(auth): command startup failed, 
throttling for 2.000 secs

Jan 22 16:20:34 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:34 master: Error: service(auth): command startup failed, 
throttling for 4.000 secs

Jan 22 16:20:38 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:38 master: Error: service(auth): command startup failed, 
throttling for 8.000 secs

Jan 22 16:20:46 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:46 master: Error: service(auth): command startup failed, 
throttling for 16.000 secs


# doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
# Hostname: imail.khmfdbyekekelj1rmytwnfh1bc.dx.internal.cloudapp.net
auth_mechanisms = plain login ntlm
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart extracttext

namespace compat {
  alias_for =
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_plugins = " quota trash sieve"
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = 
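
An added example, not part of the original thread and not Dovecot code: a Python check that parses `doveconf -n` output, flags any configured mechanism removed by the commit quoted in this thread (the cause of the auth startup failure in the log), and lists each unix_listener's owner and mode for review. The sample configuration is constructed from the posted one; the function names are hypothetical.

```python
# Added example: audit `doveconf -n` output before or after an upgrade.

# Mechanism removed by the commit quoted in the thread (48d6f7282).
REMOVED_MECHANISMS = {"ntlm"}

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE = """\
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login ntlm
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
"""


def parse_doveconf(text):
    """Parse `doveconf -n` output into nested dicts.

    A section is stored under "type name" (e.g. "unix_listener auth-client");
    a repeated section (two passdb blocks) gets a " #2", " #3" suffix.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            name = " ".join(line[:-1].split())
            key, n = name, 2
            while key in stack[-1]:
                key = f"{name} #{n}"
                n += 1
            child = {}
            stack[-1][key] = child
            stack.append(child)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def removed_mechanisms(conf):
    """Return configured auth mechanisms that the auth service no longer knows."""
    # `doveconf -n` omits defaults; Dovecot's default mechanism list is "plain".
    configured = conf.get("auth_mechanisms", "plain").lower().split()
    return [m for m in configured if m in REMOVED_MECHANISMS]


def unix_listeners(conf):
    """List every service's unix_listener with owner, group and mode."""
    found = []
    for skey, service in conf.items():
        if not (isinstance(service, dict) and skey.startswith("service ")):
            continue
        for lkey, listener in service.items():
            if not (isinstance(listener, dict) and lkey.startswith("unix_listener ")):
                continue
            # A missing mode means the built-in default applies; report it as None.
            mode = int(listener["mode"], 8) if "mode" in listener else None
            found.append({
                "service": skey.split(" ", 1)[1],
                "path": lkey.split(" ", 1)[1],
                "user": listener.get("user", ""),
                "group": listener.get("group", ""),
                "mode": mode,
                # True when the socket's own mode grants access to "other";
                # the directories above it can still restrict who reaches it.
                "other_rw": None if mode is None else bool(mode & 0o006),
            })
    return found


if __name__ == "__main__":
    conf = parse_doveconf(SAMPLE)
    for mech in removed_mechanisms(conf):
        print(f"auth_mechanisms lists removed mechanism: {mech}")
    for l in unix_listeners(conf):
        mode = "default" if l["mode"] is None else format(l["mode"], "04o")
        print(f"{l['service']}: {l['path']} user={l['user']} "
              f"group={l['group']} mode={mode} other_rw={l['other_rw']}")
```
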

RE: Unable to authenticate on Dovecot - auth-userdb issue?

2020-01-11 Thread Mark ADAMS
uth-userdb {
group =
mode = 0666
user = $default_internal_user
 }
  user = dovecot
}
service imap-login {
  inet_listener imap {
port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
service stats {
  unix_listener stats-reader {
group = mail
mode = 0666
  }
  unix_listener stats-writer {
group = mail
mode = 0666
  }
}
ssl = required
ssl_cert = mailto:ad+li...@uni-x.org>
Sent: Friday, January 10, 2020 11:34 AM
To: Mark ADAMS<mailto:mada...@msn.com>
Subject: Re: Unable to authenticate on Dovecot - auth-userdb issue?

Mark,

first of all: please take care to whom you reply. Do not communicate
directly with my list mail address. Please keep the discussion on the
dovecot list. Thanks.


On 09.01.2020 at 18:29, Mark ADAMS wrote:
> At this point, passdb does not support lookups according to the log. Is there 
> something else I should be looking at?
>
> I’ve worked on this and seem to be making little progress. A sample 
> transaction log looks like this:
>
>
> Jan 09 10:22:32 shuttle dovecot[26851]: master: Warning: SIGHUP received - 
> reloading configuration
> Jan 09 10:23:04 shuttle postfix/smtpd[5448]: connect from pvr[192.168.1.103]
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Loading modules from 
> directory: /usr/lib64/dovecot/modules/auth
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Module loaded: 
> /usr/lib64/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: Read auth token secret 
> from /run/dovecot/auth-token-secret.dat
> Jan 09 10:23:04 shuttle dovecot[5432]: auth: Debug: auth client connected 
> (pid=0)
> Jan 09 10:23:20 shuttle postfix/smtpd[5448]: 0C6BF4A6302: 
> client=pvr[192.168.1.103]
> Jan 09 10:23:30 shuttle postfix/cleanup[5459]: 0C6BF4A6302: message-id=<>
> Jan 09 10:23:30 shuttle postfix/qmgr[1385]: 0C6BF4A6302: from=, 
> size=180, nrcpt=1 (queue active)
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: master in: USER1  
>   root@shuttleservice=lda
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: static(root): Performing 
> userdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): Performing 
> passdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): passdb doesn't 
> support credential lookups
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: pam(root): Finished 
> passdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Error: static(root): passdb 
> doesn't support lookups, can't verify user's existence
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: static(root): Finished 
> userdb lookup
> Jan 09 10:23:30 shuttle dovecot[5432]: auth: Debug: userdb out: FAIL1
> Jan 09 10:23:30 shuttle dovecot[5466]: lda(root@shuttle)<5466><>: Error: 
> auth-master: userdb lookup(root@shuttle): Auth USER lookup failed
> Jan 09 10:23:30 shuttle dovecot[5466]: lda: Fatal: Internal error occurred. 
> Refer to server log for more information.
> Jan 09 10:23:30 shuttle postfix/pipe[5465]: 0C6BF4A6302: to=, 
> relay=dovecot, delay=17, delays=17/0.01/0/0.06, dsn=4.3.0, status=deferred 
> (tempora>
> Jan 09 10:23:31 shuttle sshd[5468]: Connection closed by 192.168.1.100 port 
> 48324 [preauth]
> Jan 09 10:23:31 shuttle postfix/smtpd[5448]: disconnect from 
> pvr[192.168.1.103] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>
>
> My current dovecot configuration looks like this:
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # OS: Linux 5.4.6-desktop-2.mga7 x86_64 Mageia 7
> # Hostname: shuttle
> auth_debug_passwords = yes
> auth_username_format = %Ln
> disable_plaintext_auth = no
> first_valid_uid = 0
> last_valid_uid = 10001
> mail_gid = 10001
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> mail_uid = 10001
> namespace inbox {
>inbox = yes
>location =
>mailbox Drafts {
>  special_use = \Drafts
>}
>mailbox Junk {
>  special_use = \Junk
>}
>mailbox Sent {
>  special_use = \Sent
>}
>mailbox "Sent Messages" {
>  special_use = \Sent
>}
>mailbox Trash {
>  special_use = \Trash
>}
>prefix =
> }
> passdb {
>args = %s
>driver = pam
> }
> plugin {
>sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> service anvil {
>unix_listener anvil {
>  group = mail
>  mode = 0666
>}
> }
> service auth-worker {
>user = vmail
> }
> service auth {
>unix_listener /var/

Re: Unable to authenticate on Dovecot - auth-userdb issue?

2020-01-03 Thread Alexander Dalloz

On 03.01.2020 at 03:27, Mark ADAMS wrote:

Jan 02 18:47:37 shuttle dovecot[6744]: lda(root@shuttle)<6744><>: Error: 
auth-master: userdb lookup(root@shuttle): connect(/run/dovecot/auth-userdb) failed: 
Permission denied (euid=8(mail) egid=12(mail) missing +r perm: /run/dovecot/auth-userdb, 
dir owned by 0:0 mode=0755)


Run "namei -lv /run/dovecot/auth-userdb" to check the permissions of the  
complete path. The auth-userdb socket actually is owned mail:mail  
according to your error logging. Is dovecot member of the mail group?


Actually it does not match the config details you have pasted:

  unix_listener auth-userdb {
group = dovecot
mode = 0600
user = vmail
  }

On my side it looks like this and I have not custom configured that  
part. The defaults are:


  unix_listener auth-userdb {
group =
mode = 0666
user = $default_internal_user
  }

So on my system the permissions look like this:

# namei -lv /var/run/dovecot/auth-userdb
f: /var/run/dovecot/auth-userdb
dr-xr-xr-x root    root    /
drwxr-xr-x root    root    var
drwxr-xr-x root    root    run
drwxr-xr-x root    dovecot dovecot
srw-rw-rw- dovecot root    auth-userdb


Jan 02 18:47:37 shuttle dovecot[6744]: lda: Fatal: Internal error occurred. 
Refer to server log for more information.
Jan 02 18:47:37 shuttle postfix/pipe[6743]: 6345D4A4A97: to=, 
relay=dovecot, delay=1.1, delays=1.1/0.01/0/0.06, dsn=4.3.0, status=deferred 
(temporary failure. Command output: lda(root@shuttle): Error: 
net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied )
^C



Note: this error references "/run/dovecot/auth-userdb". That isn't even supposed to be 
the location of that file. I have no idea why that location shows up.  The correct location should 
be "/etc/dovecot/auth-userdb". The file does exist at that location.


Mark,

I have no idea why you expect the dovecot sockets to be located inside  
/etc/dovecot/. /etc is the FHS location for configurations. /run or  
/var/run (typically a symlink on modern linux distributions) is the  
right location for runtime files like service sockets.


You say /etc/dovecot/auth-userdb exists. Am I correct to guess that you  
have created that manually with whatever content?


Alexander
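
An added example, not part of the original message: a Python sketch of the check that `namei -l` supports by eye, walking every component of a socket path and reporting the first one that denies a given uid/gid. It assumes plain mode bits only (no ACLs or capabilities), and the function names are hypothetical. On Linux, connecting to a UNIX socket needs search permission on each directory and write permission on the socket itself.

```python
import os
import stat


def _class_bits(st, uid, gids):
    """Return the rwx bits (0-7) of the permission class that applies to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7      # group class
    return st.st_mode & 7                 # other class


def walk_permissions(path, uid, gids, start="/"):
    """Check every component from `start` down to `path` for the given identity.

    Returns (rows, blocker): rows are (mode string, owner uid, owner gid,
    component path, ok) in namei order; blocker is the first component that
    denies access, or None if the identity can reach and connect to the socket.
    """
    path = os.path.realpath(path)         # resolve symlinks such as /var/run -> /run
    start = os.path.realpath(start)
    rel = os.path.relpath(path, start)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError(f"{path} is not below {start}")
    parts = [] if rel == os.curdir else rel.split(os.sep)

    rows, blocker, current = [], None, start
    for i in range(len(parts) + 1):
        if i:
            current = os.path.join(current, parts[i - 1])
        st = os.stat(current)
        # Directories need search (x); the socket itself needs write (w) to connect.
        need = 1 if stat.S_ISDIR(st.st_mode) else 2
        # uid 0 bypasses discretionary permission checks.
        ok = uid == 0 or (_class_bits(st, uid, gids) & need) == need
        rows.append((stat.filemode(st.st_mode), st.st_uid, st.st_gid, current, ok))
        if not ok and blocker is None:
            blocker = current
    return rows, blocker


if __name__ == "__main__":
    # Identity and path taken from the error in the thread: euid=8(mail) egid=12(mail).
    target = "/run/dovecot/auth-userdb"
    if os.path.exists(target):
        rows, blocker = walk_permissions(target, uid=8, gids={12})
        for mode, owner, group, component, ok in rows:
            print(f"{mode} {owner:>6} {group:>6} {component} {'ok' if ok else 'DENIED'}")
        print("blocked at:", blocker)
    else:
        print(f"{target} does not exist on this host")
```
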



Unable to authenticate on Dovecot - auth-userdb issue?

2020-01-02 Thread Mark ADAMS
Some general information:

Mageia Linux 5.4.6-desktop-2.mga7

2.3.7.2 (3c910f64b)

postfix + dovecot + mysql

192.168.1.105 (shuttle) the email server machine
192.168.1.103 (pvr) the mail client machine


I am unable to authenticate to send email. I've looked at postfix but I can't 
get past dovecot's authentication. Here is what I'm seeing in logs:

Jan 02 18:46:47 shuttle sshd[6660]: Connection closed by 192.168.1.100 port 
48506 [preauth]
Jan 02 18:47:05 shuttle postfix/smtpd[6352]: connect from pvr[192.168.1.103]
Jan 02 18:47:16 shuttle postfix/smtpd[6352]: lost connection after CONNECT from 
pvr[192.168.1.103]
Jan 02 18:47:16 shuttle postfix/smtpd[6352]: disconnect from pvr[192.168.1.103] 
commands=0/0
Jan 02 18:47:36 shuttle postfix/smtpd[6352]: connect from pvr[192.168.1.103]
Jan 02 18:47:36 shuttle postfix/smtpd[6352]: 6345D4A4A97: 
client=pvr[192.168.1.103]
Jan 02 18:47:37 shuttle postfix/cleanup[6500]: 6345D4A4A97: message-id=<>
Jan 02 18:47:37 shuttle postfix/qmgr[1385]: 6345D4A4A97: from=, 
size=485, nrcpt=1 (queue active)
Jan 02 18:47:37 shuttle postfix/smtpd[6352]: disconnect from pvr[192.168.1.103] 
helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 02 18:47:37 shuttle dovecot[6744]: lda(root@shuttle)<6744><>: Error: 
auth-master: userdb lookup(root@shuttle): connect(/run/dovecot/auth-userdb) 
failed: Permission denied (euid=8(mail) egid=12(mail) missing +r perm: 
/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
Jan 02 18:47:37 shuttle dovecot[6744]: lda: Fatal: Internal error occurred. 
Refer to server log for more information.
Jan 02 18:47:37 shuttle postfix/pipe[6743]: 6345D4A4A97: to=, 
relay=dovecot, delay=1.1, delays=1.1/0.01/0/0.06, dsn=4.3.0, status=deferred 
(temporary failure. Command output: lda(root@shuttle): Error: 
net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied )
^C



Note: this error references "/run/dovecot/auth-userdb". That isn't even 
supposed to be the location of that file. I have no idea why that location 
shows up.  The correct location should be "/etc/dovecot/auth-userdb". The file 
does exist at that location.

There is no "base_dir" configured in /etc/dovecot/dovecot.conf. When I do try 
and point the configuration at the correct base_dir, I get this when I try to 
restart dovecot:


-- The unit dovecot.service has entered the 'failed' state with result 
'exit-code'.
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(aggregator): 
unlink(/etc/dovecot/replication-notify-fifo) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(pop3): 
unlink(/etc/dovecot/login/pop3) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): 
unlink(/etc/dovecot/old-stats) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): 
unlink(/etc/dovecot/old-stats-mail) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(old-stats): 
unlink(/etc/dovecot/old-stats-user) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(log): 
unlink(/etc/dovecot/log-errors) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(lmtp): 
unlink(/etc/dovecot/lmtp) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(ipc): 
unlink(/etc/dovecot/ipc) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(ipc): 
unlink(/etc/dovecot/login/ipc-proxy) failed: Read-only file system
Jan 02 18:51:50 shuttle dovecot[7226]: master: Error: service(indexer-worker): 
unlink(/etc/dovecot/indexer-worker) failed: Read-only file system

And there are about 30 lines of "read-only file system" errors.  I haven't been 
able to track down the cause of that.

Once the line "base_dir = /etc/dovecot" is commented out in 
/etc/dovecot/dovecot.conf, I can start dovecot:

# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor 
preset: disabled)
   Active: active (running) since Thu 2020-01-02 18:54:15 MST; 5s ago
 Docs: man:dovecot(1)
   http://wiki2.dovecot.org/
 Main PID: 7550 (dovecot)
   Memory: 3.8M
   CGroup: /system.slice/dovecot.service
   ├─7550 /usr/sbin/dovecot -F
   ├─7554 dovecot/anvil
   ├─7555 dovecot/log
   └─7556 dovecot/config

Jan 02 18:54:15 shuttle systemd[1]: Started Dovecot IMAP/POP3 email server.
Jan 02 18:54:15 shuttle dovecot[7550]: master: Dovecot v2.3.7.2 (3c910f64b) 
starting up for imap, pop3, lmtp
Jan 02 18:54:15 shuttle dovecot[7550]: master: Error: 
t_readlink(/etc/dovecot/dovecot.conf) failed: readlink() failed: Invalid 
argument


I have no idea what's up with the t_readlink error. Might be related to the 
errors above. I can't really fin

Dovecot auth crashing??

2019-12-13 Thread Odhiambo Washington
Dovecot-2.3.9

I am seeing a lot of the following on my logs:

Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 09:16:25 auth: Warning: Event 0x827d6e20 leaked (parent=0x827d4220):
auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x827d6420 leaked (parent=0x827d4820):
auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x82780c20 leaked (parent=0x827d6220):
auth-request.c:878
Dec 13 09:16:25 auth: Warning: Event 0x827d6c20 leaked (parent=0x827d4220):
auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d4220 leaked (parent=0x827d6a20):
auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x827d6a20 leaked (parent=0x0):
auth-client-connection.c:338
Dec 13 09:16:25 auth: Warning: Event 0x827d4c20 leaked (parent=0x827d4820):
auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d4820 leaked (parent=0x827fe620):
auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x827fe620 leaked (parent=0x0):
auth-client-connection.c:338
Dec 13 09:16:25 auth: Warning: Event 0x827ff420 leaked (parent=0x827d6220):
auth-request.c:115
Dec 13 09:16:25 auth: Warning: Event 0x827d6220 leaked (parent=0x82780e20):
auth-request.c:114
Dec 13 09:16:25 auth: Warning: Event 0x82780e20 leaked (parent=0x0):
auth-client-connection.c:338
Dec 13 11:27:29 master: Warning: Killed with signal 15 (by pid=9326 uid=0
code=kill)
Dec 13 11:27:37 master: Warning: Killed with signal 15 (by pid=16518 uid=0
code=kill)
Dec 13 11:27:38 auth: Error: net_connect_unix(auth-worker) failed: No such
file or directory
Dec 13 11:27:39 auth: Error: net_connect_unix(auth-worker) failed: No such
file or directory
Dec 13 11:27:59 auth: Error:
net_connect_unix(/var/run/dovecot//stats-writer) failed: No such file or
directory
Dec 13 11:27:59 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 11:27:59 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 11:27:59 auth: Warning: Event 0x82781a20 leaked (parent=0x827d4620):
auth-request.c:878
Dec 13 11:27:59 auth: Warning: Event 0x827d4220 leaked (parent=0x827d4820):
auth-request.c:878
Dec 13 11:27:59 auth: Warning: Event 0x82780e20 leaked (parent=0x827d4620):
auth-request.c:115
Dec 13 11:27:59 auth: Warning: Event 0x827d4620 leaked (parent=0x827d0820):
auth-request.c:114
Dec 13 11:27:59 auth: Warning: Event 0x827d0820 leaked (parent=0x0):
auth-client-connection.c:338
Dec 13 11:27:59 auth: Warning: Event 0x82781220 leaked (parent=0x827d4820):
auth-request.c:115
Dec 13 11:27:59 auth: Warning: Event 0x827d4820 leaked (parent=0x827d0c20):
auth-request.c:114
Dec 13 11:27:59 auth: Warning: Event 0x827d0c20 leaked (parent=0x0):
auth-client-connection.c:338
Dec 13 11:28:07 auth: Warning: Timeout leak: 0x105fb00
(auth-request-handler.c:584)
Dec 13 11:28:07 auth: Warning: Event 0x82780c20 leaked (parent=0x82781c20):
auth-request.c:878
Dec 13 11:28:07 auth: Warning: Event 0x82781e20 leaked (parent=0x82781c20):
auth-request.c:115
Dec 13 11:28:07 auth: Warning: Event 0x82781c20 leaked (parent=0x82781a20):
auth-request.c:114
Dec 13 11:28:07 auth: Warning: Event 0x82781a20 leaked (parent=0x0):
auth-client-connection.c:338



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


RE: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread John Stoffel via dovecot


Marc> I am sure resolving works fine. I tested this in a running mesos
Marc> container, but also in docker run[1]. I need to have the search
Marc> local option in resolve.conf.

Marc> It was actually working, until I started adding the proxy for
Marc> managesieve, but when I reverted, it still does not work. I
Marc> think the building from cache misled me.

Can you post more of the logs by any chance, especially from the
startup?  And are you sure you reverted all the config completely?  

Marc> I suspect this is a different problem, that at some point is
Marc> giving this error. Maybe I need some specific config for the
Marc> dns-client socket.

Maybe, I really don't know docker at all, or how to work with it.
Haven't had a need.

Marc> PS. This is just a proxy I need temporary. But I am thinking of
Marc> creating a container that directly connects to ceph storage so
Marc> you do not need any local storage.

That might do the trick, but I'd first just get the base install
working again, and maybe post your config from before and after so
people can get a better idea of what you're trying to do here. 

Marc> [1]
Marc> docker run --dns-search='local' -v /dev/log:/dev/log -it dovecot-proxy 
Marc> bash

Marc> [2]
Marc> passdb {
Marc>   driver = ldap
Marc>   args = /etc/dovecot/dovecot-ldap.conf.ext
Marc>   default_fields = proxy=y host=svr1
Marc> }

Marc> -Original Message-
Marc> From: John Stoffel [mailto:j...@stoffel.org] 
Marc> Sent: Saturday 30 November 2019 20:51
Marc> To: Marc Roos
Marc> Cc: dovecot
Marc> Subject: Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does 
Marc> not resolve


Marc> I had a working container with dovecot configured as proxy. And 
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'
Marc> Pinging/nslookup these hostnames is ok

Marc> Does nslookup work inside the container?  Sounds to me like the setup 
Marc> isn't working properly, but it's hard to know unless you give us more 
Marc> details.  Can you spin up another container with the same config but not 
Marc> running dovecot to do a check on DNS resolution?

Marc> Do the container's logs give you more details?  How often do you 
Marc> stop/restart the container?  I would think that Dovecot in a container 
Marc> isn't really ideal since you need to access the mailstores, and somehow 
Marc> you get email delivered to the mailstore by postfix/sendmail/exim or 
Marc> some other tool.

Marc> John




RE: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread Marc Roos via dovecot
 
I am sure resolving works fine. I tested this in a running mesos 
container, but also in docker run[1]. I need to have the search local 
option in resolve.conf. 

It was actually working, until I started adding the proxy for 
managesieve, but when I reverted, it still does not work. I think the 
building from cache misled me.

I suspect this is a different problem, that at some point is giving this 
error. Maybe I need some specific config for the dns-client socket. 

PS. This is just a proxy I need temporary. But I am thinking of creating 
a container that directly connects to ceph storage so you do not need 
any local storage. 

[1]
docker run --dns-search='local' -v /dev/log:/dev/log -it dovecot-proxy 
bash

[2]
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = proxy=y host=svr1
}

-Original Message-
From: John Stoffel [mailto:j...@stoffel.org] 
Sent: Saturday 30 November 2019 20:51
To: Marc Roos
Cc: dovecot
Subject: Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does 
not resolve


Marc> I had a working container with dovecot configured as proxy. And 
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'
Marc> Pinging/nslookup these hostnames is ok

Does nslookup work inside the container?  Sounds to me like the setup 
isn't working properly, but it's hard to know unless you give us more 
details.  Can you spin up another container with the same config but not 
running dovecot to do a check on DNS resolution?

Do the container's logs give you more details?  How often do you 
stop/restart the container?  I would think that Dovecot in a container 
isn't really ideal since you need to access the mailstores, and somehow 
you get email delivered to the mailstore by postfix/sendmail/exim or 
some other tool.

John




Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread John Stoffel via dovecot


Marc> I had a working container with dovecot configured as proxy. And
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'
Marc> Pinging/nslookup these hostnames is ok

Does nslookup work inside the container?  Sounds to me like the setup
isn't working properly, but it's hard to know unless you give us more
details.  Can you spin up another container with the same config but
not running dovecot to do a check on DNS resolution?

Do the container's logs give you more details?  How often do you
stop/restart the container?  I would think that Dovecot in a container
isn't really ideal since you need to access the mailstores, and
somehow you get email delivered to the mailstore by
postfix/sendmail/exim or some other tool.

John


dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread Marc Roos via dovecot


I had a working container with dovecot configured as proxy. And all of a 
sudden I am getting these messages 'dovecot: auth: Error: DNS lookup for 
roosit03 failed: Name does not resolve'
Pinging/nslookup these hostnames is ok



Re: Dovecot auth

2019-11-26 Thread Aki Tuomi via dovecot


On 26.11.2019 17.39, j.emerlik via dovecot wrote:
> Hi,
> is it possible to configure a post-login script for Service auth?
> I would like to run post script after successful login to postfix (smtp).
> Regards,
> Jack
>
With recent dovecot you can write a Lua script to be run as part of
authentication that might be able to do this.

Aki



Dovecot auth

2019-11-26 Thread j.emerlik via dovecot
Hi,
is it possible to configure a post-login script for Service auth?
I would like to run post script after successful login to postfix (smtp).
Regards,
Jack


Re: dovecot auth error: Illegal seek

2018-04-03 Thread panetta

Thanks Aki for the answer.

I did some tests and found a solution. I write down my experience. It 
could be useful to someone.


First I put "passwd-file" passdb (only) before "pam" passdb, as Aki 
suggested,

but "illegal seek error" persisted.

Then I put both "passwd-file" passdb and "static" userdb before "pam" 
passdb and "passwd" userdb (used for local user),
but that generated a strange behavior because "static" driver overrides 
info also for local user.


Finally I put both "passwd-file" passdb and "passwd-file" userdb 
before "pam" and "passwd"

and that works without errors.

My working dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
passdb {
  driver = pam
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = to avoid writing uid,gid,home for each user, but in the end, with 
passwd-file and

override_fields i got the desired scenario.

Regards,
Claudio


On 30/03/18 14:27, Aki Tuomi wrote:

On 30 March 2018 at 15:11 panetta <pane...@mat.unical.it> wrote:


Hi,

I recently configured dovecot to manage auth
for both local and virtual user.
When i login as a virtual user (claudio.panetta) I get the following
message:

dovecot: auth: Error:
passwd(claudio.panetta,160.97.62.1,): getpwnam()
failed: Illegal seek

but login is ok and sending/receiving email is ok,
how can, if possible, I suppress this error message?

In the following my dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
    driver = pam
}
passdb {
    args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
    driver = passwd-file
}
protocols = " imap"
service auth {
    unix_listener /var/spool/postfix/private/auth {
      group = postfix
      mode = 0660
      user = postfix
    }
    user = root
}
service imap-login {
    inet_listener imap {
      port = 0
    }
}
ssl_cert = 
Hi! Put the file based passdb before the pam one. Also not sure what you are 
trying to do with the static userdb. It looks like you wanted to use 
passwd-file?

Aki




Re: dovecot auth error: Illegal seek

2018-03-30 Thread Aki Tuomi

> On 30 March 2018 at 15:11 panetta <pane...@mat.unical.it> wrote:
> 
> 
> Hi,
> 
> I recently configured dovecot to manage auth
> for both local and virtual user.
> When i login as a virtual user (claudio.panetta) I get the following 
> message:
> 
> dovecot: auth: Error: 
> passwd(claudio.panetta,160.97.62.1,): getpwnam() 
> failed: Illegal seek
> 
> but login is ok and sending/receiving email is ok,
> how can, if possible, I suppress this error message?
> 
> In the following my dovecot config:
> 
> host-prompt# dovecot -n
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
> auth_mechanisms = plain login
> auth_username_format = %Ln
> listen = *
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> login_greeting = Server ready.
> mail_full_filesystem_access = yes
> mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
> mail_privileged_group = mail
> passdb {
>    driver = pam
> }
> passdb {
>    args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
>    driver = passwd-file
> }
> protocols = " imap"
> service auth {
>    unix_listener /var/spool/postfix/private/auth {
>      group = postfix
>      mode = 0660
>      user = postfix
>    }
>    user = root
> }
> service imap-login {
>    inet_listener imap {
>      port = 0
>    }
> }
> ssl_cert = 
> ssl_key = 
> userdb {
>    driver = passwd
> }
> userdb {
>    args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail 
> home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir
>    driver = static
> }
> verbose_proctitle = yes
> 
> host-prompt# cat /etc/dovecot/users
> claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
> ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst
> 
> Regards,
> Claudio
> 
>

Hi! Put the file based passdb before the pam one. Also not sure what you are 
trying to do with the static userdb. It looks like you wanted to use 
passwd-file?

Aki


dovecot auth error: Illegal seek

2018-03-30 Thread panetta

Hi,

I recently configured dovecot to manage auth
for both local and virtual user.
When i login as a virtual user (claudio.panetta) I get the following 
message:


dovecot: auth: Error: 
passwd(claudio.panetta,160.97.62.1,): getpwnam() 
failed: Illegal seek


but login is ok and sending/receiving email is ok,
how can, if possible, I suppress this error message?

In the following my dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert =   args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail 
home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir

  driver = static
}
verbose_proctitle = yes

host-prompt# cat /etc/dovecot/users
claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst

Regards,
Claudio




Re: dovecot auth and horde webmail

2018-02-24 Thread Aki Tuomi
This sounds awfully like a problem in Horde.

Aki

> On 24 February 2018 at 01:21 David Mehler  wrote:
> 
> 
> Hello,
> 
> I'm not sure if this is a Dovecot-specific question, or Postfix or
> Horde webmail. As Dovecot is used for authenticating both Postfix as
> well as horde I thought i'd start here.
> 
> I've got a new horde webmail install going on a FreeBSD 11.1 jail.
> I've got Dovecot set up so that it appends a domain name if one is not
> given, so that user and u...@example.com can both log in.
> 
> When I logged in with horde webmail I used for the first attempt
> username with no @example.com suffix. I logged in ok, but couldn't
> send an email, gave me a weird error no address associated with host.
> I logged out, logged back in using u...@example.com the full address,
> and this time the message sending went through.
> 
> Any ideas or if this is not a Dovecot question let me know, as that
> means I'll have two other places to try.
> 
> Thanks.
> Dave.
> 
> doveconf -n
> # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: FreeBSD 11.1-RELEASE-p4 amd64
> auth_cache_size = 16 k
> auth_default_realm = example.com
> auth_mechanisms = plain login
> auth_realms = example.com example2.com
> dict {
>   acl = mysql:/usr/local/etc/dovecot/shared-folders.conf
>   sqlquota = mysql:/usr/local/etc/dovecot/quota.conf
> }
> first_valid_gid = 999
> first_valid_uid = 999
> hostname = mail.example.com
> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
> last_valid_gid = 999
> last_valid_uid = 999
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> listen = 127.0.0.1 xxx.xxx.xxx.xxx
> lmtp_rcpt_check_quota = yes
> mail_access_groups = vmail
> mail_fsync = never
> mail_gid = vmail
> mail_home = /home/vmail/%d/%n
> mail_location = maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/
> mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome 
> zlib
> mail_server_admin = mailto:postmas...@example.com
> mail_uid = vmail
> mailbox_list_index = yes
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
> namespace {
>   hidden = no
>   list = yes
>   location = 
> maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
>   mailbox TestFolder {
> auto = subscribe
> comment = Public Folder for message sharing
>   }
>   prefix = public/
>   separator = /
>   subscriptions = yes
>   type = public
> }
> namespace {
>   list = yes
>   location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln
>   prefix = shared/%%u/
>   separator = /
>   subscriptions = yes
>   type = shared
> }
> namespace {
>   location = virtual:/usr/local/etc/dovecot/virtual
>   mailbox All {
> auto = subscribe
> comment = All my messages
> special_use = \All
>   }
>   prefix = virtual/
>   separator = /
> }
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Archive {
> auto = no
> special_use = \Archive
>   }
>   mailbox Archives {
> auto = subscribe
> special_use = \Archive
>   }
>   mailbox "Deleted Messages" {
> auto = no
> autoexpunge = 30 days
> special_use = \Trash
>   }
>   mailbox Drafts {
> auto = subscribe
> special_use = \Drafts
>   }
>   mailbox Junk {
> auto = no
> autoexpunge = 30 days
> special_use = \Junk
>   }
>   mailbox "Junk E-mail" {
> auto = no
> autoexpunge = 30 days
> special_use = \Junk
>   }
>   mailbox Sent {
> auto = subscribe
> special_use = \Sent
>   }
>   mailbox "Sent Items" {
> auto = no
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> auto = no
> special_use = \Sent
>   }
>   mailbox Spam {
> auto = subscribe
> autoexpunge = 30 days
> special_use = \Junk
>   }
>   mailbox Trash {
> auto = subscribe
> autoexpunge = 30 days
> special_use = \Trash
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
>   acl_anyone = allow
>   acl_globals_only = yes
>   acl_shared_dict = proxy::acl
>   imapsieve_mailbox1_before =
> file:/usr/local/lib/dovecot/sieve/report-spam.sieve
>   imapsieve_mailbox1_causes = COPY
>   imapsieve_mailbox1_name = Spam
>   imapsieve_mailbox2_before = 
> file:/usr/local/lib/dovecot/sieve/report-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Spam
>   imapsieve_mailbox2_name = *
>   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
>   mail_log_fields = uid box msgid 

dovecot auth and horde webmail

2018-02-23 Thread David Mehler
Hello,

I'm not sure if this is a Dovecot-specific question, or Postfix or
Horde webmail. As Dovecot is used for authenticating both Postfix as
well as horde I thought i'd start here.

I've got a new horde webmail install going on a FreeBSD 11.1 jail.
I've got Dovecot set up so that it appends a domain name if one is not
given, so that user and u...@example.com can both log in.

When I logged in with horde webmail I used for the first attempt
username with no @example.com suffix. I logged in ok, but couldn't
send an email, gave me a weird error no address associated with host.
I logged out, logged back in using u...@example.com the full address,
and this time the message sending went through.

Any ideas or if this is not a Dovecot question let me know, as that
means I'll have two other places to try.

Thanks.
Dave.

doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: FreeBSD 11.1-RELEASE-p4 amd64
auth_cache_size = 16 k
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com example2.com
dict {
  acl = mysql:/usr/local/etc/dovecot/shared-folders.conf
  sqlquota = mysql:/usr/local/etc/dovecot/quota.conf
}
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1 xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
mail_access_groups = vmail
mail_fsync = never
mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/
mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome zlib
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  hidden = no
  list = yes
  location = 
maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
  mailbox TestFolder {
auto = subscribe
comment = Public Folder for message sharing
  }
  prefix = public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  list = yes
  location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace {
  location = virtual:/usr/local/etc/dovecot/virtual
  mailbox All {
auto = subscribe
comment = All my messages
special_use = \All
  }
  prefix = virtual/
  separator = /
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
auto = no
special_use = \Archive
  }
  mailbox Archives {
auto = subscribe
special_use = \Archive
  }
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = no
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox "Junk E-mail" {
auto = no
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Items" {
auto = no
special_use = \Sent
  }
  mailbox "Sent Messages" {
auto = no
special_use = \Sent
  }
  mailbox Spam {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  acl_anyone = allow
  acl_globals_only = yes
  acl_shared_dict = proxy::acl
  imapsieve_mailbox1_before =
file:/usr/local/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = count:User quota
  quota_clone_dict = proxy::sqlquota
  quota_exceeded_message = Storage quota for this account has been
exceeded, please try again later.
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% 

Re: Dovecot auth SASL for exim and plain auth issue without initial response

2018-01-03 Thread Stephan Bosch
On 1/3/2018 at 11:28 AM, Stephan Bosch wrote:
> On 1/3/2018 at 10:58 AM, Stephan Bosch wrote:
>> On 1/3/2018 at 8:31 AM, Daniel Kenzelmann wrote:
>>> January 3, 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:
>>>
>>>> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm not entirely sure whether this issue is with exim or with dovecot.
>>>>>
>>>>> First some background:
>>>>> I'm using exim with dovecot-auth which in turn is using LDAP for
>>>>> authentication.
>>>>>
>>>>> When using AUTH PLAIN with the optional initial response argument,
>>>>> everything is fine.
>>>>>
>>>>> However when using AUTH PLAIN without the optional response argument,
>>>>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>>>>> a "535 Incorrect authentication data".
>>>>>
>>>>> Example:
>>>>> Working:
>>>>> 220  ESMTP 2018-01-02 22:32:33+0100
>>>>> EHLO test
>>>>> 250- Hello X [x.x.x.x]
>>>>> 250-SIZE 52428800
>>>>> 250-8BITMIME
>>>>> 250-PIPELINING
>>>>> 250-AUTH PLAIN LOGIN
>>>>> 250-CHUNKING
>>>>> 250 HELP
>>>>> AUTH PLAIN ==
>>>>> 235 Authentication succeeded
>>>>>
>>>>> NOT-WORKING:
>>>>> 220  ESMTP 2018-01-02 22:34:37+0100
>>>>> EHLO test
>>>>> 250- Hello X [x.x.x.x]
>>>>> 250-SIZE 52428800
>>>>> 250-8BITMIME
>>>>> 250-PIPELINING
>>>>> 250-AUTH PLAIN LOGIN
>>>>> 250-CHUNKING
>>>>> 250 HELP
>>>>> AUTH PLAIN
>>>>> 535 Incorrect authentication data
>>>>>
>>>>> Here the SASL mechanism should return an empty challenge as per RFC
>>>>> (i.e. "334 " in SMTP):
>>>> This is an error produced by Exim. I find the Exim error handling in
>>>> Exim's implementation of the AUTH command rather peculiar. Still, I
>>>> managed to decipher at least part of it.
>>>>
>>>> That error is produced when FAIL status is returned from the driver:
>>>>
>>>> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
>>>>
>>>> This FAIL status can be returned by the driver itself, but -- in this
>>>> case more likely -- the Dovecot driver in Exim also returns FAIL status
>>>> when Dovecot auth service returns "FAIL":
>>>>
>>>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
>>>>
>>>> So, this may very well be an issue triggered by Dovecot. What version of
>>>> Dovecot is this? Some things were modified in initial response handling
>>>> recently (v2.3) and I may have messed up something.
>>>>
>>>> Does Dovecot log anything interesting with auth_verbose and auth_debug
>>>> enabled?
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
>>> Hi,
>>>
>>> System is gentoo,
>>> dovecot version is 2.3.0
>>> exim version is 4.90
>>>
>>> Debug log does only show the following:
>>> auth: Debug: auth client connected (pid=0)
>>> auth: Debug: client in: AUTH   1   PLAIN   service=smtpsecured 
>>> rip=XX.XX.XX.XX   lip=XX.XX.XX.XX   nologin resp=
>>> auth: plain(?,XX.XX.XX.XX): invalid input
>>> auth: Debug: client passdb out: FAIL   1
>>>
>>> I'm not 100% sure but i think it worked earlier, so this might be connected 
>>> to the 2.3 update. (if REALLY needed i can try to confirm by downgrading 
>>> dovecot)
>> Ok. I know what is going on already. This commit triggers the problem:
>>
>> https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
>>
>> That fix was added to handle the EXTERNAL SASL mechanism properly when
>> used in ManageSieve, and somehow I didn't realize that the original
>> comment means that Exim would also send an empty resp field for an
>> absent initial response:
>>
>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L403
>>
>> This is now handled as an empty initial response instead (as it should
>> be), which -- in this case -- makes the PLAIN mechanism complain about
>> invalid data.
>>
>> So, the fundamental blame lies with Exim for violating the protocol.
>> However, I don't think it is a good idea to break compatibility like
>> that, especially when we want to back-port this fix to Dovecot v2.2.
>>
>> To solve this now, we can recognize an empty initial response for
>> service=smtp differently (EXTERNAL is not used there much I think) and
>> perhaps make that configurable with some setting.
> Right, I can also just base behavior on the client protocol version.

Fix pending (2 commits against master):

https://github.com/stephanbosch/dovecot-core/commits/fix-auth-exim

Regards,

Stephan.


Re: Dovecot auth SASL for exim and plain auth issue without initial response

2018-01-03 Thread Stephan Bosch
On 1/3/2018 at 10:58 AM, Stephan Bosch wrote:
> On 1/3/2018 at 8:31 AM, Daniel Kenzelmann wrote:
>> January 3, 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:
>>
>>> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm not entirely sure whether this issue is with exim or with dovecot.
>>>>
>>>> First some background:
>>>> I'm using exim with dovecot-auth which in turn is using LDAP for
>>>> authentication.
>>>>
>>>> When using AUTH PLAIN with the optional initial response argument,
>>>> everything is fine.
>>>>
>>>> However when using AUTH PLAIN without the optional response argument,
>>>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>>>> a "535 Incorrect authentication data".
>>>>
>>>> Example:
>>>> Working:
>>>> 220  ESMTP 2018-01-02 22:32:33+0100
>>>> EHLO test
>>>> 250- Hello X [x.x.x.x]
>>>> 250-SIZE 52428800
>>>> 250-8BITMIME
>>>> 250-PIPELINING
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-CHUNKING
>>>> 250 HELP
>>>> AUTH PLAIN ==
>>>> 235 Authentication succeeded
>>>>
>>>> NOT-WORKING:
>>>> 220  ESMTP 2018-01-02 22:34:37+0100
>>>> EHLO test
>>>> 250- Hello X [x.x.x.x]
>>>> 250-SIZE 52428800
>>>> 250-8BITMIME
>>>> 250-PIPELINING
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-CHUNKING
>>>> 250 HELP
>>>> AUTH PLAIN
>>>> 535 Incorrect authentication data
>>>>
>>>> Here the SASL mechanism should return an empty challenge as per RFC
>>>> (i.e. "334 " in SMTP):
>>> This is an error produced by Exim. I find the Exim error handling in
>>> Exim's implementation of the AUTH command rather peculiar. Still, I
>>> managed to decipher at least part of it.
>>>
>>> That error is produced when FAIL status is returned from the driver:
>>>
>>> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
>>>
>>> This FAIL status can be returned by the driver itself, but -- in this
>>> case more likely -- the Dovecot driver in Exim also returns FAIL status
>>> when Dovecot auth service returns "FAIL":
>>>
>>> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
>>>
>>> So, this may very well be an issue triggered by Dovecot. What version of
>>> Dovecot is this? Some things were modified in initial response handling
>>> recently (v2.3) and I may have messed up something.
>>>
>>> Does Dovecot log anything interesting with auth_verbose and auth_debug
>>> enabled?
>>>
>>> Regards,
>>>
>>> Stephan.
>> Hi,
>>
>> System is gentoo,
>> dovecot version is 2.3.0
>> exim version is 4.90
>>
>> Debug log does only show the following:
>> auth: Debug: auth client connected (pid=0)
>> auth: Debug: client in: AUTH   1   PLAIN   service=smtpsecured 
>> rip=XX.XX.XX.XX   lip=XX.XX.XX.XX   nologin resp=
>> auth: plain(?,XX.XX.XX.XX): invalid input
>> auth: Debug: client passdb out: FAIL   1
>>
>> I'm not 100% sure but i think it worked earlier, so this might be connected 
>> to the 2.3 update. (if REALLY needed i can try to confirm by downgrading 
>> dovecot)
> Ok. I know what is going on already. This commit triggers the problem:
>
> https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
>
> That fix was added to handle the EXTERNAL SASL mechanism properly when
> used in ManageSieve, and somehow I didn't realize that the original
> comment means that Exim would also send an empty resp field for an
> absent initial response:
>
> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L403
>
> This is now handled as an empty initial response instead (as it should
> be), which -- in this case -- makes the PLAIN mechanism complain about
> invalid data.
>
> So, the fundamental blame lies with Exim for violating the protocol.
> However, I don't think it is a good idea to break compatibility like
> that, especially when we want to back-port this fix to Dovecot v2.2.
>
> To solve this now, we can recognize an empty initial response for
> service=smtp differently (EXTERNAL is not used there much I think) and
> perhaps make that configurable with some setting.

Right, I can also just base behavior on the client protocol version.

Regards,

Stephan.






Re: Dovecot auth SASL for exim and plain auth issue without initial response

2018-01-02 Thread Daniel Kenzelmann
January 3, 2018 00:49, "Stephan Bosch" <step...@rename-it.nl> wrote:

> On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
> 
>> Hi,
>> 
>> I'm not entirely sure whether this issue is with exim or with dovecot.
>> 
>> First some background:
>> I'm using exim with dovecot-auth which in turn is using LDAP for
>> authentication.
>> 
>> When using AUTH PLAIN with the optional initial response argument,
>> everything is fine.
>> 
>> However when using AUTH PLAIN without the optional response argument,
>> instead of getting an empty challenge ("334 ") as per RFC i am getting
>> a "535 Incorrect authentication data".
>> 
>> Example:
>> Working:
>> 220  ESMTP 2018-01-02 22:32:33+0100
>> EHLO test
>> 250- Hello X [x.x.x.x]
>> 250-SIZE 52428800
>> 250-8BITMIME
>> 250-PIPELINING
>> 250-AUTH PLAIN LOGIN
>> 250-CHUNKING
>> 250 HELP
>> AUTH PLAIN ==
>> 235 Authentication succeeded
>> 
>> NOT-WORKING:
>> 220  ESMTP 2018-01-02 22:34:37+0100
>> EHLO test
>> 250- Hello X [x.x.x.x]
>> 250-SIZE 52428800
>> 250-8BITMIME
>> 250-PIPELINING
>> 250-AUTH PLAIN LOGIN
>> 250-CHUNKING
>> 250 HELP
>> AUTH PLAIN
>> 535 Incorrect authentication data
>> 
>> Here the SASL mechanism should return an empty challenge as per RFC
>> (i.e. "334 " in SMTP):
> 
> This is an error produced by Exim. I find the Exim error handling in
> Exim's implementation of the AUTH command rather peculiar. Still, I
> managed to decipher at least part of it.
> 
> That error is produced when FAIL status is returned from the driver:
> 
> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665
> 
> This FAIL status can be returned by the driver itself, but -- in this
> case more likely -- the Dovecot driver in Exim also returns FAIL status
> when Dovecot auth service returns "FAIL":
> 
> https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472
> 
> So, this may very well be an issue triggered by Dovecot. What version of
> Dovecot is this? Some things were modified in initial response handling
> recently (v2.3) and I may have messed up something.
> 
> Does Dovecot log anything interesting with auth_verbose and auth_debug
> enabled?
> 
> Regards,
> 
> Stephan.


Hi,

System is gentoo,
dovecot version is 2.3.0
exim version is 4.90

Debug log does only show the following:
auth: Debug: auth client connected (pid=0)
auth: Debug: client in: AUTH   1   PLAIN   service=smtpsecured 
rip=XX.XX.XX.XX   lip=XX.XX.XX.XX   nologin resp=
auth: plain(?,XX.XX.XX.XX): invalid input
auth: Debug: client passdb out: FAIL   1

I'm not 100% sure but i think it worked earlier, so this might be connected to 
the 2.3 update. (if REALLY needed i can try to confirm by downgrading dovecot)

Thanks,
Daniel


Re: Dovecot auth SASL for exim and plain auth issue without initial response

2018-01-02 Thread Stephan Bosch
On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
> Hi,
>
> I'm not entirely sure whether this issue is with exim or with dovecot.
>
> First some background:
> I'm using exim with dovecot-auth which in turn is using LDAP for
> authentication.
>
> When using AUTH PLAIN with the optional initial response argument,
> everything is fine.
>
> However when using AUTH PLAIN without the optional response argument,
> instead of getting an empty challenge ("334 ") as per RFC i am getting
> a "535 Incorrect authentication data".
>
> Example:
> Working:
> 220  ESMTP 2018-01-02 22:32:33+0100
> EHLO test
> 250- Hello X [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN ==
> 235 Authentication succeeded
>
> NOT-WORKING:
> 220  ESMTP 2018-01-02 22:34:37+0100
> EHLO test
> 250- Hello X [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN
> 535 Incorrect authentication data
>
>
> Here the SASL mechanism should return an empty challenge as per RFC
> (i.e. "334 " in SMTP):

This is an error produced by Exim. I find the Exim error handling in
Exim's implementation of the AUTH command rather peculiar. Still, I
managed to decipher at least part of it.

That error is produced when FAIL status is returned from the driver:

https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665

This FAIL status can be returned by the driver itself, but -- in this
case more likely -- the Dovecot driver in Exim also returns FAIL status
when Dovecot auth service returns "FAIL":

https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472

So, this may very well be an issue triggered by Dovecot. What version of
Dovecot is this? Some things were modified in initial response handling
recently (v2.3) and I may have messed up something.

Does Dovecot log anything interesting with auth_verbose and auth_debug
enabled?

Regards,

Stephan.






Dovecot auth SASL for exim and plain auth issue without initial response

2018-01-02 Thread Daniel Kenzelmann
Hi,

I'm not entirely sure whether this issue is with exim or with dovecot.

First some background:
I'm using exim with dovecot-auth which in turn is using LDAP for
authentication.

When using AUTH PLAIN with the optional initial response argument,
everything is fine.

However when using AUTH PLAIN without the optional response argument,
instead of getting an empty challenge ("334 ") as per RFC i am getting
a "535 Incorrect authentication data".

Example:
Working:
220  ESMTP 2018-01-02 22:32:33+0100
EHLO test
250- Hello X [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
AUTH PLAIN ==
235 Authentication succeeded

NOT-WORKING:
220  ESMTP 2018-01-02 22:34:37+0100
EHLO test
250- Hello X [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
AUTH PLAIN
535 Incorrect authentication data


Here the SASL mechanism should return an empty challenge as per RFC
(i.e. "334 " in SMTP):

RFC 4954 - SMTP Service Extension for Authentication


4.  The AUTH Command

 [..]
 The optional initial response argument to the AUTH command is
 used to save a round-trip when using authentication mechanisms
 that support an initial client response. 
>If the initial
>response argument is omitted and the chosen mechanism requires
>an initial client response, the server MUST proceed as defined
>in Section 5.1 of [SASL].  In SMTP, a server challenge that
>contains no data is defined as a 334 reply with no text part.
>Note that there is still a space following the reply code, so
>the complete response line is "334 ".
 [..]



RFC 4422 - Simple Authentication and Security Layer (SASL)

5.  Mechanism Requirements

   SASL mechanism specifications MUST supply the following information:

   1) The name of the mechanism (see Section 3.1).  This name MUST be
  registered as discussed in Section 7.1.

   2) A definition of the server-challenges and client-responses of the
  authentication exchange, as well as the following:

 a) An indication of whether the mechanism is client-first,
variable, or server-first. 

===>If a SASL mechanism is defined as
===>client-first and the client does not send an initial response
===>in the authentication request, then the first server challenge
===>MUST be empty
  (the EXTERNAL mechanism is an example of this
case).  If a SASL mechanism is defined as variable, then the
specification needs to state how the server behaves when the
initial client response in the authentication request is
omitted (the DIGEST-MD5 mechanism [DIGEST-MD5] is an example of
this case).  If a SASL mechanism is defined as server-first,
then the client MUST NOT send an initial client response in the
authentication request (the CRAM-MD5 mechanism [CRAM-MD5] is an
example of this case).



Thanks,
Daniel
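
The behaviour the quoted RFC text requires, as an added example (not part of the original message and not code from Dovecot or any MTA): a minimal server-side state machine for SMTP `AUTH PLAIN` that answers a bare `AUTH PLAIN` with the empty challenge instead of a 535. The class name, method names and the `verify` callback are assumptions of this sketch; the sample credentials are constructed.

```python
import base64
import binascii

FAIL = "535 5.7.8 Authentication credentials invalid"


class PlainAuthSession:
    """Server side of one SMTP AUTH PLAIN exchange (RFC 4954 section 4, RFC 4616).

    verify is a hypothetical callback: verify(authzid, authcid, password) -> bool.
    """

    def __init__(self, verify):
        self.verify = verify
        self.awaiting_response = False

    def on_auth_command(self, line):
        """Handle the 'AUTH ...' command line and return the reply line."""
        words = line.split()
        if len(words) < 2 or words[0].upper() != "AUTH" or len(words) > 3:
            return "501 Syntax error in AUTH parameters"
        if words[1].upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        if len(words) == 2:
            # PLAIN is client-first and the client sent no initial response,
            # so the first challenge MUST be empty: "334" plus the space.
            self.awaiting_response = True
            return "334 "
        # "=" is how a client transmits a zero-length initial response.
        return self._finish("" if words[2] == "=" else words[2])

    def on_client_line(self, line):
        """Handle the line the client sends in answer to the empty challenge."""
        if not self.awaiting_response:
            return "503 Bad sequence of commands"
        self.awaiting_response = False
        text = line.strip()
        if text == "*":
            # The client cancelled the exchange.
            return "501 Authentication cancelled"
        return self._finish(text)

    def _finish(self, b64_text):
        try:
            raw = base64.b64decode(b64_text, validate=True)
        except (binascii.Error, ValueError):
            return "501 5.5.2 Cannot Base64-decode client response"
        # RFC 4616 message: [authzid] NUL authcid NUL passwd
        fields = raw.split(b"\x00")
        if len(fields) != 3 or not fields[1] or not fields[2]:
            return FAIL
        try:
            authzid, authcid, password = (f.decode("utf-8") for f in fields)
        except UnicodeDecodeError:
            return FAIL
        if self.verify(authzid, authcid, password):
            return "235 2.7.0 Authentication successful"
        return FAIL


if __name__ == "__main__":
    # Constructed account, for illustration only.
    session = PlainAuthSession(
        lambda authzid, authcid, password:
            (authcid, password) == ("user@example.test", "s3cret"))
    token = base64.b64encode(b"\x00user@example.test\x00s3cret").decode("ascii")
    print("C: AUTH PLAIN")
    print("S: " + repr(session.on_auth_command("AUTH PLAIN")))
    print("C: " + token)
    print("S: " + session.on_client_line(token))
```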


Re: Dovecot auth error

2017-11-08 Thread Mathieu R.
It was! Thank you a lot. It's always small mistakes like that which give me
headaches...

On Tue, 7 Nov 2017 at 10:20, David Zambonini <dovecot-...@deemzed.uk>
wrote:

> On 07/11/2017 14:18, Mathieu R. wrote:
> > Maybe i got no answer because there is an error which seem obvious in my
> > logs :
> >
> > Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> > configuration file /etc/dovecot/dovecot-sql.conf.ext
>
> This might sound silly, but in your doveconf you have:
>
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
>
> Yet from this:
>
> >> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
>
> It sounds like the config file you're working with is
> /etc/dovecot/dovecot-sql.conf, not /etc/dovecot/dovecot-sql.conf.ext.
> It's not as simple as a filename problem, is it?
>
> --
> David Zambonini
>
-- 

Mathieu R.


Re: Dovecot auth error

2017-11-07 Thread David Zambonini
On 07/11/2017 14:18, Mathieu R. wrote:
> Maybe i got no answer because there is an error which seem obvious in my
> logs :
> 
> Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext

This might sound silly, but in your doveconf you have:

passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

Yet from this:

>> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf

It sounds like the config file you're working with is
/etc/dovecot/dovecot-sql.conf, not /etc/dovecot/dovecot-sql.conf.ext.
It's not as simple as a filename problem, is it?

-- 
David Zambonini


Re: Dovecot auth error

2017-11-07 Thread Aki Tuomi
apparently my reply got lost.. have you installed dovecot-mysql package?


---
Aki Tuomi
Dovecot oy

Original message
From: "Mathieu R." <math...@400iso.net>
Date: 07/11/2017 16:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Dovecot auth error

Maybe i got no answer because there is an error which seem obvious in my
logs :

Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
configuration file /etc/dovecot/dovecot-sql.conf.ext

I've obviously seen that, and tried to configure driver in that file, but
it had no positive outcome, so I reversed my config to the previous state.

Considering what i've read, dovecot's MySQL configuration should be OK, but
i still have that fatal error

On Sat, 4 Nov 2017 at 21:02, Mathieu R. <math...@400iso.net> wrote:

> I just tried to configure a new dovecot/postfix server, and i end up with
> a dovecot auth error at startup.
> I can't find a solution by myself.
> Below are details, thanks in advance for your precious help, and excuse my
> poor english :
>
> dovecot --version
> 2.2.27 (c0f36b0) (Debian)
>
> Dovecot -n :
> https://400iso.net/public/dov.txt
>
>
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = MD5-CRYPT
> user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid,
> CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE
> username = '%u' AND active='1'
> password_query = SELECT password FROM mailbox WHERE username = '%u'
>
>
> Here is part of the server's log :
>
> Nov  4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from
> [209.85.215.51]:47485 to [149.56.x.x]:25
> Nov  4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed
> by domain dnsbl.sorbs.net as 127.0.0.6
> Nov  4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD
> [209.85.215.51]:47485
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: connect from
> mail-lf0-f51.google.com[209.85.215.51]
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection
> established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext
> Nov  4 20:57:55 vps81550 dovecot: master: Error: service(auth): command
> startup failed, throttling for 2 secs
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL
> authentication mechanisms
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning: process
> /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning:
> /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
> --
>
> Mathieu R.
>
-- 

Mathieu R.


Re: Dovecot auth error

2017-11-07 Thread Mathieu R.
Maybe i got no answer because there is an error which seem obvious in my
logs :

Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
configuration file /etc/dovecot/dovecot-sql.conf.ext

I've obviously seen that, and tried to configure driver in that file, but
it had no positive outcome, so I reversed my config to the previous state.

Considering what i've read, dovecot's MySQL configuration should be OK, but
i still have that fatal error

On Sat, 4 Nov 2017 at 21:02, Mathieu R. <math...@400iso.net> wrote:

> I just tried to configure a new dovecot/postfix server, and i end up with
> a dovecot auth error at startup.
> I can't find a solution by myself.
> Below are details, thanks in advance for your precious help, and excuse my
> poor english :
>
> dovecot --version
> 2.2.27 (c0f36b0) (Debian)
>
> Dovecot -n :
> https://400iso.net/public/dov.txt
>
>
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = MD5-CRYPT
> user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid,
> CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE
> username = '%u' AND active='1'
> password_query = SELECT password FROM mailbox WHERE username = '%u'
>
>
> Here is part of the server's log :
>
> Nov  4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from
> [209.85.215.51]:47485 to [149.56.x.x]:25
> Nov  4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed
> by domain dnsbl.sorbs.net as 127.0.0.6
> Nov  4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD
> [209.85.215.51]:47485
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: connect from
> mail-lf0-f51.google.com[209.85.215.51]
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection
> established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext
> Nov  4 20:57:55 vps81550 dovecot: master: Error: service(auth): command
> startup failed, throttling for 2 secs
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL
> authentication mechanisms
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning: process
> /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning:
> /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
> --
>
> Mathieu R.
>
-- 

Mathieu R.


Re: Dovecot auth error

2017-11-05 Thread Aki Tuomi


On 05.11.2017 03:02, Mathieu R. wrote:
> I just tried to configure a new dovecot/postfix server, and i end up with a
> dovecot auth error at startup.
> I can't find a solution by myself.
> Below are details, thanks in advance for your precious help, and excuse my
> poor english :
>
> dovecot --version
> 2.2.27 (c0f36b0) (Debian)
>
> Dovecot -n :
> https://400iso.net/public/dov.txt
>
>
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
> driver = mysql
> connect = host=127.0.0.1 dbname=postfix user=postfix password=password
> default_pass_scheme = MD5-CRYPT
> user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid,
> CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE
> username = '%u' AND active='1'
> password_query = SELECT password FROM mailbox WHERE username = '%u'
>
>
> Here is part of the server's log :
>
> Nov  4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from
> [209.85.215.51]:47485 to [149.56.x.x]:25
> Nov  4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed
> by domain dnsbl.sorbs.net as 127.0.0.6
> Nov  4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD
> [209.85.215.51]:47485
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: connect from
> mail-lf0-f51.google.com[209.85.215.51]
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection
> established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
> configuration file /etc/dovecot/dovecot-sql.conf.ext
> Nov  4 20:57:55 vps81550 dovecot: master: Error: service(auth): command
> startup failed, throttling for 2 secs
> Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL
> authentication mechanisms
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning: process
> /usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
> Nov  4 20:57:56 vps81550 postfix/master[21528]: warning:
> /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

This usually means that you have not installed mysql support for
dovecot. In dovecot, it's usually a separate package,
called dovecot-mysql.

Aki


Dovecot auth error

2017-11-05 Thread Mathieu R.
I just tried to configure a new dovecot/postfix server, and i end up with a
dovecot auth error at startup.
I can't find a solution by myself.
Below are details, thanks in advance for your precious help, and excuse my
poor english :

dovecot --version
2.2.27 (c0f36b0) (Debian)

Dovecot -n :
https://400iso.net/public/dov.txt


grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=password
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/srv/vmail/%d/%n' AS home, 3000 AS uid, 3000 AS gid,
CONCAT('*:bytes=', CAST(quota AS CHAR)) AS quota_rule FROM mailbox WHERE
username = '%u' AND active='1'
password_query = SELECT password FROM mailbox WHERE username = '%u'


Here is part of the server's log :

Nov  4 20:57:49 vps81550 postfix/postscreen[21578]: CONNECT from
[209.85.215.51]:47485 to [149.56.x.x]:25
Nov  4 20:57:49 vps81550 postfix/dnsblog[21583]: addr 209.85.215.51 listed
by domain dnsbl.sorbs.net as 127.0.0.6
Nov  4 20:57:55 vps81550 postfix/postscreen[21578]: PASS OLD
[209.85.215.51]:47485
Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: connect from
mail-lf0-f51.google.com[209.85.215.51]
Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: Untrusted TLS connection
established from mail-lf0-f51.google.com[209.85.215.51] TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov  4 20:57:55 vps81550 dovecot: auth: Fatal: sql: driver not set in
configuration file /etc/dovecot/dovecot-sql.conf.ext
Nov  4 20:57:55 vps81550 dovecot: master: Error: service(auth): command
startup failed, throttling for 2 secs
Nov  4 20:57:55 vps81550 postfix/smtpd[21585]: fatal: no SASL
authentication mechanisms
Nov  4 20:57:56 vps81550 postfix/master[21528]: warning: process
/usr/lib/postfix/sbin/smtpd pid 21585 exit status 1
Nov  4 20:57:56 vps81550 postfix/master[21528]: warning:
/usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
-- 

Mathieu R.


Re: dovecot auth errors for a new user

2017-07-30 Thread Ruben Safir
On Sun, Jul 30, 2017 at 10:04:38PM +0200, Alexander Dalloz wrote:
> On 30.07.2017 at 21:49, Ruben Safir wrote:
> >2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error:
> >user facebook: Initialization failed: Namespace '': Mail storage
> >autodetection failed with home=/home/facebook
> >2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error:
> >Invalid user settings. Refer to server log for more information.
> 
> Define mail_location; see https://wiki.dovecot.org/MailLocation
> 
> > # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
> 
> And do you think it is clever to run on an EOLed distribution release?
> 
> Alexander



got it, thanks

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013


Re: dovecot auth errors for a new user

2017-07-30 Thread Ruben Safir
On Sun, Jul 30, 2017 at 10:04:38PM +0200, Alexander Dalloz wrote:
> On 30.07.2017 at 21:49, Ruben Safir wrote:
> >2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error:
> >user facebook: Initialization failed: Namespace '': Mail storage
> >autodetection failed with home=/home/facebook
> >2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error:
> >Invalid user settings. Refer to server log for more information.
> 
> Define mail_location; see https://wiki.dovecot.org/MailLocation
> 
> > # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
> 
> And do you think it is clever to run on an EOLed distribution release?

the mail sits in /var/spool/mail/user



> 
> Alexander



Re: dovecot auth errors for a new user

2017-07-30 Thread Alexander Dalloz

On 30.07.2017 at 21:49, Ruben Safir wrote:

> 2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error:
> user facebook: Initialization failed: Namespace '': Mail storage
> autodetection failed with home=/home/facebook
> 2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error:
> Invalid user settings. Refer to server log for more information.


Define mail_location; see https://wiki.dovecot.org/MailLocation

> # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)

And do you think it is clever to run on an EOLed distribution release?

Alexander


Re: dovecot auth errors for a new user

2017-07-30 Thread Ruben Safir
2017-07-30T15:47:23.113000-04:00 www dovecot: pop3(facebook): Error:
user facebook: Initialization failed: Namespace '': Mail storage
autodetection failed with home=/home/facebook
2017-07-30T15:47:23.116805-04:00 www dovecot: pop3(facebook): Error:
Invalid user settings. Refer to server log for more information.


On 07/30/2017 03:42 PM, Ruben Safir wrote:
> I've been running dovecot without trouble for quite a while and now when
> I added a new user, it is not accepting the user and I can not track the
> problem.  It says find more information in the server log, but it is not
> in /var/log/messages or /var/log/mail.err and nothing with lsof
> dovecot|grep log show anything to tail
> 
> www:~ # dovecot -n
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
> base_dir = /var/run/dovecot/
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date ihave
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> protocols = pop3
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> 
> 
> www:/etc/dovecot # dovecot --version
> 2.2.13
> 
> 
> Sending of password for user facebook did not succeed. Mail server
> mrbrklyn.com responded: Internal error occurred. Refer to server log for
> more information.
> 
> 2017-07-30T15:41:58.803006-04:00 www dovecot: pop3-login: Login:
> user=, method=PLAIN, rip=10.0.0.62, lip=96.57.23.82,
> mpid=25269, TLS, session=
> 2017-07-30T15:41:58.812827-04:00 www dovecot: pop3(facebook): Error:
> user facebook: Initialization failed: Namespace '': Mail storage
> autodetection failed with home=/home/facebook
> 2017-07-30T15:41:58.816903-04:00 www dovecot: pop3(facebook): Error:
> Invalid user settings. Refer to server log for more information.
> 




dovecot auth errors for a new user

2017-07-30 Thread Ruben Safir
I've been running dovecot without trouble for quite a while and now when
I added a new user, it is not accepting the user and I can not track the
problem.  It says find more information in the server log, but it is not
in /var/log/messages or /var/log/mail.err and nothing with lsof
dovecot|grep log show anything to tail

www:~ # dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.7-53-pae i686 openSUSE 13.2 (i586)
base_dir = /var/run/dovecot/
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = pop3
ssl_cert = , method=PLAIN, rip=10.0.0.62, lip=96.57.23.82,
mpid=25269, TLS, session=
2017-07-30T15:41:58.812827-04:00 www dovecot: pop3(facebook): Error:
user facebook: Initialization failed: Namespace '': Mail storage
autodetection failed with home=/home/facebook
2017-07-30T15:41:58.816903-04:00 www dovecot: pop3(facebook): Error:
Invalid user settings. Refer to server log for more information.



Re: dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11

2017-05-26 Thread Aki Tuomi

> On May 26, 2017 at 3:26 PM dove...@jeffandjessi.com wrote:
> 
> 
>  
> 
> Still Trying to track down a dovecot issue  
> 
> The error message is: 
> 
> dovecot: auth-worker: Fatal: master: service(auth-worker): child X
> killed with signal 11 (core not dumped - set service auth-worker {
> drop_priv_before_exec=yes }) 
> 
> The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very
> basic config. 
> 
> Both authentications work ... the symptom is that after a connection is
> made the auth worker loads and emails are downloaded and everything "is
> fine". However, about 30 seconds to a minute after the connection is done
> the process dies with the error message. Then the process starts all
> over on the next checking of email, but again everything "works",
> just seeing this error and the process dying each time?
> 
> Enabled all extra verbose logging, but nothing gives any clues.
> 
> Tried to enable core dumps, but couldn't get core dumps to work?
> 
> The only thing is that a recent pkgsrc (netbsd) update created 2
> packages, one for dovecot and one for mysql plugin; since then this
> error appears.
> 
> But it appears the .so lib files are installed and linked correctly.
> 
> Double checked all file permissions and user permissions as well as
> chroot, etc, etc, etc.
> 
> Can't seem to narrow this one down.
> 
> Any ideas on troubleshooting would be great.
> 
> Even tried running a trace with gdb -p on the process, but it just dies
> with a signal 11.
> 
> Anybody have any ideas how to troubleshoot this or is this a bug in the
> software?
> 
> Help!!
>

Hi!

As mentioned before, your issue unfortunately cannot be solved without core 
dump. Please try https://www.dovecot.org/bugreport.html if doing all this 
allows you to get a core dump. Unfortunately there is no other solution at the 
moment, or some other way to debug this further.

Aki


dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11

2017-05-26 Thread dovecot
 

Still Trying to track down a dovecot issue  

The error message is: 

dovecot: auth-worker: Fatal: master: service(auth-worker): child X
killed with signal 11 (core not dumped - set service auth-worker {
drop_priv_before_exec=yes }) 

The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very
basic config. 

Both authentications work ... the symptom is that after a connection is
made the auth worker loads and emails are downloaded and everything "is
fine". However, about 30 seconds to a minute after the connection is done
the process dies with the error message. Then the process starts all
over on the next checking of email, but again everything "works",
just seeing this error and the process dying each time?

Enabled all extra verbose logging, but nothing gives any clues.

Tried to enable core dumps, but couldn't get core dumps to work?

The only thing is that a recent pkgsrc (netbsd) update created 2
packages, one for dovecot and one for mysql plugin; since then this
error appears.

But it appears the .so lib files are installed and linked correctly.

Double checked all file permissions and user permissions as well as
chroot, etc, etc, etc.

Can't seem to narrow this one down.

Any ideas on troubleshooting would be great.

Even tried running a trace with gdb -p on the process, but it just dies
with a signal 11.

Anybody have any ideas how to troubleshoot this or is this a bug in the
software?

Help!!
 


dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11

2017-05-24 Thread dovecot
 

Trying to track down a dovecot issue  

The error message is: 

dovecot: auth-worker: Fatal: master: service(auth-worker): child X
killed with signal 11 (core not dumped - set service auth-worker {
drop_priv_before_exec=yes }) 

The setup is dovecot 2.2.29.1 with passwd and mysql auth db's and a very
basic config. 

Both authentications work ... the symptom is that after a connection is
made the auth worker loads and emails are downloaded and everything "is
fine". However, about 30 seconds to a minute after the connection is done
the process dies with the error message. Then the process starts all
over on the next checking of email, but again everything "works",
just seeing this error and the process dying each time?

Enabled all extra verbose logging, but nothing gives any clues.

Tried to enable core dumps, but couldn't get core dumps to work?

The only thing is that a recent pkgsrc (netbsd) update created 2
packages, one for dovecot and one for mysql plugin; since then this
error appears.

But it appears the .so lib files are installed and linked correctly.

Double checked all file permissions and user permissions as well as
chroot, etc, etc, etc.

Can't seem to narrow this one down.

Any ideas on troubleshooting would be great.

Even tried running a trace with gdb -p on the process, but it just dies
with a signal 11.

 


Re: dovecot: auth-worker: Fatal: master: service(auth-worker): child XXXXX killed with signal 11

2017-05-24 Thread Aki Tuomi


On 22.05.2017 21:53, dove...@jeffandjessi.com wrote:
> Tried to enable core dumps, but couldn't get core dumps to work?
>
> The only thing is that a recent pkgsrc (netbsd) update created 2
> packages, one for dovecot and one for mysql plugin; since then this
> error appears.
>
> But it appears the .so lib files are installed and linked correctly.
>
> Double checked all file permissions and user permissions as well as
> chroot, etc, etc, etc.
>
> Can't seem to narrow this one down.
>
> Any ideas on troubleshooting would be great.
>
> Even tried running a trace with gdb -p on the process, but it just dies
> with a signal 11.
>
>  

Getting a core dump these days can be bit troublesome:

1. mkdir /var/core && chmod 1777 /var/core
2. sysctl kernel.core_pattern=/var/core/core.%p
3. sysctl fs.suid_dumpable=2
4a. systemd: create /etc/systemd/system/dovecot.service.d/env.conf

[Service]
LimitCORE=infinity

4b. ulimit -c unlimited
5. set in dovecot.conf

service auth-worker {
  chroot =
}

6. try again
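
A preflight for steps 1 to 4 of the list above, as an added example that is not part of the original reply and not Dovecot tooling: it reads the kernel and per-process state and reports which step has not taken effect, including the case where `core_pattern` pipes cores to a crash handler. It assumes the Linux `/proc` layout; the function names and the `proc_root` parameter are the example's own.

```python
"""Check that the core-dump settings from steps 1-4 are actually in effect."""
import os
import stat
import sys


def _first_line(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.readline().strip()


def check_core_pattern(value):
    """Step 2: the pattern must name an absolute file path."""
    if value.startswith("|"):
        # A crash handler receives the core on stdin, so nothing is
        # written to the directory created in step 1.
        handler = (value[1:].split() or ["?"])[0]
        return False, "piped to handler " + handler
    if not value.startswith("/"):
        return False, "relative pattern %r resolves against the process cwd" % value
    return True, os.path.dirname(value)


def check_core_dir(path):
    """Step 1: the directory exists with mode 1777."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return False, "cannot stat %s: %s" % (path, exc.strerror)
    if not stat.S_ISDIR(mode):
        return False, "%s is not a directory" % path
    wanted = stat.S_ISVTX | 0o777
    if stat.S_IMODE(mode) & wanted != wanted:
        return False, "mode is %o, step 1 sets 1777" % stat.S_IMODE(mode)
    return True, path


def check_suid_dumpable(value):
    """Step 3: the value set in the list above is 2."""
    if value == "2":
        return True, "2"
    return False, "is %s, step 3 sets 2" % value


def check_core_limit(limits_text):
    """Step 4: soft 'Max core file size' of the target process is non-zero."""
    label = "Max core file size"
    for line in limits_text.splitlines():
        if line.startswith(label):
            soft = line[len(label):].split()[0]
            return soft != "0", "soft limit " + soft
    return False, "no '%s' row found" % label


def preflight(proc_root="/proc", pid="self"):
    """Return a list of (check name, ok, detail) tuples."""
    results = []
    pattern = _first_line(os.path.join(proc_root, "sys", "kernel", "core_pattern"))
    ok, detail = check_core_pattern(pattern)
    results.append(("kernel.core_pattern", ok, detail))
    if ok:
        results.append(("core directory",) + check_core_dir(detail))
    dumpable = _first_line(os.path.join(proc_root, "sys", "fs", "suid_dumpable"))
    results.append(("fs.suid_dumpable",) + check_suid_dumpable(dumpable))
    # The limit that matters is the one of the running service process,
    # not of the shell; reading another user's limits file needs root.
    with open(os.path.join(proc_root, str(pid), "limits"), encoding="ascii") as fh:
        results.append(("core size limit",) + check_core_limit(fh.read()))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    for name, ok, detail in preflight(pid=target):
        print("%-20s %-4s %s" % (name, "ok" if ok else "FAIL", detail))
```

Run it as root with the PID of the running dovecot master or auth-worker process as the argument. A core from the auth worker contains whatever credentials were in its memory, so delete the cores and restore the previous settings once the backtrace has been captured.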



Re: dovecot/auth CPU spikes

2017-02-05 Thread nicolas
And output from strace, nothing i can make sense of really...

10:38:46.859514 epoll_wait(16, [{EPOLLIN, {u32=1696469520, 
u64=15038376972816}}], 17, -1) = 1
10:38:47.768364 accept(7, {sa_family=AF_LOCAL, NULL}, [2]) = 23
10:38:47.768687 getsockname(23, {sa_family=AF_LOCAL, 
sun_path="/var/run/dovecot/login/log255r"}, [31]) = 0
10:38:47.768945 fcntl(23, F_GETFL) = 0x2 (flags O_RDWR)
10:38:47.769132 fcntl(23, F_SETFL, O_RDWR|O_NONBLOCK) = 0
10:38:47.769316 write(5, "372f53453", 12) = 12
10:38:47.769529 read(4, "nBW211316333t371341203251206317b367220", 16) = 16
10:38:47.769747 fstat(23, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
10:38:47.769979 lseek(23, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
10:38:47.770129 getsockname(23, {sa_family=AF_LOCAL, 
sun_path="/var/run/dovecot/login/log"e"}, [31]) = 0
10:38:47.770320 epoll_ctl(16, EPOLL_CTL_ADD, 23, 
{EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=1696840896, u64=15038377344192}}) = 0
10:38:47.770533 write(23, "VERSIONt1t1nMECHtPLAINtplaintext"..., 118) = 118
10:38:47.770735 epoll_wait(16, [{EPOLLIN, {u32=1696840896, 
u64=15038377344192}}], 17, -1) = 1
10:38:47.770927 read(23, "VERSIONt1t1nCPIDt10995n", 8192) = 23
10:38:47.771109 epoll_wait(16, [{EPOLLIN, {u32=1696840896, 
u64=15038377344192}}], 17, -1) = 1
10:38:47.916004 read(23, "AUTHt1tPLAINtservice=imaptsecure"..., 8169) = 145
10:38:47.916428 writev(15, [{"PENALTY-GETt2001:41d0:a::", 25}, {"n", 1}], 2) = 
26
10:38:47.916851 epoll_wait(16, [{EPOLLIN, {u32=1696458048, 
u64=15038376961344}}], 17, 5000) = 1
10:38:47.917177 read(15, "0 0n", 332) = 4
10:38:47.917478 writev(23, [{"CONTt1t", 7}, {"n", 1}], 2) = 8
10:38:47.917835 read(15, 0xdad65237f68, 328) = -1 EAGAIN (Resource temporarily 
unavailable)
10:38:47.918218 epoll_wait(16, [{EPOLLIN, {u32=1696840896, 
u64=15038377344192}}], 17, 149998) = 1
10:38:47.919198 read(23, "CONTt1tAG5pY29sYXNAYW5kcmlsbG9uL"..., 8024) = 52
10:38:49.558718 writev(23, [{"OKt1tuser=addr...@domain.nett", 32}, {"n", 1}], 
2) = 33
10:38:49.558978 epoll_wait(16, [{EPOLLIN, {u32=1696470560, 
u64=15038376973856}}], 17, 15) = 1


Re: dovecot/auth CPU spikes

2017-02-05 Thread nicolas
Full dovecot -n output
=
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 3.14.32--grs-ipv6-64 x86_64 Ubuntu 16.04.1 LTS ext4
auth_cache_size = 10 M
auth_mechanisms = plain login
default_internal_user = vmail
first_valid_uid = 0
mail_location = maildir:/home/data/vmail/%d/%n
mail_plugins = " fts fts_solr"
mail_privileged_group = vmail
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
namespace inbox {
 inbox = yes
 location =
 mailbox Archive {
 auto = subscribe
 special_use = \Archive
 }
 mailbox Drafts {
 auto = subscribe
 special_use = \Drafts
 }
 mailbox Junk {
 auto = subscribe
 special_use = \Junk
 }
 mailbox Sent {
 auto = subscribe
 special_use = \Sent
 }
 mailbox "Sent Messages" {
 special_use = \Sent
 }
 mailbox Trash {
 auto = subscribe
 special_use = \Trash
 }
 prefix =
}
passdb {
 args = /etc/dovecot/dovecot-sql.conf.ext
 driver = sql
}
plugin {
 antispam_backend = pipe
 antispam_mail_notspam = learn_ham
 antispam_mail_sendmail = /usr/bin/rspamc
 antispam_mail_sendmail_args = -h;localhost:11334;-P;q1
 antispam_mail_spam = learn_spam
 antispam_spam = Junk
 antispam_trash = Trash
 fts = solr
 fts_solr = break-imap-search url=http://localhost:8080/solr/
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_before = /var/lib/dovecot/sieve.d/
}
postmaster_address = postmas...@domain.net
protocols = imap lmtp sieve pop3
service auth-worker {
 unix_listener auth-worker {
 user = vmail
 }
 user = vmail
}
service auth {
 unix_listener /var/spool/postfix/private/auth {
 group = postfix
 mode = 0666
 user = postfix
 }
 unix_listener auth-userdb {
 group = vmail
 mode = 0660
 user = vmail
 }
 user = vmail
}
service imap-login {
 inet_listener imap {
 port = 0
 }
 service_count = 1
}
service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
 group = postfix
 mode = 0666
 user = postfix
 }
 user = vmail
}
service pop3-login {
 inet_listener pop3 {
 port = 0
 }
}
ssl = required
ssl_cert =


dovecot/auth CPU spikes

2017-02-05 Thread nicolas
Hi All,

I have recently moved my webmail server from a VPS to a hosted dedicated server 
running Ubuntu 16.04.
Everything is fine except that login is particularly and consistently long 
(around 4-5 seconds).

I have noticed that the process dovecot/auth seems to eat all of the resources 
of one of the cores available on the host during login. The authentication 
backend is a postgres database which is running absolutely fine.

I have been scavenging on the dovecot mailing list for some time but I have not 
been able to find a solution to my problem so decided to send this bottle to 
the sea.

Here is my config:
$ sudo dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 3.14.32--grs-ipv6-64 x86_64 Ubuntu 16.04.1 LTS ext4
auth_cache_size = 10 M
auth_mechanisms = plain login
default_internal_user = vmail
first_valid_uid = 0
mail_location = maildir:/home/data/vmail/%d/%n
mail_plugins = " fts fts_solr"
mail_privileged_group = vmail
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
namespace inbox {
 inbox = yes
 location =
 mailbox Archive {
 auto = subscribe
 special_use = Archive
 }
 mailbox Drafts {
 auto = subscribe
 special_use = Drafts
 }
 mailbox Junk {
 auto = subscribe
 special_use = Junk
 }
 mailbox Sent {
 auto = subscribe
 special_use = Sent
 }
 mailbox "Sent Messages" {
 special_use = Sent
 }
 mailbox Trash {
 auto = subscribe
 special_use = Trash
 }
 prefix =
}
passdb {
 args = /etc/dovecot/dovecot-sql.conf.ext
 driver = sql
}
plugin {
 antispam_backend = pipe
 antispam_mail_notspam = learn_ham
 antispam_mail_sendmail = /usr/bin/rspamc
 antispam_mail_sendmail_args = -h;localhost:11334;-P;q1
 antispam_mail_spam = learn_spam
 antispam_spam = Junk
 antispam_trash = Trash
 fts = solr
 fts_solr = break-imap-search url=http://localhost:8080/solr/
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_before = /var/lib/dovecot/sieve.d/
}
postmaster_address = postmas...@domain.net
protocols = imap lmtp sieve pop3
service auth-worker {
 unix_listener auth-worker {
 user = vmail
 }
 user = vmail
}
service auth {
 unix_listener /var/spool/postfix/private/auth {
 group = postfix
 mode = 0666
 user = postfix
 }
 unix_listener auth-userdb {
 group = vmail
 mode = 0660
 user = vmail
 }
 user = vmail
}
service imap-login {
 inet_listener imap {
 port = 0
 }
 service_count = 1
}
service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
 group = postfix
 mode = 0666
 user = postfix
 }
 user = vmail
}
service pop3-login {
 inet_listener pop3 {
 port = 0
 }
}
ssl = required
ssl_cert =


Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Aki Tuomi
 unix_listener /var/spool/postfix/private/auth {
 group = postfix
 mode = 0660
 user = postfix
   }
   unix_listener auth-userdb {
 group = vmail
 mode = 0600
 user = vmail
   }
   user = root
}
service imap-login {
   client_limit = 1000
   process_limit = 512
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
 group = postfix
 mode = 0600
 user = postfix
   }
}
ssl = required
ssl_cert = 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_dh_parameters_length = 2048
ssl_key = :


On 01.02.2017 08:18, Poliman - Serwis wrote:

This is debug log files in syslog:
Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_re...@example.com
Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_re...@example.com



#
I added these lines to the passdb block in dovecot.conf:
   driver = passwd-file
   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out the default lines:
   #args = /etc/dovecot/dovecot-sql.conf
   #driver = sql
When I try to set the default lines again I get the above error.

Can you run doveconf -n with the configuration that causes the above
error? Also it clearly does SQL lookup, so that error is happening with
SQL passdb. You need to remember to restart dovecot between
configuration changes.

Aki


2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:


On 31.01.2017 09:06, Poliman - Serwis wrote:

I set up cram-md5 using this tutorial
https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
passdb code block:
listen = *,[::]
protocols = imap pop3
#aut

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Steffen Kaiser
3
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl = required
ssl_cert = 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_dh_parameters_length = 2048
ssl_key = :


On 01.02.2017 08:18, Poliman - Serwis wrote:

This is debug log files in syslog:
Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_re...@example.com
Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_re...@example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_re...@example.com' OR email = 'do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_re...@example.com



#
I added these lines to the passdb block in dovecot.conf:
   driver = passwd-file
   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out the default lines:
   #args = /etc/dovecot/dovecot-sql.conf
   #driver = sql
When I try to set the default lines again I get the above error.

Can you run doveconf -n with the configuration that causes the above
error? Also it clearly does SQL lookup, so that error is happening with
SQL passdb. You need to remember to restart dovecot between
configuration changes.

Aki


2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:


On 31.01.2017 09:06, Poliman - Serwis wrote:

I set up cram-md5 using this tutorial
https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
passdb code block:
listen = *,[::]
protocols = imap pop3
#aut

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Poliman - Serwis
>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>> >>>>>>>>> I always restart dovecot after change config. ;) Sure, I
>>> commented
>>> >>>> out
>>> >>>>>>>>> added two lines by me, restarted dovecot and here it is:
>>> >>>>>>>>>
>>> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>> >>>>>>>>> auth_mechanisms = plain login cram-md5
>>> >>>>>>>>> listen = *,[::]
>>> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>> >>>>>>>>> mail_max_userip_connections = 100
>>> >>>>>>>>> mail_plugins = " quota"
>>> >>>>>>>>> mail_privileged_group = vmail
>>> >>>>>>>>> passdb {
>>> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>> >>>>>>>>>   driver = sql
>>> >>>>>>>>> }
>>> >>>>>>>>> plugin {
>>> >>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>> >>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>> >>>>>>>>>   sieve_max_redirects = 25
>>> >>>>>>>>> }
>>> >>>>>>>>> postmaster_address = postmas...@example.com
>>> >>>>>>>>> protocols = imap pop3
>>> >>>>>>>>> service auth {
>>> >>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
>>> >>>>>>>>> group = postfix
>>> >>>>>>>>> mode = 0660
>>> >>>>>>>>> user = postfix
>>> >>>>>>>>>   }
>>> >>>>>>>>>   unix_listener auth-userdb {
>>> >>>>>>>>> group = vmail
>>> >>>>>>>>> mode = 0600
>>> >>>>>>>>> user = vmail
>>> >>>>>>>>>   }
>>> >>>>>>>>>   user = root
>>> >>>>>>>>> }
>>> >>>>>>>>> service imap-login {
>>> >>>>>>>>>   client_limit = 1000
>>> >>>>>>>>>   process_limit = 512
>>> >>>>>>>>> }
>>> >>>>>>>>> service lmtp {
>>> >>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>> >>>>>>>>> group = postfix
>>> >>>>>>>>> mode = 0600
>>> >>>>>>>>> user = postfix
>>> >>>>>>>>>   }
>>> >>>>>>>>> }
>>> >>>>>>>>> ssl = required
>>> >>>>>>>>> ssl_cert =
>>> >>>>>>>>> ssl_cipher_list =
>>> >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>>> >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>>> >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>>> >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>>> >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>>> >>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>>> >>>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>>> >>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>>> >>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>>> >>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>>> >>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
>>> >>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
>>> >>>>>>>

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Poliman - Serwis
ram-md5.
>> >>>>>>> After restart all work perfectly. But after I added:
>> >>>>>>>driver = passwd-file
>> >>>>>>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>> >>>>>>> I can't set default lines because I got error. Please tell me
>> which
>> >>>> lines
>> >>>>>>> should be changed to resolve this issue. Should I remove "login"
>> from
>> >>>>>>> auth_mechanism ("login" was default setting and I would like to
>> move
>> >>>> back
>> >>>>>>> to default settings)?
>> >>>>>>>
>> >>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>> >>>>>>>
>> >>>>>>>> Because cram-md5 needs the user's password for calculating
>> >> responses,
>> >>>> it
>> >>>>>>>> cannot work with hashed passwords (one-way encrypted). The only
>> >>>>>>>> supported password schemes are PLAIN and CRAM-MD5.
>> >>>>>>>>
>> >>>>>>>> Aki
>> >>>>>>>>
>> >>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>> >>>>>>>>> I always restart dovecot after change config. ;) Sure, I
>> commented
>> >>>> out
>> >>>>>>>>> added two lines by me, restarted dovecot and here it is:
>> >>>>>>>>>
>> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>> >>>>>>>>> auth_mechanisms = plain login cram-md5
>> >>>>>>>>> listen = *,[::]
>> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>> >>>>>>>>> mail_max_userip_connections = 100
>> >>>>>>>>> mail_plugins = " quota"
>> >>>>>>>>> mail_privileged_group = vmail
>> >>>>>>>>> passdb {
>> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>> >>>>>>>>>   driver = sql
>> >>>>>>>>> }
>> >>>>>>>>> plugin {
>> >>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>> >>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
>> >>>>>>>>>   sieve_max_redirects = 25
>> >>>>>>>>> }
>> >>>>>>>>> postmaster_address = postmas...@example.com
>> >>>>>>>>> protocols = imap pop3
>> >>>>>>>>> service auth {
>> >>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
>> >>>>>>>>> group = postfix
>> >>>>>>>>> mode = 0660
>> >>>>>>>>> user = postfix
>> >>>>>>>>>   }
>> >>>>>>>>>   unix_listener auth-userdb {
>> >>>>>>>>> group = vmail
>> >>>>>>>>> mode = 0600
>> >>>>>>>>> user = vmail
>> >>>>>>>>>   }
>> >>>>>>>>>   user = root
>> >>>>>>>>> }
>> >>>>>>>>> service imap-login {
>> >>>>>>>>>   client_limit = 1000
>> >>>>>>>>>   process_limit = 512
>> >>>>>>>>> }
>> >>>>>>>>> service lmtp {
>> >>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>> >>>>>>>>> group = postfix
>> >>>>>>>>> mode = 0600
>> >>>>>>>>> user = postfix
>> >>>>>>>>>   }
>> >>>>>>>>> }
>> >>>>>>>>> ssl = required
>> >>>>>>>>> ssl_cert =
>> >>>>>>>>> ssl_cipher_list =
>> >>>>>>>>> ECDHE-RSA-AES128
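
The "Requested CRAM-MD5 scheme, but we have only CRYPT" error and Aki's explanation quoted above, as an added example (not code from the thread or from Dovecot). It models only the PLAIN stored scheme; the function names, the sample user and password, and PBKDF2 standing in for CRYPT are assumptions. The challenge is the one logged in the thread.

```python
import base64
import hashlib
import hmac

# Challenge exactly as logged in the thread's "client passdb out: CONT" line.
LOGGED_CHALLENGE_B64 = (
    "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
)


class SchemeMismatch(Exception):
    """The stored credential cannot serve the requested mechanism."""


def decode_challenge(b64: str) -> bytes:
    """Recover the server's one-time challenge from its base64 form."""
    return base64.b64decode(b64, validate=True)


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side, RFC 2195: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def parse_response(response_b64: str) -> tuple:
    """Split a client response into (user, hex digest)."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    return user, digest


def one_way_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a CRYPT-style one-way hash (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify_plain(stored: dict, password: str) -> bool:
    """PLAIN/LOGIN: the server receives the password, so it can re-hash it."""
    if stored["scheme"] == "PLAIN":
        return hmac.compare_digest(stored["value"].encode(), password.encode())
    candidate = one_way_hash(password, stored["salt"])
    return hmac.compare_digest(stored["value"], candidate)


def verify_cram_md5(stored: dict, challenge: bytes, response_b64: str) -> bool:
    """CRAM-MD5: the server only ever sees an HMAC keyed with the password,
    so it must hold the password itself to compute the expected value."""
    if stored["scheme"] != "PLAIN":
        raise SchemeMismatch(
            f"Requested CRAM-MD5 scheme, but we have only {stored['scheme']}"
        )
    try:
        _, digest = parse_response(response_b64)
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    expected = hmac.new(stored["value"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest.encode(), expected.encode())


def demo() -> dict:
    challenge = decode_challenge(LOGGED_CHALLENGE_B64)
    user = "user@example.com"            # constructed sample user
    password = "constructed-sample-pw"   # constructed sample password
    salt = b"constructed-salt"
    plain_row = {"scheme": "PLAIN", "value": password}
    crypt_row = {"scheme": "CRYPT", "salt": salt,
                 "value": one_way_hash(password, salt)}
    response = cram_md5_response(user, password, challenge)
    out = {
        # A hashed row is enough when the password itself arrives (over TLS).
        "plain_login_vs_crypt": verify_plain(crypt_row, password),
        # A cleartext row lets the server recompute the HMAC.
        "cram_vs_plain": verify_cram_md5(plain_row, challenge, response),
        # The response is bound to one challenge and fails on any other.
        "replayed_on_new_challenge": verify_cram_md5(
            plain_row, b"<2.2@constructed.example>", response),
    }
    try:
        verify_cram_md5(crypt_row, challenge, response)
    except SchemeMismatch as exc:
        out["cram_vs_crypt"] = str(exc)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trade-off this shows: offering cram-md5 means the password database has to hold a secret usable directly for login, whereas plain and login over the already required TLS work with one-way hashes.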

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Poliman - Serwis
>> added two lines by me, restarted dovecot and here it is:
> >>>>>>>>>
> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>>>>>>>> auth_mechanisms = plain login cram-md5
> >>>>>>>>> listen = *,[::]
> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>>>>>> mail_max_userip_connections = 100
> >>>>>>>>> mail_plugins = " quota"
> >>>>>>>>> mail_privileged_group = vmail
> >>>>>>>>> passdb {
> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>   driver = sql
> >>>>>>>>> }
> >>>>>>>>> plugin {
> >>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>>>>>   sieve_max_redirects = 25
> >>>>>>>>> }
> >>>>>>>>> postmaster_address = postmas...@example.com
> >>>>>>>>> protocols = imap pop3
> >>>>>>>>> service auth {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>>>>> group = postfix
> >>>>>>>>> mode = 0660
> >>>>>>>>> user = postfix
> >>>>>>>>>   }
> >>>>>>>>>   unix_listener auth-userdb {
> >>>>>>>>> group = vmail
> >>>>>>>>> mode = 0600
> >>>>>>>>> user = vmail
> >>>>>>>>>   }
> >>>>>>>>>   user = root
> >>>>>>>>> }
> >>>>>>>>> service imap-login {
> >>>>>>>>>   client_limit = 1000
> >>>>>>>>>   process_limit = 512
> >>>>>>>>> }
> >>>>>>>>> service lmtp {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>>>>> group = postfix
> >>>>>>>>> mode = 0600
> >>>>>>>>> user = postfix
> >>>>>>>>>   }
> >>>>>>>>> }
> >>>>>>>>> ssl = required
> >>>>>>>>> ssl_cert =
> >>>>>>>>> ssl_cipher_list =
> >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >>>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >>>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>>>> ssl_key =
> >>>>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>>>> userdb {
> >>>>>>>>>   driver = prefetch
> >>>>>>>>> }
> >>>>>>>>> userdb {
> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>   driver = sql
> >>>>>>>>> }
> >

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-03 Thread Poliman - Serwis
y. But after I added:
> >>>>>>>driver = passwd-file
> >>>>>>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>> I can't set default lines because I got error. Please tell me which
> >>>> lines
> >>>>>>> should be changed to resolve this issue. Should I remove "login"
> from
> >>>>>>> auth_mechanism ("login" was default setting and I would like to
> move
> >>>> back
> >>>>>>> to default settings)?
> >>>>>>>
> >>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >>>>>>>
> >>>>>>>> Because cram-md5 needs the user's password for calculating
> >> responses,
> >>>> it
> >>>>>>>> cannot work with hashed passwords (one-way encrypted). The only
> >>>>>>>> supported password schemes are PLAIN and CRAM-MD5.
> >>>>>>>>
> >>>>>>>> Aki
> >>>>>>>>
> >>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
> >>>>>>>>> I always restart dovecot after change config. ;) Sure, I
> commented
> >>>> out
> >>>>>>>>> added two lines by me, restarted dovecot and here it is:
> >>>>>>>>>
> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>>>>>>>> auth_mechanisms = plain login cram-md5
> >>>>>>>>> listen = *,[::]
> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>>>>>> mail_max_userip_connections = 100
> >>>>>>>>> mail_plugins = " quota"
> >>>>>>>>> mail_privileged_group = vmail
> >>>>>>>>> passdb {
> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>   driver = sql
> >>>>>>>>> }
> >>>>>>>>> plugin {
> >>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>>>>>   sieve_max_redirects = 25
> >>>>>>>>> }
> >>>>>>>>> postmaster_address = postmas...@example.com
> >>>>>>>>> protocols = imap pop3
> >>>>>>>>> service auth {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>>>>> group = postfix
> >>>>>>>>> mode = 0660
> >>>>>>>>> user = postfix
> >>>>>>>>>   }
> >>>>>>>>>   unix_listener auth-userdb {
> >>>>>>>>> group = vmail
> >>>>>>>>> mode = 0600
> >>>>>>>>> user = vmail
> >>>>>>>>>   }
> >>>>>>>>>   user = root
> >>>>>>>>> }
> >>>>>>>>> service imap-login {
> >>>>>>>>>   client_limit = 1000
> >>>>>>>>>   process_limit = 512
> >>>>>>>>> }
> >>>>>>>>> service lmtp {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>>>>> group = postfix
> >>>>>>>>> mode = 0600
> >>>>>>>>> user = postfix
> >>>>>>>>>   }
> >>>>>>>>> }
> >>>>>>>>> ssl = required
> >>>>>>>>> ssl_cert =
> >>>>>>>>> ssl_cipher_list =
> >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-01 Thread Aki Tuomi
>>>> mail_privileged_group = vmail
>>>>>>>>> passdb {
>>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>   driver = sql
>>>>>>>>> }
>>>>>>>>> plugin {
>>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>>>>>>>>   sieve_max_redirects = 25
>>>>>>>>> }
>>>>>>>>> postmaster_address = postmas...@example.com
>>>>>>>>> protocols = imap pop3
>>>>>>>>> service auth {
>>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
>>>>>>>>> group = postfix
>>>>>>>>> mode = 0660
>>>>>>>>> user = postfix
>>>>>>>>>   }
>>>>>>>>>   unix_listener auth-userdb {
>>>>>>>>> group = vmail
>>>>>>>>> mode = 0600
>>>>>>>>> user = vmail
>>>>>>>>>   }
>>>>>>>>>   user = root
>>>>>>>>> }
>>>>>>>>> service imap-login {
>>>>>>>>>   client_limit = 1000
>>>>>>>>>   process_limit = 512
>>>>>>>>> }
>>>>>>>>> service lmtp {
>>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>>>>>> group = postfix
>>>>>>>>> mode = 0600
>>>>>>>>> user = postfix
>>>>>>>>>   }
>>>>>>>>> }
>>>>>>>>> ssl = required
>>>>>>>>> ssl_cert =
>>>>>>>>> ssl_cipher_list =
>>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>>>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>>>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>>>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>>>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>>>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>>>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>>>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>>>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>>>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
>>>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
>>>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>>> ssl_key =
>>>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>>>> userdb {
>>>>>>>>>   driver = prefetch
>>>>>>>>> }
>>>>>>>>> userdb {
>>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>   driver = sql
>>>>>>>>> }
>>>>>>>>> protocol imap {
>>>>>>>>>   mail_plugins = quota imap_quota
>>>>>>>>> }
>>>>>>>>> protocol pop3 {
>>>>>>>>>   mail_plugins = quota
>>>>>>>>>   pop3_uidl_format = %08Xu%08Xv
>>>>>>>>> }
>>>>>>>>> protocol lda {
>>>>>>>>>   mail_plugins = sieve quota
>>>>>>>>>   postmaster_address = webmaster@localhost
>>>>>>>>> }
>>>>>>>>> protocol lmtp {
>>>>>>>>>   mail_plugins = quota sieve
>>>>>>>>>   postmaster_address = webmaster@localhost
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-01 Thread Poliman - Serwis
>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>>>   sieve_max_redirects = 25
> >>>>>>> }
> >>>>>>> postmaster_address = postmas...@example.com
> >>>>>>> protocols = imap pop3
> >>>>>>> service auth {
> >>>>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>>> group = postfix
> >>>>>>> mode = 0660
> >>>>>>> user = postfix
> >>>>>>>   }
> >>>>>>>   unix_listener auth-userdb {
> >>>>>>> group = vmail
> >>>>>>> mode = 0600
> >>>>>>> user = vmail
> >>>>>>>   }
> >>>>>>>   user = root
> >>>>>>> }
> >>>>>>> service imap-login {
> >>>>>>>   client_limit = 1000
> >>>>>>>   process_limit = 512
> >>>>>>> }
> >>>>>>> service lmtp {
> >>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>>> group = postfix
> >>>>>>> mode = 0600
> >>>>>>> user = postfix
> >>>>>>>   }
> >>>>>>> }
> >>>>>>> ssl = required
> >>>>>>> ssl_cert =
> >>>>>>> ssl_cipher_list =
> >>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>> ssl_key =
> >>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>> userdb {
> >>>>>>>   driver = prefetch
> >>>>>>> }
> >>>>>>> userdb {
> >>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>   driver = sql
> >>>>>>> }
> >>>>>>> protocol imap {
> >>>>>>>   mail_plugins = quota imap_quota
> >>>>>>> }
> >>>>>>> protocol pop3 {
> >>>>>>>   mail_plugins = quota
> >>>>>>>   pop3_uidl_format = %08Xu%08Xv
> >>>>>>> }
> >>>>>>> protocol lda {
> >>>>>>>   mail_plugins = sieve quota
> >>>>>>>   postmaster_address = webmaster@localhost
> >>>>>>> }
> >>>>>>> protocol lmtp {
> >>>>>>>   mail_plugins = quota sieve
> >>>>>>>   postmaster_address = webmaster@localhost
> >>>>>>> }
> >>>>>>>
> >>>>>>>
> >>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >>>>>>>
> >>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>>>>>>>> This is debug log files in syslog:
> >>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb
> out:
> >>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
> >>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> >>>>>>>> m5ldD4=
> >>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in:
> >>>> CONT
> >>>>>>>>>

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-01 Thread Poliman - Serwis
mail/%d/%n/.quotausage
> >>>>>>>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>>>   sieve_max_redirects = 25
> >>>>>>> }
> >>>>>>> postmaster_address = postmas...@example.com
> >>>>>>> protocols = imap pop3
> >>>>>>> service auth {
> >>>>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>>> group = postfix
> >>>>>>> mode = 0660
> >>>>>>> user = postfix
> >>>>>>>   }
> >>>>>>>   unix_listener auth-userdb {
> >>>>>>> group = vmail
> >>>>>>> mode = 0600
> >>>>>>> user = vmail
> >>>>>>>   }
> >>>>>>>   user = root
> >>>>>>> }
> >>>>>>> service imap-login {
> >>>>>>>   client_limit = 1000
> >>>>>>>   process_limit = 512
> >>>>>>> }
> >>>>>>> service lmtp {
> >>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>>> group = postfix
> >>>>>>> mode = 0600
> >>>>>>> user = postfix
> >>>>>>>   }
> >>>>>>> }
> >>>>>>> ssl = required
> >>>>>>> ssl_cert =
> >>>>>>> ssl_cipher_list =
> >>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>> ssl_key =
> >>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>> userdb {
> >>>>>>>   driver = prefetch
> >>>>>>> }
> >>>>>>> userdb {
> >>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>   driver = sql
> >>>>>>> }
> >>>>>>> protocol imap {
> >>>>>>>   mail_plugins = quota imap_quota
> >>>>>>> }
> >>>>>>> protocol pop3 {
> >>>>>>>   mail_plugins = quota
> >>>>>>>   pop3_uidl_format = %08Xu%08Xv
> >>>>>>> }
> >>>>>>> protocol lda {
> >>>>>>>   mail_plugins = sieve quota
> >>>>>>>   postmaster_address = webmaster@localhost
> >>>>>>> }
> >>>>>>> protocol lmtp {
> >>>>>>>   mail_plugins = quota sieve
> >>>>>>>   postmaster_address = webmaster@localhost
> >>>>>>> }
> >>>>>>>
> >>>>>>>
> >>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >>>>>>>
> >>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>>>>>>>> This is the debug log in syslog:
> >>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb
> out:
> >>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
> >>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> >>>>>>>> m5ldD4=
> >>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in:
> >

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-01 Thread Aki Tuomi
 vmail
>>>>>>> mode = 0600
>>>>>>> user = vmail
>>>>>>>   }
>>>>>>>   user = root
>>>>>>> }
>>>>>>> service imap-login {
>>>>>>>   client_limit = 1000
>>>>>>>   process_limit = 512
>>>>>>> }
>>>>>>> service lmtp {
>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>>>> group = postfix
>>>>>>> mode = 0600
>>>>>>> user = postfix
>>>>>>>   }
>>>>>>> }
>>>>>>> ssl = required
>>>>>>> ssl_cert =
>>>>>>> ssl_cipher_list =
>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>>>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>>>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>>>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>>>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>>>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>>>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>>>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>>>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>>>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
>>>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
>>>>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>> ssl_key =
>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>> userdb {
>>>>>>>   driver = prefetch
>>>>>>> }
>>>>>>> userdb {
>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>   driver = sql
>>>>>>> }
>>>>>>> protocol imap {
>>>>>>>   mail_plugins = quota imap_quota
>>>>>>> }
>>>>>>> protocol pop3 {
>>>>>>>   mail_plugins = quota
>>>>>>>   pop3_uidl_format = %08Xu%08Xv
>>>>>>> }
>>>>>>> protocol lda {
>>>>>>>   mail_plugins = sieve quota
>>>>>>>   postmaster_address = webmaster@localhost
>>>>>>> }
>>>>>>> protocol lmtp {
>>>>>>>   mail_plugins = quota sieve
>>>>>>>   postmaster_address = webmaster@localhost
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>>>>>>>
>>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>>>>>> This is the debug log in syslog:
>>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
>>>>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
>>>> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
>>>>>>>> m5ldD4=
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in:
>>>> CONT
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
>>>>>>>>> do_not_re...@example.com,12.173.211.32): query: SELECT email as
>>>> user,
>>>>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':',
>>>> maildir,
>>>>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
>>>>>>>> userdb_mail,
>>>>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota,
>>>> 'B')
>>>>>> AS
>>>>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
>>>>>>>>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
>>>>>>>>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id =
>>>> '1'
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
>>>>

Re: Dovecot auth-worker error after cram-md5 auth

2017-02-01 Thread Poliman - Serwis
ner /var/spool/postfix/private/dovecot-lmtp {
> >>>>> group = postfix
> >>>>> mode = 0600
> >>>>> user = postfix
> >>>>>   }
> >>>>> }
> >>>>> ssl = required
> >>>>> ssl_cert =
> >>>>> ssl_cipher_list =
> >>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>> ssl_dh_parameters_length = 2048
> >>>>> ssl_key =
> >>>>> ssl_prefer_server_ciphers = yes
> >>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>> userdb {
> >>>>>   driver = prefetch
> >>>>> }
> >>>>> userdb {
> >>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>   driver = sql
> >>>>> }
> >>>>> protocol imap {
> >>>>>   mail_plugins = quota imap_quota
> >>>>> }
> >>>>> protocol pop3 {
> >>>>>   mail_plugins = quota
> >>>>>   pop3_uidl_format = %08Xu%08Xv
> >>>>> }
> >>>>> protocol lda {
> >>>>>   mail_plugins = sieve quota
> >>>>>   postmaster_address = webmaster@localhost
> >>>>> }
> >>>>> protocol lmtp {
> >>>>>   mail_plugins = quota sieve
> >>>>>   postmaster_address = webmaster@localhost
> >>>>> }
> >>>>>
> >>>>>
> >>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >>>>>
> >>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>>>>>> This is the debug log in syslog:
> >>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
> >> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> >>>>>> m5ldD4=
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in:
> >> CONT
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> >>>>>>> do_not_re...@example.com,12.173.211.32): query: SELECT email as
> >> user,
> >>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':',
> >> maildir,
> >>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> >>>>>> userdb_mail,
> >>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota,
> >> 'B')
> >>>> AS
> >>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> >>>>>>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> >>>>>>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id =
> >> '1'
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
> >>>>>>> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5
> scheme,
> >>>>>> but we
> >>>>>>> have only CRYPT
> >>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> FAIL#0112#011user=do_not_re...@example.com
> >>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
> >>>>>>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5
> >> authentication
> >>>>>>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NT
> kyOTQyNUB2cHMzNDI0MDEub3ZoLm5l
> >>>

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Aki Tuomi
Are you still trying to authenticate using cram-md5?

Aki


On 01.02.2017 09:51, Poliman - Serwis wrote:
> It still uses:
> passdb {
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
>
> When I delete the above and delete "cram-md5" in auth_mechanisms it is
> still not working.
>
> 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>
>> You are probably wanting to do
>> passdb {
>>   driver = passwd-file
>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>> }
>>
>> passdb {
>>   driver = sql
>>   args = /etc/dovecot/dovecot-sql.conf
>> }
>>
>> Why you want to use cram-md5 is beyond me, because using SSL is much
>> safer.
>>
>> Aki
>>
>> On 01.02.2017 09:41, Poliman - Serwis wrote:
>>> By default it was: "auth_mechanisms = plain login" and I added cram-md5.
>>> After a restart all worked perfectly. But after I added:
>>>driver = passwd-file
>>>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>> I can't set the default lines because I got an error. Please tell me which
>>> lines should be changed to resolve this issue. Should I remove "login" from
>>> auth_mechanisms ("login" was the default setting and I would like to move
>>> back to the default settings)?
>>>
>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>>>
>>>> Because cram-md5 needs the user's password for calculating responses, it
>>>> cannot work with hashed passwords (one-way encrypted). The only
>>>> supported password schemes are PLAIN and CRAM-MD5.
>>>>
>>>> Aki
>>>>
>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>>>> I always restart dovecot after changing the config. ;) Sure, I commented
>>>>> out the two lines I added, restarted dovecot and here it is:
>>>>>
>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>>>> auth_mechanisms = plain login cram-md5
>>>>> listen = *,[::]
>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>> mail_max_userip_connections = 100
>>>>> mail_plugins = " quota"
>>>>> mail_privileged_group = vmail
>>>>> passdb {
>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>   driver = sql
>>>>> }
>>>>> plugin {
>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>>>>   sieve_max_redirects = 25
>>>>> }
>>>>> postmaster_address = postmas...@example.com
>>>>> protocols = imap pop3
>>>>> service auth {
>>>>>   unix_listener /var/spool/postfix/private/auth {
>>>>> group = postfix
>>>>> mode = 0660
>>>>> user = postfix
>>>>>   }
>>>>>   unix_listener auth-userdb {
>>>>> group = vmail
>>>>> mode = 0600
>>>>> user = vmail
>>>>>   }
>>>>>   user = root
>>>>> }
>>>>> service imap-login {
>>>>>   client_limit = 1000
>>>>>   process_limit = 512
>>>>> }
>>>>> service lmtp {
>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>> group = postfix
>>>>> mode = 0600
>>>>> user = postfix
>>>>>   }
>>>>> }
>>>>> ssl = required
>>>>> ssl_cert =
>>>>> ssl_cipher_list =
>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
>>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
>>

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Poliman - Serwis
It still uses:
passdb {
  driver = passwd-file
  args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}

When I delete the above and delete "cram-md5" in auth_mechanisms it is
still not working.

2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

> You are probably wanting to do
> passdb {
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
>
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf
> }
>
> Why you want to use cram-md5 is beyond me, because using SSL is much
> safer.
>
> Aki
>
> On 01.02.2017 09:41, Poliman - Serwis wrote:
> > By default it was: "auth_mechanisms = plain login" and I added cram-md5.
> > After a restart all worked perfectly. But after I added:
> >driver = passwd-file
> >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > I can't set the default lines because I got an error. Please tell me which
> > lines should be changed to resolve this issue. Should I remove "login" from
> > auth_mechanisms ("login" was the default setting and I would like to move
> > back to the default settings)?
> >
> > 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >
> >> Because cram-md5 needs the user's password for calculating responses, it
> >> cannot work with hashed passwords (one-way encrypted). The only
> >> supported password schemes are PLAIN and CRAM-MD5.
> >>
> >> Aki
> >>
> >> On 01.02.2017 09:33, Poliman - Serwis wrote:
> >>> I always restart dovecot after changing the config. ;) Sure, I commented
> >>> out the two lines I added, restarted dovecot and here it is:
> >>>
> >>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>> auth_mechanisms = plain login cram-md5
> >>> listen = *,[::]
> >>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>> mail_max_userip_connections = 100
> >>> mail_plugins = " quota"
> >>> mail_privileged_group = vmail
> >>> passdb {
> >>>   args = /etc/dovecot/dovecot-sql.conf
> >>>   driver = sql
> >>> }
> >>> plugin {
> >>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>   sieve = /var/vmail/%d/%n/.sieve
> >>>   sieve_max_redirects = 25
> >>> }
> >>> postmaster_address = postmas...@example.com
> >>> protocols = imap pop3
> >>> service auth {
> >>>   unix_listener /var/spool/postfix/private/auth {
> >>> group = postfix
> >>> mode = 0660
> >>> user = postfix
> >>>   }
> >>>   unix_listener auth-userdb {
> >>> group = vmail
> >>> mode = 0600
> >>> user = vmail
> >>>   }
> >>>   user = root
> >>> }
> >>> service imap-login {
> >>>   client_limit = 1000
> >>>   process_limit = 512
> >>> }
> >>> service lmtp {
> >>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>> group = postfix
> >>> mode = 0600
> >>> user = postfix
> >>>   }
> >>> }
> >>> ssl = required
> >>> ssl_cert =
> >>> ssl_cipher_list =
> >>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>> ssl_dh_parameters_length = 2048
> >>> ssl_key =
> >>> ssl_prefer_server_ciphers = yes
> >>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>> userdb {
> >>>   driver = prefetch
> >>> }
> >>> userdb {
> >>>   args = /etc/dovecot/dovecot-sql.conf
> >>>   driver = sql
> >>> }
> >

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Poliman - Serwis
It was only for testing purposes. That's why I want to change it back to
the default settings. ;) I will check the above lines and give a response asap.

2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

> You are probably wanting to do
> passdb {
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
>
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf
> }
>
> Why you want to use cram-md5 is beyond me, because using SSL is much
> safer.
>
> Aki
>
> On 01.02.2017 09:41, Poliman - Serwis wrote:
> > By default it was: "auth_mechanisms = plain login" and I added cram-md5.
> > After a restart all worked perfectly. But after I added:
> >driver = passwd-file
> >args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > I can't set the default lines because I got an error. Please tell me which
> > lines should be changed to resolve this issue. Should I remove "login" from
> > auth_mechanisms ("login" was the default setting and I would like to move
> > back to the default settings)?
> >
> > 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >
> >> Because cram-md5 needs the user's password for calculating responses, it
> >> cannot work with hashed passwords (one-way encrypted). The only
> >> supported password schemes are PLAIN and CRAM-MD5.
> >>
> >> Aki
> >>
> >> On 01.02.2017 09:33, Poliman - Serwis wrote:
> >>> I always restart dovecot after changing the config. ;) Sure, I commented
> >>> out the two lines I added, restarted dovecot and here it is:
> >>>
> >>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>> auth_mechanisms = plain login cram-md5
> >>> listen = *,[::]
> >>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>> mail_max_userip_connections = 100
> >>> mail_plugins = " quota"
> >>> mail_privileged_group = vmail
> >>> passdb {
> >>>   args = /etc/dovecot/dovecot-sql.conf
> >>>   driver = sql
> >>> }
> >>> plugin {
> >>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>   sieve = /var/vmail/%d/%n/.sieve
> >>>   sieve_max_redirects = 25
> >>> }
> >>> postmaster_address = postmas...@example.com
> >>> protocols = imap pop3
> >>> service auth {
> >>>   unix_listener /var/spool/postfix/private/auth {
> >>> group = postfix
> >>> mode = 0660
> >>> user = postfix
> >>>   }
> >>>   unix_listener auth-userdb {
> >>> group = vmail
> >>> mode = 0600
> >>> user = vmail
> >>>   }
> >>>   user = root
> >>> }
> >>> service imap-login {
> >>>   client_limit = 1000
> >>>   process_limit = 512
> >>> }
> >>> service lmtp {
> >>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>> group = postfix
> >>> mode = 0600
> >>> user = postfix
> >>>   }
> >>> }
> >>> ssl = required
> >>> ssl_cert =
> >>> ssl_cipher_list =
> >>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>> ssl_dh_parameters_length = 2048
> >>> ssl_key =
> >>> ssl_prefer_server_ciphers = yes
> >>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>> userdb {
> >>>   driver = prefetch
> >>> }
> >>> userdb {
> >>>   args = /etc/dovecot/dovecot-sql.conf
> >>>   driver = sql
> >>> }
> >>> protocol imap {

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Aki Tuomi
You are probably wanting to do
passdb {
  driver = passwd-file
  args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

Why you want to use cram-md5 is beyond me, because using SSL is much
safer.

Aki

On 01.02.2017 09:41, Poliman - Serwis wrote:
> By default it was: "auth_mechanisms = plain login" and I added cram-md5.
> After a restart all worked perfectly. But after I added:
>driver = passwd-file
>args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> I can't set the default lines because I got an error. Please tell me which
> lines should be changed to resolve this issue. Should I remove "login" from
> auth_mechanisms ("login" was the default setting and I would like to move
> back to the default settings)?
>
> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>
>> Because cram-md5 needs the user's password for calculating responses, it
>> cannot work with hashed passwords (one-way encrypted). The only
>> supported password schemes are PLAIN and CRAM-MD5.
>>
>> Aki
>>
>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>> I always restart dovecot after changing the config. ;) Sure, I commented
>>> out the two lines I added, restarted dovecot and here it is:
>>>
>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>> auth_mechanisms = plain login cram-md5
>>> listen = *,[::]
>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>> mail_max_userip_connections = 100
>>> mail_plugins = " quota"
>>> mail_privileged_group = vmail
>>> passdb {
>>>   args = /etc/dovecot/dovecot-sql.conf
>>>   driver = sql
>>> }
>>> plugin {
>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>   sieve = /var/vmail/%d/%n/.sieve
>>>   sieve_max_redirects = 25
>>> }
>>> postmaster_address = postmas...@example.com
>>> protocols = imap pop3
>>> service auth {
>>>   unix_listener /var/spool/postfix/private/auth {
>>> group = postfix
>>> mode = 0660
>>> user = postfix
>>>   }
>>>   unix_listener auth-userdb {
>>> group = vmail
>>> mode = 0600
>>> user = vmail
>>>   }
>>>   user = root
>>> }
>>> service imap-login {
>>>   client_limit = 1000
>>>   process_limit = 512
>>> }
>>> service lmtp {
>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>> group = postfix
>>> mode = 0600
>>> user = postfix
>>>   }
>>> }
>>> ssl = required
>>> ssl_cert =
>>> ssl_cipher_list =
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>> ssl_dh_parameters_length = 2048
>>> ssl_key =
>>> ssl_prefer_server_ciphers = yes
>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>> userdb {
>>>   driver = prefetch
>>> }
>>> userdb {
>>>   args = /etc/dovecot/dovecot-sql.conf
>>>   driver = sql
>>> }
>>> protocol imap {
>>>   mail_plugins = quota imap_quota
>>> }
>>> protocol pop3 {
>>>   mail_plugins = quota
>>>   pop3_uidl_format = %08Xu%08Xv
>>> }
>>> protocol lda {
>>>   mail_plugins = sieve quota
>>>   postmaster_address = webmaster@localhost
>>> }
>>> protocol lmtp {
>>>   mail_plugins = quota sieve
>>>   postmaster_address = webmaster@localhost
>>> }
>>>
>>>
>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>>>
>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>> This is the debug log in syslog:
>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: 

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Poliman - Serwis
By default it was: "auth_mechanisms = plain login" and I added cram-md5.
After a restart all worked perfectly. But after I added:
   driver = passwd-file
   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
I can't set the default lines because I got an error. Please tell me which
lines should be changed to resolve this issue. Should I remove "login" from
auth_mechanisms ("login" was the default setting and I would like to move
back to the default settings)?

2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

> Because cram-md5 needs the user's password for calculating responses, it
> cannot work with hashed passwords (one-way encrypted). The only
> supported password schemes are PLAIN and CRAM-MD5.
>
> Aki
>
> On 01.02.2017 09:33, Poliman - Serwis wrote:
> > I always restart dovecot after changing the config. ;) Sure, I commented
> > out the two lines I added, restarted dovecot and here it is:
> >
> > # 2.2.9: /etc/dovecot/dovecot.conf
> > # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> > auth_mechanisms = plain login cram-md5
> > listen = *,[::]
> > log_timestamp = "%Y-%m-%d %H:%M:%S "
> > mail_max_userip_connections = 100
> > mail_plugins = " quota"
> > mail_privileged_group = vmail
> > passdb {
> >   args = /etc/dovecot/dovecot-sql.conf
> >   driver = sql
> > }
> > plugin {
> >   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >   sieve = /var/vmail/%d/%n/.sieve
> >   sieve_max_redirects = 25
> > }
> > postmaster_address = postmas...@example.com
> > protocols = imap pop3
> > service auth {
> >   unix_listener /var/spool/postfix/private/auth {
> > group = postfix
> > mode = 0660
> > user = postfix
> >   }
> >   unix_listener auth-userdb {
> > group = vmail
> > mode = 0600
> > user = vmail
> >   }
> >   user = root
> > }
> > service imap-login {
> >   client_limit = 1000
> >   process_limit = 512
> > }
> > service lmtp {
> >   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> > group = postfix
> > mode = 0600
> > user = postfix
> >   }
> > }
> > ssl = required
> > ssl_cert =
> > ssl_cipher_list =
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > ssl_dh_parameters_length = 2048
> > ssl_key =
> > ssl_prefer_server_ciphers = yes
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > userdb {
> >   driver = prefetch
> > }
> > userdb {
> >   args = /etc/dovecot/dovecot-sql.conf
> >   driver = sql
> > }
> > protocol imap {
> >   mail_plugins = quota imap_quota
> > }
> > protocol pop3 {
> >   mail_plugins = quota
> >   pop3_uidl_format = %08Xu%08Xv
> > }
> > protocol lda {
> >   mail_plugins = sieve quota
> >   postmaster_address = webmaster@localhost
> > }
> > protocol lmtp {
> >   mail_plugins = quota sieve
> >   postmaster_address = webmaster@localhost
> > }
> >
> >
> > 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
> >
> >>
> >> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>> This is the debug log in syslog:
> >>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> >>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> >> m5ldD4=
> >>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
> >>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> >>> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> >>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> >>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> >> userdb_mail,
> >>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B')
> AS
>

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Aki Tuomi
Because cram-md5 needs the user's password for calculating responses, it
cannot work with hashed passwords (one-way encrypted). The only
supported password schemes are PLAIN and CRAM-MD5.

Aki

On 01.02.2017 09:33, Poliman - Serwis wrote:
> I always restart dovecot after changing the config. ;) Sure, I commented
> out the two lines I added, restarted dovecot and here it is:
>
> # 2.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> auth_mechanisms = plain login cram-md5
> listen = *,[::]
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_max_userip_connections = 100
> mail_plugins = " quota"
> mail_privileged_group = vmail
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> plugin {
>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>   sieve = /var/vmail/%d/%n/.sieve
>   sieve_max_redirects = 25
> }
> postmaster_address = postmas...@example.com
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
>   }
>   user = root
> }
> service imap-login {
>   client_limit = 1000
>   process_limit = 512
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
>   }
> }
> ssl = required
> ssl_cert =
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_dh_parameters_length = 2048
> ssl_key =
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> protocol imap {
>   mail_plugins = quota imap_quota
> }
> protocol pop3 {
>   mail_plugins = quota
>   pop3_uidl_format = %08Xu%08Xv
> }
> protocol lda {
>   mail_plugins = sieve quota
>   postmaster_address = webmaster@localhost
> }
> protocol lmtp {
>   mail_plugins = quota sieve
>   postmaster_address = webmaster@localhost
> }
>
>
> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>
>>
>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>> This is the debug log in syslog:
>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
>> m5ldD4=
>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
>>> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
>>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
>> userdb_mail,
>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
>>> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
>>> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
>>> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme,
>> but we
>>> have only CRYPT
>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
>>> FAIL#0112#011user=do_not_re...@example.com
>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
>>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
>>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
>>> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>> Feb  1 07:11:02 vps342401 C

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Poliman - Serwis
I always restart dovecot after changing the config. ;) Sure, I commented out
the two lines I added, restarted dovecot and here it is:

# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login cram-md5
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_max_userip_connections = 100
mail_plugins = " quota"
mail_privileged_group = vmail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
postmaster_address = postmas...@example.com
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = :

>
>
> On 01.02.2017 08:18, Poliman - Serwis wrote:
> > This is the debug log in syslog:
> > Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> > CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> m5ldD4=
> > Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
> > Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> > do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> > password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> > '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> userdb_mail,
> > uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> > userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> > mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> > do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> > Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
> > do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme,
> but we
> > have only CRYPT
> > Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
> > FAIL#0112#011user=do_not_re...@example.com
> > Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
> > host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
> > failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> > Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
> > (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
> > `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> > Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
> > (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
> > `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> > Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
> > AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#
> 011lip=173.72.31.7#011rip=12.173.211.32#011secured
> > Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
> > CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoL
> m5ldD4=
> > Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
> > Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
> > do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> > password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> > '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> userdb_mail,
> > uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> > userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> > mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> > do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> > Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
> > do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but
> we
> > have only CRYPT
> > Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
> > FAIL#0113#011user=do_not_re...@example.com
> >
> >
> >
> > #
> > I added these lines to the passdb block in dovecot.conf:
> >   driver = passwd-file
> >   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > and commented out the default lines
> >   #args = /etc/dovecot/dovecot-sql.conf
> >   #driver = sql
> > When I try to set the default lines again I get the above error
>
> Can you run doveconf -n with the configur

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Aki Tuomi


On 01.02.2017 08:18, Poliman - Serwis wrote:
> This is the debug log in syslog:
> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
> do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we
> have only CRYPT
> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
> FAIL#0112#011user=do_not_re...@example.com
> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
> (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
> AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
> CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
> do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
> do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
> do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we
> have only CRYPT
> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
> FAIL#0113#011user=do_not_re...@example.com
>
>
>
> #
> I added these lines to the passdb block in dovecot.conf:
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> and commented out the default lines
>   #args = /etc/dovecot/dovecot-sql.conf
>   #driver = sql
> When I try to set the default lines again I get the above error

Can you run doveconf -n with the configuration that causes the above
error? Also it clearly does SQL lookup, so that error is happening with
SQL passdb. You need to remember to restart dovecot between
configuration changes.

Aki

>
> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
>
>>
>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>> I set up cram-md5 using this tutorial
>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>> passdb code block:
>>> listen = *,[::]
>>> protocols = imap pop3
>>> #auth_mechanisms = plain login cram-md5
>>> auth_mechanisms = cram-md5 plain login
>>> # line added below
>>> ssl = required
>>> disable_plaintext_auth = yes
>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>> mail_privileged_group = vmail
>>> postmaster_address = postmas...@vps342401.ovh.net
>>> ssl_cert =
>>> ssl_key =
>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>> ssl_cipher_list =
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>> ssl_prefer_server_ciphers = yes
>>> ssl_dh_parameters_length = 2048
>>>
>>>
>>> mail_max_userip_connections = 100
>>> passdb {
&g
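
The "Requested CRAM-MD5 scheme, but we have only CRYPT" line in the log quoted above follows from how CRAM-MD5 works: the server has to recompute an HMAC-MD5 keyed with the user's password over the challenge it sent, and a one-way crypt hash returned by the SQL passdb cannot serve as that key. The sketch below is an added example, not part of the thread and not Dovecot's code; it decodes the challenge from the log and walks the exchange using the sample credentials from RFC 2195, with the function names chosen here for illustration.

```python
import base64
import hashlib
import hmac
import re

# Challenge and mismatch message as they appear in the quoted syslog
# (mail-wrapped lines re-joined).
LOGGED_CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
LOGGED_MISMATCH = ("dovecot: auth-worker(27069): password(do_not_re...@example.com,"
                   "12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT")

# Sample credentials from RFC 2195 (not from the thread).
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

MISMATCH_RE = re.compile(r"Requested (\S+) scheme, but we have only (\S+)")


class UnusableCredential(Exception):
    """The stored password form cannot answer this mechanism."""


def decode_challenge(challenge_b64):
    """Base64-decode the server challenge, which looks like '<random.unixtime@host>'."""
    return base64.b64decode(challenge_b64).decode("ascii")


def challenge_unixtime(challenge):
    """Return the timestamp embedded in a '<random.unixtime@host>' challenge."""
    return int(challenge.strip("<>").split("@", 1)[0].split(".", 1)[1])


def parse_mismatch(log_line):
    """Return (scheme the mechanism needs, scheme the passdb returned), or None."""
    match = MISMATCH_RE.search(log_line)
    return match.groups() if match else None


def client_response(user, password, challenge):
    """Client side: base64 of 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def decode_response(response_b64):
    """Return the 'user hexdigest' text carried in a base64 client response."""
    return base64.b64decode(response_b64).decode("ascii")


def server_verify(stored_scheme, stored_value, challenge, response_b64):
    """Server side: recompute the HMAC from the stored secret and compare.

    Only a plaintext secret is handled in this sketch. The passwd-file in the
    thread used scheme=cram-md5, a stored form made for this mechanism; a crypt
    hash cannot be turned back into the HMAC key, hence the error in the log.
    """
    if stored_scheme != "PLAIN":
        raise UnusableCredential(
            f"HMAC-MD5 must be keyed with the password, have only {stored_scheme}")
    _user, _, digest = decode_response(response_b64).rpartition(" ")
    expected = hmac.new(stored_value.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print("challenge in the log:", decode_challenge(LOGGED_CHALLENGE_B64))
    print("passdb mismatch:", parse_mismatch(LOGGED_MISMATCH))
    response = client_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE)
    print("client response:", decode_response(response))
    print("PLAIN secret verifies:",
          server_verify("PLAIN", RFC_PASSWORD, RFC_CHALLENGE, response))
    try:
        # Constructed placeholder, not a real hash.
        server_verify("CRYPT", "$1$constructed$placeholder", RFC_CHALLENGE, response)
    except UnusableCredential as exc:
        print("CRYPT hash:", exc)
```
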

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-31 Thread Poliman - Serwis
This is the debug log in syslog:
Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
'/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we
have only CRYPT
Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
FAIL#0112#011user=do_not_re...@example.com
Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
(/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
(/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
do_not_re...@example.com,12.173.211.32): query: SELECT email as user,
password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
'/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail,
uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
mail_user WHERE (login = 'do_not_re...@example.com' OR email = '
do_not_re...@example.com') AND `disablesmtp` = 'n' AND server_id = '1'
Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we
have only CRYPT
Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
FAIL#0113#011user=do_not_re...@example.com



#
I added these lines to the passdb block in dovecot.conf:
   driver = passwd-file
   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out the default lines
  #args = /etc/dovecot/dovecot-sql.conf
  #driver = sql
When I try to set the default lines again I get the above error


2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

>
>
> On 31.01.2017 09:06, Poliman - Serwis wrote:
> > I set up cram-md5 using this tutorial
> > https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> > passdb code block:
> > listen = *,[::]
> > protocols = imap pop3
> > #auth_mechanisms = plain login cram-md5
> > auth_mechanisms = cram-md5 plain login
> > # line added below
> > ssl = required
> > disable_plaintext_auth = yes
> > log_timestamp = "%Y-%m-%d %H:%M:%S "
> > mail_privileged_group = vmail
> > postmaster_address = postmas...@vps342401.ovh.net
> > ssl_cert =
> > ssl_key =
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > ssl_cipher_list =
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> > ssl_prefer_server_ciphers = yes
> > ssl_dh_parameters_length = 2048
> >
> >
> > mail_max_userip_connections = 100
> > passdb {
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> > userdb {
> > driver = prefetch
> > }
> > userdb {
> > args = /etc/dovecot/dovecot-sql.conf
> > driver = sql
> > }
> > Of course I created the cram-md5.pwd file. All mail goes out and comes in nicely.
> > But when I want to restore the default settings by commenting out these two lines:
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > and uncommenting
> > # args = /etc/doveco

Re: Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Aki Tuomi


On 31.01.2017 09:47, Poliman - Serwis wrote:
> Will the output be in the console or in some kind of log file?
>
> 2017-01-31 8:27 GMT+01:00 Evgeniy Korneechev <ekorneec...@altlinux.org>:
>
>> - Original Message -
>>> From: "Poliman - Serwis" <ser...@poliman.pl>
>>> To: "Aki Tuomi" <aki.tu...@dovecot.fi>
>>> Cc: "dovecot" <dovecot@dovecot.org>
>>> Sent: Tuesday, 31 January 2017 10:16:48
>>> Subject: Re: Dovecot auth-worker error after cram-md5 auth
>>> Thank you for the answer. Where could I set up these two lines?
>> dovecot.conf?
>>
>> --
>> WBR,
>> BaseALT/ALTLinux Team
>>
>
>
That depends on your logging settings, but it will emit them into
whatever your debug_log_path is. Default is syslog.

Aki


Re: Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Poliman - Serwis
Will the output be in the console or in some kind of log file?

2017-01-31 8:27 GMT+01:00 Evgeniy Korneechev <ekorneec...@altlinux.org>:

> - Original Message -
> > From: "Poliman - Serwis" <ser...@poliman.pl>
> > To: "Aki Tuomi" <aki.tu...@dovecot.fi>
> > Cc: "dovecot" <dovecot@dovecot.org>
> > Sent: Tuesday, 31 January 2017 10:16:48
> > Subject: Re: Dovecot auth-worker error after cram-md5 auth
>
> > Thank you for the answer. Where could I set up these two lines?
>
> dovecot.conf?
>
> --
> WBR,
> BaseALT/ALTLinux Team
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*ser...@poliman.pl <ser...@poliman.pl>*


Re: Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Evgeniy Korneechev
- Original Message -
> From: "Poliman - Serwis" <ser...@poliman.pl>
> To: "Aki Tuomi" <aki.tu...@dovecot.fi>
> Cc: "dovecot" <dovecot@dovecot.org>
> Sent: Tuesday, 31 January 2017 10:16:48
> Subject: Re: Dovecot auth-worker error after cram-md5 auth

> Thank you for the answer. Where could I set up these two lines?

dovecot.conf?

-- 
WBR, 
BaseALT/ALTLinux Team


Re: Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Poliman - Serwis
Thank you for the answer. Where could I set up these two lines?

2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:

>
>
> On 31.01.2017 09:06, Poliman - Serwis wrote:
> > I set up cram-md5 using this tutorial
> > https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> > passdb code block:
> > listen = *,[::]
> > protocols = imap pop3
> > #auth_mechanisms = plain login cram-md5
> > auth_mechanisms = cram-md5 plain login
> > # line added below
> > ssl = required
> > disable_plaintext_auth = yes
> > log_timestamp = "%Y-%m-%d %H:%M:%S "
> > mail_privileged_group = vmail
> > postmaster_address = postmas...@vps342401.ovh.net
> > ssl_cert =
> > ssl_key =
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > ssl_cipher_list =
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> > ssl_prefer_server_ciphers = yes
> > ssl_dh_parameters_length = 2048
> >
> >
> > mail_max_userip_connections = 100
> > passdb {
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> > userdb {
> > driver = prefetch
> > }
> > userdb {
> > args = /etc/dovecot/dovecot-sql.conf
> > driver = sql
> > }
> > Of course I created the cram-md5.pwd file. All mail goes out and comes in nicely.
> > But when I want to restore the default settings by commenting out these two lines:
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > and uncommenting
> > # args = /etc/dovecot/dovecot-sql.conf
> > # driver = sql
> > I can't send emails - I use Thunderbird - and get the error "logging on server
> > mail.example.com not work out". Error in logs:
> > dovecot: auth-worker(22698): Error: Auth worker sees different
> > passdbs/userdbs than auth server.
> > dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
> >
> > Is it possible that the hashed password from the cram-md5.pwd file was written to
> > the database (if yes then where - I have ISPconfig)? I didn't change any userdb
> > {} block and the second userdb block has the same lines as the default
> > settings in the passdb block.
> >
> Try
>
> auth_debug=yes
> auth_verbose=yes
>
> and see if it gives any more reasonable messages.
>
> Aki
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*ser...@poliman.pl <ser...@poliman.pl>*


Re: Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Aki Tuomi


On 31.01.2017 09:06, Poliman - Serwis wrote:
> I set up cram-md5 using this tutorial
> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> passdb code block:
> listen = *,[::]
> protocols = imap pop3
> #auth_mechanisms = plain login cram-md5
> auth_mechanisms = cram-md5 plain login
> # line added below
> ssl = required
> disable_plaintext_auth = yes
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_privileged_group = vmail
> postmaster_address = postmas...@vps342401.ovh.net
> ssl_cert =
> ssl_key =
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> ssl_prefer_server_ciphers = yes
> ssl_dh_parameters_length = 2048
>
>
> mail_max_userip_connections = 100
> passdb {
> # args = /etc/dovecot/dovecot-sql.conf
> # driver = sql
> driver = passwd-file
> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
> userdb {
> driver = prefetch
> }
> userdb {
> args = /etc/dovecot/dovecot-sql.conf
> driver = sql
> }
> Of course I created the cram-md5.pwd file. All mail goes out and comes in nicely.
> But when I want to restore the default settings by commenting out these two lines:
> driver = passwd-file
> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> and uncommenting
> # args = /etc/dovecot/dovecot-sql.conf
> # driver = sql
> I can't send emails - I use Thunderbird - and get the error "logging on server
> mail.example.com not work out". Error in logs:
> dovecot: auth-worker(22698): Error: Auth worker sees different
> passdbs/userdbs than auth server.
> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>
> Is it possible that the hashed password from the cram-md5.pwd file was written to
> the database (if yes then where - I have ISPconfig)? I didn't change any userdb
> {} block and the second userdb block has the same lines as the default
> settings in the passdb block.
>
Try

auth_debug=yes
auth_verbose=yes

and see if it gives any more reasonable messages.

Aki


Dovecot auth-worker error after cram-md5 auth

2017-01-30 Thread Poliman - Serwis
I set up cram-md5 using this tutorial
https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
passdb code block:
listen = *,[::]
protocols = imap pop3
#auth_mechanisms = plain login cram-md5
auth_mechanisms = cram-md5 plain login
# line added below
ssl = required
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmas...@vps342401.ovh.net
ssl_cert = *


Re: Haproxy and Dovecot auth

2015-10-26 Thread Arjan Wekking
On 15 Oct 2015, at 20:26, Giuseppe Civitella  wrote:

> When I redirect the smtpd_sasl_path through an Haproxy balanced
> connection, I receive an error the first time I try to send an email.
> The error is:
> SASL PLAIN authentication failed: Connection lost to authentication server
> If then I send more emails I receive no errors.
> If I do not send emails for a few minutes, the error appears again.

We’ve seen this happen as well, and concluded that this is caused by the 
Postfix SASL client not recovering gracefully from lost TCP connections. If I 
remember correctly, Postfix keeps a SASL authentication connection open for 
re-use, but when this connection breaks down (e.g. due to a time out in the TCP 
connection itself or due to Dovecot closing it on the other end due to 
inactivity) then the next/first authentication attempt fails. Postfix will then 
not handle this error as a temporary failure, but as an authentication failure 
(i.e. ‘wrong username/password’). After this, it will close the connection and 
the next authentication attempt will re-establish the connection, and that will 
of course succeed again.

This explains why you get this error only the first time (because it failed due 
to the old/broken connection) and why after a few minutes the error appears 
again (because by then the connection is stale again).

Now, I haven’t actually confirmed this, but I’m pretty sure the problem is in 
the Dovecot SASL client in Postfix. It is written with the assumption that the 
connection is over a UNIX socket. In those cases a broken connection is 
detected earlier/differently (EPIPE) and Postfix will actually recover by 
reconnecting and trying again. You might be able to confirm and possibly work 
around this issue by forwarding UNIX socket connections to TCP, with tools like 
socat, netcat, spiped etc.

-Arjan
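
The pattern described in this reply (the first request after an idle period fails, the next one succeeds) can be reproduced with any client that caches a TCP connection. The sketch below is an added example, not Postfix or Dovecot code: `AuthBackend`, `CachedAuthClient` and the one-line protocol are constructed for illustration. It puts a client that reports the lost connection as a failed login next to one that reconnects and retries once.

```python
import socket
import threading


class AuthBackend:
    """Constructed stand-in for the proxied auth port: 'user password' in, OK/FAIL out."""

    def __init__(self, users):
        self.users = users
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.addr = self.listener.getsockname()
        self.conns = []
        self.lock = threading.Lock()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.listener.accept()
            with self.lock:
                self.conns.append(conn)
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        try:
            for line in conn.makefile("r", encoding="utf-8"):
                user, _, password = line.rstrip("\n").partition(" ")
                ok = self.users.get(user) == password
                conn.sendall(b"OK\n" if ok else b"FAIL\n")
        except (OSError, ValueError):
            pass  # the connection was dropped underneath the handler

    def drop_idle(self):
        """Close every accepted connection, as an idle timeout on the far side would."""
        with self.lock:
            for conn in self.conns:
                try:
                    conn.shutdown(socket.SHUT_RDWR)  # sends the FIN right away
                except OSError:
                    pass
                conn.close()
            self.conns.clear()


class CachedAuthClient:
    """Keeps one connection open between requests and re-uses it."""

    def __init__(self, addr, retry_on_lost):
        self.addr = addr
        self.retry_on_lost = retry_on_lost
        self.sock = None

    def _roundtrip(self, user, password):
        if self.sock is None:
            self.sock = socket.create_connection(self.addr, timeout=5)
        # Over TCP this write usually still succeeds after the peer has closed;
        # the loss only shows as EOF or a reset on the read that follows.
        self.sock.sendall(f"{user} {password}\n".encode())
        reply = self.sock.recv(64)
        if not reply:
            raise ConnectionError("cached connection was closed by the peer")
        return reply.decode().strip()

    def _forget(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None

    def authenticate(self, user, password):
        attempts = 2 if self.retry_on_lost else 1
        for _ in range(attempts):
            try:
                return self._roundtrip(user, password)
            except OSError:  # includes ConnectionError and timeouts
                self._forget()
        # The naive client reports a transport error exactly like a wrong password.
        return "TEMPFAIL" if self.retry_on_lost else "FAIL"


def demo():
    """Return (first, after idle drop, next try) per client, plus a real bad password."""
    backend = AuthBackend({"alice": "constructed-password"})
    results = {}
    for name, retry in (("naive", False), ("retrying", True)):
        client = CachedAuthClient(backend.addr, retry_on_lost=retry)
        first = client.authenticate("alice", "constructed-password")
        backend.drop_idle()  # idle timeout fires while the client holds its socket
        after_idle = client.authenticate("alice", "constructed-password")
        next_try = client.authenticate("alice", "constructed-password")
        results[name] = (first, after_idle, next_try)
    results["wrong_password"] = client.authenticate("alice", "not-the-password")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the naive client's results the stale-connection failure and the genuine wrong password are both plain `FAIL`, which is why this shows up in logs as an authentication failure rather than a temporary error.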




Haproxy and Dovecot auth

2015-10-15 Thread Giuseppe Civitella
Hi all,

I'd like to use Haproxy to balance an auth service on a couple of
Dovecot directors to have a redundant sasl service for my Postfix instances.
While I configure the Postfixes to use, as smtpd_sasl_path, a direct
connection to one of the directors I notice no errors.
When I redirect the smtpd_sasl_path through an Haproxy balanced
connection, I receive an error the first time I try to send an email.
The error is:
SASL PLAIN authentication failed: Connection lost to authentication server
If then I send more emails I receive no errors.
If I do not send emails for a few minutes, the error appears again.

The relevant Haproxy configuration is the following:

listen auth *:12345
  mode tcp
  balance source
  log global
  option tcplog
  option log-health-checks
  stick-table type ip size 200k expire 30m
  stick on src
  default-server inter 1000 fall 3 rise 1
  server dovecot-director01 dovecot-director01:12345 check

Does anyone have an idea about what is missing?

Thanks a lot
Giuseppe

-- 
Giuseppe Civitella
gcivite...@entermail.it


Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://

2015-10-13 Thread Timo Sirainen
On 08 Oct 2015, at 22:46, Heiko Schlittermann  wrote:
> 
> Hi,
> 
> I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
> there seems to be the same bug/feature).
> 
> The userdb and passdb use LDAP. All further configuration is done in
> auth-ldap.conf.ext.
> 
>uri = ldaps:///
># tls =
>tls_cert_file = /etc/ssl/certs/client-cert.pem
>tls_key_file = /etc/ssl/certs/client-key.file
> 
> Dovecot ignores the tls_* options. If I use an ldap:// URI and
> switch on TLS using tls=yes it works as expected.
> 
> But I do not see any reason why LDAPS should not read the tls_*
> settings.

I guess.

> This small patch solved it for me
> 
> --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100
> +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c   2015-10-08 21:24:47.051446465 
> +0200
> @@ -1043,7 +1043,7 @@
> 
> static void db_ldap_set_tls_options(struct ldap_connection *conn)
> {
> -   if (!conn->set.tls)
> +   if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
>return;
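Review bot: the added `strncmp(conn->set.uris, "ldaps:", 6) == 0` test only looks at the first six bytes of `conn->set.uris`, so a list whose first entry is `ldap://` and a later one `ldaps://` still takes the early return and leaves the tls_* settings unapplied for the LDAPS server. Either test every URI in the list or drop the early return and set the options unconditionally.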

That's a bit ugly. I think also the URIs support multiple ones, so some ldap 
and some ldaps URLs could even be mixed, which of course would be quite ugly.. 
I think the fix is to just remove the if (tls)-check completely. I don't think 
setting those harms anything even if tls/ldaps isn't being used?


Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://

2015-10-13 Thread Heiko Schlittermann
Timo Sirainen  (Tue 13 Oct 2015 20:19:54 CEST):
..
> > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100
> > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c   2015-10-08 
> > 21:24:47.051446465 +0200
> > @@ -1043,7 +1043,7 @@
> > 
> > static void db_ldap_set_tls_options(struct ldap_connection *conn)
> > {
> > -   if (!conn->set.tls)
> > +   if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
> >return;
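Review bot: the new guard `if (!(conn->set.tls || strncmp(...) == 0))` buries the rule for when TLS options apply inside a negated compound condition. A small predicate (hypothetical name `db_ldap_wants_tls(conn)`) with a one-line comment saying that ldaps:// URIs count as TLS would make the intent readable and give later changes to that rule a single place to go.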
> 
> That's a bit ugly. I think also the URIs support multiple ones, so some ldap 
> and some ldaps URLs could even be mixed, which of course would be quite 
> ugly.. I think the fix is to just remove the if (tls)-check completely. I 
> don't think setting those harms anything even if tls/ldaps isn't being used?

Yes, thinking about mixed schema in the URIs would have been my next
question :)

Ok, I can test what happens if we set tls_options w/o using LDAP+TLS or
LDAPS at all.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Dovecot auth-ldap ignores tls_* settings when using ldaps://

2015-10-08 Thread Heiko Schlittermann
Hi,

I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
there seems to be the same bug/feature).

The userdb and passdb use LDAP. All further configuration is done in
auth-ldap.conf.ext.

uri = ldaps:///
# tls =
tls_cert_file = /etc/ssl/certs/client-cert.pem
tls_key_file = /etc/ssl/certs/client-key.file

Dovecot ignores the tls_* options. If I use an ldap:// URI and
switch on TLS using tls=yes it works as expected.

But I do not see any reason why LDAPS should not read the tls_*
settings.

This small patch solved it for me

--- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100
+++ dovecot-2.2.9.hs12/src/auth/db-ldap.c   2015-10-08 21:24:47.051446465 
+0200
@@ -1043,7 +1043,7 @@
 
 static void db_ldap_set_tls_options(struct ldap_connection *conn)
 {
-   if (!conn->set.tls)
+   if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
return;
 
 #ifdef OPENLDAP_TLS_OPTIONS
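Review bot: in the new condition in `db_ldap_set_tls_options()`, `conn->set.uris` is passed to `strncmp` unconditionally and compared case-sensitively. URI schemes are case-insensitive, so `LDAPS://host` would not match and the tls_* settings would still be skipped; `strncasecmp` avoids that. If `uris` can be NULL when the server is configured another way (not visible in this hunk), add a NULL check before the comparison.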

It would be great, if somebody can confirm this and if this or some
equivalent patch could make it upstream.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: dovecot auth using 100% CPU

2015-07-03 Thread Steinar Bang
Edward Betts edw...@4angle.com:

> Jorge Bastos mysql.jo...@decimal.pt wrote:
>> What do you see in the logs?
>> My guess is that someone is trying a brute force auth against you,

> Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
> authentication. The exim4 logs show brute force attacks.

A little late response, but since you're using debian you could try
pulling in fail2ban:
 apt-get install fail2ban

fail2ban scans the logs of various services for attacks and firewalls
out the attacking IP addresses.

There are no built-in rules for exim or dovecot in the debian fail2ban
package, but there is something here that could possibly be adapted...?
 http://wiki2.dovecot.org/HowTo/Fail2Ban

Here's a filter for exim:
 https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/exim.conf


Re: dovecot auth using 100% CPU

2015-07-03 Thread Felix Zielcke
On Friday, 03.07.2015, 14:28 +0200, Steinar Bang wrote:

> fail2ban scans the logs of various services for attacks and firewalls
> out the attacking IP addresses.
>
> There are no built-in rules for exim or dovecot in the debian fail2ban
> package, but there is something here that could possibly be adapted...?

Are you talking about wheezy or jessie?
jessie has rules. But they need to be enabled like this:

# cat /etc/fail2ban/jail.d/local.conf 
[exim]
enabled = true

[exim-spam]
enabled = true

[dovecot]
enabled = true


Re: dovecot auth using 100% CPU

2015-07-03 Thread Felix Zielcke
On Friday, 03.07.2015, 21:53 +0200, Steinar Bang wrote:

> Felix Zielcke fziel...@z-51.de:
>
>> Are you talking about wheezy or jessie?
>
> Well I looked on a jessie system, but the fail2ban was pulled in when it
> was wheezy (or maybe even easier).
 
They're in /etc/fail2ban/filter.d

And yes I also needed a while to figure this system out. Especially
that they need to be enabled in a jail.d/*.conf file.

Though this is a fresh Debian jessie install.
And files in /etc are specially handled on upgrades, instead of all the
other files in a Debian package.


Re: dovecot auth using 100% CPU

2015-07-03 Thread Steinar Bang
Felix Zielcke fziel...@z-51.de:

> Are you talking about wheezy or jessie?

Well I looked on a jessie system, but the fail2ban was pulled in when it
was wheezy (or maybe even easier).

> jessie has rules. But they need to be enabled like this:
>
> # cat /etc/fail2ban/jail.d/local.conf
> [exim]
> enabled = true
>
> [exim-spam]
> enabled = true
>
> [dovecot]
> enabled = true

Ok, thanks!


Re: Dovecot auth username mapping

2015-07-02 Thread Peter Chiochetti

On 2015-07-02 at 01:41, Laz C. Peterson wrote:


> I did attempt to switch the PAM/Kerberos authentication to Dovecot
> LDAP authentication, but now performance is unbelievably slow.
> Any thoughts to this?


In case you have multiple passdb backends, it could be, that LDAP only 
gets its chance, after PAM did time out.



--
peter


Re: Dovecot auth username mapping

2015-07-02 Thread Philon
Hi Laz,

I’m just wondering… why are you using LDAP and/or PAM to access the MySQL 
server? If also the password is stored in the db you could use MySQL directly?

Because then you could use password_query and user_query to actually split the 
provided email address into name and domain parts. Then you can lookup each 
individually or adjust as needed...

I have something like this:
user_query = SELECT CONCAT('/var/mail/virtual/', SUBSTRING(`mail_addr`, LOCATE('@', `mail_addr`) +1 ), '/', \
  SUBSTRING(`mail_addr`, 1, LOCATE('@', `mail_addr`) -1) ) AS 'home', '1000' AS 'uid', \
  '8' AS 'gid', CONCAT('*:bytes=', `quota`, 'M') AS 'quota_rule' FROM `mail_users` \
  WHERE `mail_addr` = '%u' AND `status` = 'ok' AND `mail_type` LIKE '%%_mail%%'

With an SQL statement you could even use sub-selects and whatnot to do 
complicated things. Perhaps you could do something similar with the LDAP string 
but I never used LDAP that much…


Philon

 On 02.07.2015 at 02:27, Laz C. Peterson l...@paravis.net wrote:
 
 It’s actually unbelievable how much slower LDAP auth is than PAM.  Does 
 anyone have any suggestions how I can improve Dovecot LDAP auth?  I have 
 tried caching authentications and that doesn’t help either.
 
 ~ Laz Peterson
 Paravis, LLC
 Ph: 951.319.3240 x201
 
 On Jul 1, 2015, at 4:41 PM, Laz C. Peterson l...@paravis.net wrote:
 
 Thank you for the response Axel.  I will look into that.
 
 I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP 
 authentication, but now performance is unbelievably slow.  For example, with 
 PAM/Kerberos, a user can log into webmail and have all of their 
 emails/folders showing almost immediately.  When using Dovecot LDAP, it 
 takes literally 8-10 seconds to see the same thing.
 
 I was hoping that was a possible replacement for this, but my goodness it 
 was so incredibly slow!  This would definitely be an option though, as it 
 does serve the purpose.  I just can’t figure out how to fix the performance 
 issue.  Any thoughts to this?
 
 ~ Laz Peterson
 Paravis, LLC
 Ph: 951.319.3240 x201
 
 On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:
 
 
 On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
 
 I have an interesting case here …
 
 Virtual mailboxes, domain/username/aliases stored in MySQL, authentication 
 done using PAM.  PAM authenticates through Kerberos, which are internal 
 realms and not the email domains — for example, my username would be 
 laz@PARAVIS.LOCAL mailto:laz@PARAVIS.LOCAL and my email address would be 
 l...@paravis.net mailto:l...@paravis.net.
 
 All of this works just fine.  But what I want to do is allow the users to 
 log in using their email address and not their full Kerberos name.  It is 
 becoming laborious to help the users understand the difference between 
 their username@LOCAL.REALM and username@email.address 
 mailto:username@email.address and why we have to have two separate 
 identities that mean the same thing.
 
 I have the SQL statements to convert either the Kerberos login or the 
 email address to the actual Kerberos login (so they may use either).  But 
 I cannot seem to figure out how to get Dovecot to acknowledge this as the 
 mapped username.
 
 I’m sure there has to be a way.  Any help will be greatly appreciated.  
 Thank you!
 
 Hello Laz,
 
 I fear you’ll have to resort to CheckPassword 
 (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
 
 Indeed, your MySql database may contain everything needed to convert email 
 addresses to kerb login (and vice-versa), but Dovecot’s PAM interface 
 understandably just knows about a (login, password) pair, where the login 
 is the one provided by the user wanting to log in.
 
 That said, I hope to be wrong,
 Axel


Re: Dovecot auth username mapping

2015-07-02 Thread Laz C. Peterson
Peter,

Yes that is a possibility.  I will try disabling PAM (or switching the auth 
order) and see if that makes a difference.  Thanks for the suggestion!

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

 On Jul 1, 2015, at 11:34 PM, Peter Chiochetti p...@myzel.net wrote:
 
 On 2015-07-02 at 01:41, Laz C. Peterson wrote:
 
 I did attempt to switch the PAM/Kerberos authentication to Dovecot
 LDAP authentication, but now performance is unbelievably slow.
 Any thoughts to this?
 
 In case you have multiple passdb backends, it could be, that LDAP only gets 
 its chance, after PAM did time out.
 
 
 -- 
 peter


Re: Dovecot auth username mapping

2015-07-02 Thread Laz C. Peterson
Ahh Peter, good call on this one!

*beating head into desk* *pause* *beating head into desk again* *thumbs up*

So after playing around with the order of authentication in Dovecot, you are 
correct, the PAM timeout was causing the holdup.  I guess since PAM has no way 
of looking up whether or not a user exists prior to authenticating, this is 
causing the hiccup, versus LDAP which can search for a user’s existence prior 
to the auth.  Switching these around, I notice almost *no* degradation in 
performance for PAM authentications, and the LDAP authentications run smooth as 
I would hope them to.

Awesome, so now we have our solution!  (I think.)

Gotta say, a lot of love goes out to the Dovecot community (especially Timo!) 
for all the inspiration and help that I’ve received.  Dovecot is a great app 
and this community is the backbone of it all.  Cheers to all!

Thanks again.

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

 On Jul 2, 2015, at 6:25 AM, Laz C. Peterson l...@paravis.net wrote:
 
 Peter,
 
 Yes that is a possibility.  I will try disabling PAM (or switching the auth 
 order) and see if that makes a difference.  Thanks for the suggestion!
 
 ~ Laz Peterson
 Paravis, LLC
 Ph: 951.319.3240 x201
 
 On Jul 1, 2015, at 11:34 PM, Peter Chiochetti p...@myzel.net wrote:
 
 On 2015-07-02 at 01:41, Laz C. Peterson wrote:
 
 I did attempt to switch the PAM/Kerberos authentication to Dovecot
 LDAP authentication, but now performance is unbelievably slow.
 Any thoughts to this?
 
 In case you have multiple passdb backends, it could be, that LDAP only gets 
 its chance, after PAM did time out.
 
 
 -- 
 peter
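
The passdb reordering discussed in this thread, as an added configuration sketch that is not taken from any poster's setup: Dovecot consults passdb blocks in the order they appear, so a PAM block listed first holds up every login that only the LDAP passdb can satisfy. Dovecot 2.x block syntax and the LDAP args path are assumptions.

```conf
# Added illustration, not the posters' configuration.
# Assumptions: Dovecot 2.x passdb block syntax; the LDAP args path is a placeholder.

# Before: PAM is consulted first. A login that exists only in LDAP has to
# wait for the PAM attempt to fail before the LDAP passdb gets its turn.
#passdb {
#  driver = pam
#}
#passdb {
#  driver = ldap
#  args = /etc/dovecot/dovecot-ldap.conf.ext
#}

# After: LDAP is consulted first, PAM remains as the fallback for
# logins that LDAP does not accept.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
passdb {
  driver = pam
}
```

`doveconf -n` prints the passdb blocks in their effective order, which is the quickest way to confirm which backend is tried first.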


Re: Dovecot auth username mapping

2015-07-01 Thread Axel Luttgens

 On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
 
 I have an interesting case here …
 
 Virtual mailboxes, domain/username/aliases stored in MySQL, authentication 
 done using PAM.  PAM authenticates through Kerberos, which are internal 
 realms and not the email domains — for example, my username would be 
 laz@PARAVIS.LOCAL mailto:laz@PARAVIS.LOCAL and my email address would be 
 l...@paravis.net mailto:l...@paravis.net.
 
 All of this works just fine.  But what I want to do is allow the users to log 
 in using their email address and not their full Kerberos name.  It is 
 becoming laborious to help the users understand the difference between their 
 username@LOCAL.REALM and username@email.address 
 mailto:username@email.address and why we have to have two separate 
 identities that mean the same thing.
 
 I have the SQL statements to convert either the Kerberos login or the email 
 address to the actual Kerberos login (so they may use either).  But I cannot 
 seem to figure out how to get Dovecot to acknowledge this as the mapped 
 username.
 
 I’m sure there has to be a way.  Any help will be greatly appreciated.  Thank 
 you!

Hello Laz,

I fear you’ll have to resort to CheckPassword 
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.

Indeed, your MySql database may contain everything needed to convert email 
addresses to kerb login (and vice-versa), but Dovecot’s PAM interface 
understandably just knows about a (login, password) pair, where the login is 
the one provided by the user wanting to log in.

That said, I hope to be wrong,
Axel


Re: Dovecot auth username mapping

2015-07-01 Thread Laz C. Peterson
Thank you for the response Axel.  I will look into that.

I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP 
authentication, but now performance is unbelievably slow.  For example, with 
PAM/Kerberos, a user can log into webmail and have all of their emails/folders 
showing almost immediately.  When using Dovecot LDAP, it takes literally 8-10 
seconds to see the same thing.

I was hoping that was a possible replacement for this, but my goodness it was 
so incredibly slow!  This would definitely be an option though, as it does 
serve the purpose.  I just can’t figure out how to fix the performance issue.  
Any thoughts to this?

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

 On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:
 
 
 On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
 
 I have an interesting case here …
 
 Virtual mailboxes, domain/username/aliases stored in MySQL, authentication 
 done using PAM.  PAM authenticates through Kerberos, which are internal 
 realms and not the email domains — for example, my username would be 
 laz@PARAVIS.LOCAL mailto:laz@PARAVIS.LOCAL and my email address would be 
 l...@paravis.net mailto:l...@paravis.net.
 
 All of this works just fine.  But what I want to do is allow the users to 
 log in using their email address and not their full Kerberos name.  It is 
 becoming laborious to help the users understand the difference between their 
 username@LOCAL.REALM and username@email.address 
 mailto:username@email.address and why we have to have two separate 
 identities that mean the same thing.
 
 I have the SQL statements to convert either the Kerberos login or the email 
 address to the actual Kerberos login (so they may use either).  But I cannot 
 seem to figure out how to get Dovecot to acknowledge this as the mapped 
 username.
 
 I’m sure there has to be a way.  Any help will be greatly appreciated.  
 Thank you!
 
 Hello Laz,
 
 I fear you’ll have to resort to CheckPassword 
 (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
 
 Indeed, your MySql database may contain everything needed to convert email 
 addresses to kerb login (and vice-versa), but Dovecot’s PAM interface 
 understandably just knows about a (login, password) pair, where the login is 
 the one provided by the user wanting to log in.
 
 That said, I hope to be wrong,
 Axel


Re: Dovecot auth username mapping

2015-07-01 Thread Laz C. Peterson
It’s actually unbelievable how much slower LDAP auth is than PAM.  Does anyone 
have any suggestions how I can improve Dovecot LDAP auth?  I have tried caching 
authentications and that doesn’t help either.

~ Laz Peterson
Paravis, LLC
Ph: 951.319.3240 x201

 On Jul 1, 2015, at 4:41 PM, Laz C. Peterson l...@paravis.net wrote:
 
 Thank you for the response Axel.  I will look into that.
 
 I did attempt to switch the PAM/Kerberos authentication to Dovecot LDAP 
 authentication, but now performance is unbelievably slow.  For example, with 
 PAM/Kerberos, a user can log into webmail and have all of their 
 emails/folders showing almost immediately.  When using Dovecot LDAP, it takes 
 literally 8-10 seconds to see the same thing.
 
 I was hoping that was a possible replacement for this, but my goodness it was 
 so incredibly slow!  This would definitely be an option though, as it does 
 serve the purpose.  I just can’t figure out how to fix the performance issue. 
  Any thoughts to this?
 
 ~ Laz Peterson
 Paravis, LLC
 Ph: 951.319.3240 x201
 
 On Jul 1, 2015, at 3:24 PM, Axel Luttgens axel.luttg...@skynet.be wrote:
 
 
 On 1 Jul 2015, at 04:38, Laz C. Peterson wrote:
 
 I have an interesting case here …
 
 Virtual mailboxes, domain/username/aliases stored in MySQL, authentication 
 done using PAM.  PAM authenticates through Kerberos, which are internal 
 realms and not the email domains — for example, my username would be 
 laz@PARAVIS.LOCAL mailto:laz@PARAVIS.LOCAL and my email address would be 
 l...@paravis.net mailto:l...@paravis.net.
 
 All of this works just fine.  But what I want to do is allow the users to 
 log in using their email address and not their full Kerberos name.  It is 
 becoming laborious to help the users understand the difference between 
 their username@LOCAL.REALM and username@email.address 
 mailto:username@email.address and why we have to have two separate 
 identities that mean the same thing.
 
 I have the SQL statements to convert either the Kerberos login or the email 
 address to the actual Kerberos login (so they may use either).  But I 
 cannot seem to figure out how to get Dovecot to acknowledge this as the 
 mapped username.
 
 I’m sure there has to be a way.  Any help will be greatly appreciated.  
 Thank you!
 
 Hello Laz,
 
 I fear you’ll have to resort to CheckPassword 
 (http://wiki2.dovecot.org/AuthDatabase/CheckPassword) or something similar.
 
 Indeed, your MySql database may contain everything needed to convert email 
 addresses to kerb login (and vice-versa), but Dovecot’s PAM interface 
 understandably just knows about a (login, password) pair, where the login is 
 the one provided by the user wanting to log in.
 
 That said, I hope to be wrong,
 Axel


Re: dovecot auth using 100% CPU

2015-06-23 Thread Edward Betts
Jorge Bastos mysql.jo...@decimal.pt wrote:
 What do you see in the logs?
 My guess is that someone is trying a brute force auth against you,

Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
authentication. The exim4 logs show brute force attacks.

-- 
Edward.


Re: dovecot auth using 100% CPU

2015-06-21 Thread Marcus Rueckert
On 2015-06-21 10:41:48 +0100, Edward Betts wrote:
  0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 
 EPIPE (Broken pipe)
  0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 
 EPIPE (Broken pipe)

something is fishy in your setup

darix

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org


RE: dovecot auth using 100% CPU

2015-06-21 Thread Jorge Bastos
What do you see in the logs?
My guess is that someone is trying a brute force auth against you,

 -Original Message-
 From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Edward
 Betts
 Sent: Sunday, 21 June 2015 10:42
 To: dovecot@dovecot.org
 Subject: dovecot auth using 100% CPU
 
 Every few days I find that dovecot auth is using all my CPU.
 
 This is from dovecot 2.2.13, I've just upgraded to 2.2.18
 
 strace -r -p 17956 output:
 
 Process 17956 attached
  0.00 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
  0.57 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
  0.43 epoll_ctl(15, EPOLL_CTL_ADD, 19,
 {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}) = 0
  0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97)
 = -1 EPIPE (Broken pipe)
  0.35 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
 si_pid=17956, si_uid=108} ---
  0.20 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}}, 14, 12614) = 1
  0.31 read(19, , 8192)= 0
  0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
  0.27 close(19) = 0
  0.29 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
  0.27 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
  0.28 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
  0.29 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker},
 110) = 0
  0.33 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
  0.33 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
  0.26 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
  0.30 epoll_ctl(15, EPOLL_CTL_ADD, 19,
 {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}) = 0
  0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97)
 = -1 EPIPE (Broken pipe)
  0.29 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
 si_pid=17956, si_uid=108} ---
  0.15 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}}, 14, 12614) = 1
  0.31 read(19, , 8192)= 0
  0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
  0.27 close(19) = 0
  0.28 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
  0.36 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
  0.26 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
  0.24 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker},
 110) = 0
  0.34 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
  0.30 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
  0.25 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
  0.31 epoll_ctl(15, EPOLL_CTL_ADD, 19,
 {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}) = 0
  0.36 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97)
 = -1 EPIPE (Broken pipe)
  0.30 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
 si_pid=17956, si_uid=108} ---
  0.16 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
 u64=140128453618224}}}, 14, 12614) = 1
  0.31 read(19, , 8192)= 0
  0.27 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
  0.28 close(19) = 0
 
 Any ideas what's wrong? The machine is running Debian.
 --
 Edward.


dovecot auth using 100% CPU

2015-06-21 Thread Edward Betts
Every few days I find that dovecot auth is using all my CPU.

This is from dovecot 2.2.13, I've just upgraded to 2.2.18

strace -r -p 17956 output:

Process 17956 attached
 0.00 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
 0.57 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
 0.43 epoll_ctl(15, EPOLL_CTL_ADD, 19, 
{EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
 0.40 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 
EPIPE (Broken pipe)
 0.35 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, 
si_uid=108} ---
 0.20 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, 
u64=140128453618224}}}, 14, 12614) = 1
 0.31 read(19, , 8192)= 0
 0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
 0.27 close(19) = 0
 0.29 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
 0.27 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
 0.28 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
 0.29 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
 0.33 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
 0.33 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
 0.26 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
 0.30 epoll_ctl(15, EPOLL_CTL_ADD, 19, 
{EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
 0.35 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 
EPIPE (Broken pipe)
 0.29 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, 
si_uid=108} ---
 0.15 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, 
u64=140128453618224}}}, 14, 12614) = 1
 0.31 read(19, , 8192)= 0
 0.26 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
 0.27 close(19) = 0
 0.28 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
 0.36 fcntl(19, F_GETFL)= 0x2 (flags O_RDWR)
 0.26 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
 0.24 connect(19, {sa_family=AF_LOCAL, sun_path=auth-worker}, 110) = 0
 0.34 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
 0.30 lseek(19, 0, SEEK_CUR)= -1 ESPIPE (Illegal seek)
 0.25 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
 0.31 epoll_ctl(15, EPOLL_CTL_ADD, 19, 
{EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
 0.36 write(19, VERSION\tauth-worker\t1\t0\nDBHASH\t5..., 97) = -1 
EPIPE (Broken pipe)
 0.30 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, 
si_uid=108} ---
 0.16 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, 
u64=140128453618224}}}, 14, 12614) = 1
 0.31 read(19, , 8192)= 0
 0.27 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
 0.28 close(19) = 0

Any ideas what's wrong? The machine is running Debian.
-- 
Edward.


what's the different between the processes dovecot-auth and dovecot -w

2015-05-19 Thread 刘莹莹
Hi,
What's the difference between the processes dovecot-auth and dovecot -w?
What's the function of each of them?
Thanks

Googling: dovecot: auth-worker(default): pam_start() failed: Critical error - immediate abort

2015-05-17 Thread david
Howdy, Googling:

dovecot: auth-worker(default): pam_start() failed: Critical error - immediate 
abort
dobbeltganger dovecot: auth-worker(default): pam(user,1.2.3.4): lookup 
service=dovecot
dobbeltganger out of memory [4543]

returns just 3 references.

Examining memory server side reveals use of virtual memory but not 100%

OS: Ubuntu 14.04 client 10.04 server-side.
Email client: Thunderbird (Thunderbird prompts for the password which has 
worked for years).

dovecot -n

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.34.1-rscloud x86_64 Ubuntu 10.04.4 LTS 
log_timestamp: %Y-%m-%d %H:%M:%S 
ssl: required
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-logina
login_processes_count: 5
login_max_processes_count: 256
mail_max_userip_connections: 40
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
mbox_write_locks: fcntl dotlock
auth default:
  realms: davidwbrown.name, karlbrown.name
  default_realm: dobbeltganger.com
  username_format: %n
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
driver: pam
  userdb:
driver: passwd
  socket:
type: listen
client:
  path: /var/spool/postfix/private/auth
  mode: 432
  user: postfix
  group: postfix


Re: Crash in dovecot/auth with backtrace

2015-04-24 Thread Ralf Hildebrandt
* Timo Sirainen dovecot@dovecot.org:
 On 23 Apr 2015, at 17:34, Ralf Hildebrandt ralf.hildebra...@charite.de 
 wrote:
  
  I'm seeing this odd crash with 
  USER\t531\t*@liquid-scan.de\tservice=quota-status
  Which looks like something is being tested against our quota-status --
  but I fail to see why an NON LOCAL address is being tested
 
 Oh, that's not very good. Fixed: 
 http://hg.dovecot.org/dovecot-2.2/rev/65f825a8cd0b

Thanks a lot :)

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Crash in dovecot/auth with backtrace

2015-04-23 Thread Ralf Hildebrandt
I'm seeing this odd crash with 
USER\t531\t*@liquid-scan.de\tservice=quota-status
Which looks like something is being tested against our quota-status --
but I fail to see why an NON LOCAL address is being tested

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as i486-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/dovecot-2.2/libexec/dovecot/auth...done.
[New LWP 2289]
[Thread debugging using libthread_db enabled]
Using host libthread_db library 
/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1.
Core was generated by `dovecot/auth'.
Program terminated with signal 6, Aborted.
#0  0xb7724424 in __kernel_vsyscall ()
#0  0xb7724424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb74a0661 in *__GI_raise (sig=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
resultvar = optimized out
pid = -1218617356
selftid = 2289
#2  0xb74a3a92 in *__GI_abort () at abort.c:92
act = {__sigaction_handler = {sa_handler = 0xbfd1c924, 
sa_sigaction = 0xbfd1c924}, sa_mask = {__val = {3077760610, 
  3218196756, 3076712520, 3218196744, 3077843556, 0, 3074764848, 
  1, 0, 1, 3077716256, 145215752, 1097, 3077184659, 3, 145244200, 
  1, 128, 0, 3218196816, 3218196744, 3218196756, 3218196764, 
  3077716256, 0, 3077194863, 145215720, 3076749582, 3077199789, 
  3077686824, 1097, 3077686824}}, sa_flags = 0, 
  sa_restorer = 0xb76a5c2f internal_handler+527}
sigs = {__val = {32, 0 repeats 31 times}}
#3  0xb76a624e in default_fatal_finish (type=optimized out, 
status=status@entry=0) at failures.c:202
backtrace = 0x8a7c8d8 
/usr/local/dovecot-2.2/lib/dovecot/libdovecot.so.0(+0x7825e) [0xb76a625e] - 
/usr/local/dovecot-2.2/lib/dovecot/libdovecot.so.0(+0x782e1) [0xb76a62e1] - 
/usr/local/dovecot-2.2/lib/dovecot/libdovecot
#4  0xb76a62e1 in i_internal_fatal_handler (ctx=0xbfd1c9f0, 
format=0x807a0c4 file %s: line %d (%s): assertion failed: (%s), 
args=0xbfd1ca14 \257j\a\b\371\004) at failures.c:671
status = 0
#5  0xb76a6e5f in i_panic (
format=format@entry=0x807a0c4 file %s: line %d (%s): assertion failed: 
(%s)) at failures.c:276
ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, 
  timestamp_usecs = 0}
args = 0xbfd1ca14 \257j\a\b\371\004
#6  0x0805873a in auth_request_set_login_username (request=0x8a945d8, 
username=0x8a7c548 , error_r=0xbfd1cad4) at auth-request.c:1273
master_passdb = optimized out
__FUNCTION__ = auth_request_set_login_username
#7  0x08054c44 in master_input_auth_request (conn=conn@entry=0x8aa18b8, 
args=args@entry=0x8a941c1 531\t*@liquid-scan.de\tservice=quota-status, 
cmd=cmd@entry=0x8076925 USER, request_r=request_r@entry=0xbfd1cad0, 
error_r=error_r@entry=0xbfd1cad4) at auth-master-connection.c:209
auth_request = 0x8a945d8
list = 0x8a7c53c
name = optimized out
arg = optimized out
username = 0x8a7c504 *@liquid-scan.de
id = 531
#8  0x0805539c in master_input_user (
args=0x8a941c1 531\t*@liquid-scan.de\tservice=quota-status, 
conn=0x8aa18b8) at auth-master-connection.c:306
auth_request = 0x8a92e70
error = 0x8ab8e81 31298
ret = optimized out
#9  auth_master_input_line (
line=0x8a941bc USER\t531\t*@liquid-scan.de\tservice=quota-status, 
conn=0x8aa18b8) at auth-master-connection.c:615
No locals.
#10 master_input (conn=0x8aa18b8) at auth-master-connection.c:679
_data_stack_cur_id = 3
line = optimized out
ret = 40
#11 0xb76baf8b in io_loop_call_io (io=0x8a92ba8) at ioloop.c:501
ioloop = 0x8a844e8
t_id = 2
__FUNCTION__ = io_loop_call_io
#12 0xb76bc272 in io_loop_handler_run_internal (ioloop=ioloop@entry=0x8a844e8)
at ioloop-epoll.c:220
ctx = 0x8a8b500
events = 0x8f1
event = 0x8a8b558
list = 0x8a92be0
io = optimized out
tv = {tv_sec = 0, tv_usec = 999856}
events_count = error reading variable events_count (Could not find 
type for DW_OP_GNU_const_type)
msecs = optimized out
ret = 3
i = optimized out
j = optimized out
call = optimized out
__FUNCTION__ = io_loop_handler_run_internal
#13 0xb76bb01c in io_loop_handler_run (ioloop=ioloop@entry=0x8a844e8)
at ioloop.c:548
No locals.
#14 0xb76bb0a8 in io_loop_run (ioloop=0x8a844e8) at ioloop.c:525
__FUNCTION__ = io_loop_run
#15 0xb76527ae in master_service_run (service=0x8a84418, 
callback=0x8063df0 client_connected

Re: Crash in dovecot/auth with backtrace

2015-04-23 Thread Timo Sirainen
On 23 Apr 2015, at 17:34, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
 
 I'm seeing this odd crash with 
 USER\t531\t*@liquid-scan.de\tservice=quota-status
 Which looks like something is being tested against our quota-status --
 but I fail to see why an NON LOCAL address is being tested

Oh, that's not very good. Fixed: 
http://hg.dovecot.org/dovecot-2.2/rev/65f825a8cd0b


postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Edgaras Lukoševičius
Hello,

is it possible to configure haproxy to work with postfix sasl and 
dovecot auth like this:

clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1, 
20025:auth-backend-2

The configuration I have now gives me this error randomly:
535 5.7.8 Error: authentication failed: Connection lost to authentication server

This is probably because haproxy changes servers while the session is still active 
(postfix sasl doesn't establish a new connection to the auth service every time a new 
auth request arrives)

Note that haproxy is between postfix and dovecot and is not facing clients 
directly, so there is no way to keep persistent connections by client ip.


# POSTFIX
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = inet:127.0.0.1:20025
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot


# HAPROX
frontend  postfix-sasl
bind  127.0.0.1:20025
default_backend dovecot-auth

backend dovecot-auth
mode tcp
option tcplog
option srvtcpka
hash-type consistent

balance roundrobin
server  mail-backend-1 31.220.19.52:20025 check
server  mail-backend-2 31.220.19.53:20025 check

Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Benny Pedersen

Edgaras Lukoševičius wrote on 2015-03-27 12:21:

> is it possible to configure haproxy to work with postfix
> sasl and dovecot auth like this:
>
> clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1,
> 20025:auth-backend-2


configure cyrus-sasl as a remote imap client is more simple

if imap hostname is dns round robin it would be ha-avail already

keep postfix simple


Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Edgaras Lukoševičius
Can’t dovecot authenticate against imap?

What I need is to make smtp authentication balanced and keep everything in 
backend (private network)


On 27 Mar 2015, at 13:29, Benny Pedersen m...@junc.eu wrote:

 Edgaras Lukoševičius wrote on 2015-03-27 12:21:
 
 is it possible to configure haproxy to work with postfix
 sasl and dovecot auth like this:
 clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1,
 20025:auth-backend-2
 
 configure cyrus-sasl as a remote imap client is more simple
 
 if imap hostname is dns round robin it would be ha-avail already
 
 keep postfix simple


Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Gedalya

On 03/27/2015 07:21 AM, Edgaras Lukoševičius wrote:

> Hello,
>
> is it possible to configure haproxy to work with postfix sasl and
> dovecot auth like this:
>
> clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1,
> 20025:auth-backend-2

Why don't you set up a dovecot locally (with only auth service) on each 
postfix box?


Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Chris Adams
Once upon a time, Edgaras Lukoševičius edgaras.lukosevic...@gmail.com said:
 What I need is to make smtp authentication balanced and keep everything in 
 backend (private network)

If you have more than one Postfix server, each one must talk to its own
private Dovecot server for auth.  The Dovecot auth protocol includes a
client (Postfix) assigned ID, and Postfix uses the process ID.  If you
have multiple Postfix servers talking to one Dovecot server, you'll get
ID conflicts and dropped auths.

I ended up putting a local instance of Dovecot on each Postfix server,
with no protcols configured except for auth.  Not quite as HA, but I
have my monitoring system doing SMTP AUTH (never have had a problem with
the setup); you could probably have HAProxy do it as well (IIRC it can
do some basic expect-style send/receive).

-- 
Chris Adams c...@cmadams.net
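
The auth-only local Dovecot instance suggested in this thread, as an added configuration sketch that is not Chris Adams's or Gedalya's own file: each Postfix host talks to its own Dovecot over a UNIX socket, so no auth traffic crosses a proxy or the network. Dovecot 2.x syntax, the PAM passdb and the stock Postfix queue directory are assumptions.

```conf
# Added illustration, not configuration from the thread.
# Assumptions: Dovecot 2.x syntax, Postfix queue directory /var/spool/postfix.
# File: dovecot.conf on each Postfix host.

# No IMAP/POP3/LMTP listeners; only the auth service is started.
protocols =

service auth {
  # UNIX socket inside the Postfix queue directory. There is no inet
  # listener, so the auth protocol is reachable only by local processes
  # running as the postfix user or group.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# Credential backend. Placeholder: use whichever passdb the site already
# runs on its mail backends.
passdb {
  driver = pam
}

# Matching Postfix settings (main.cf), replacing the inet:127.0.0.1:20025
# path shown in the original post:
#   smtpd_sasl_type = dovecot
#   smtpd_sasl_path = private/auth
```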

