Re: Can’t authenticate any users after upgrade. [SOLVED]

2018-04-07 Thread Kevin Cummings
> On 04/04/18 23:10, Kevin Cummings wrote:
> I’m in the process of upgrading an old server from Fedora 21 to
> something more modern.  Now, Dovecot won’t let any client login to get
> their email.
> 
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
> session=
> 
> # 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
> # OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two)
> # Hostname: kjchome.homeip.net
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location = 
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix = 
> }
> passdb {
>   driver = pam
> }
> ssl = required
> ssl_cert = 
> ssl_cipher_list = PROFILE=SYSTEM
> ssl_dh =  # hidden, use -P to show it
> ssl_key =  # hidden, use -P to show it
> userdb {
>   driver = passwd
> }

What ended up working for me.

I ended up downgrading to version 2.2.25 as packaged by city-fan.org

That worked.

Then, at the urging of the packager, I re-installed 2.3.1 (from the same
repository), but replaced the dovecot.service file with the one from 2.2.35.

[Always did a systemctl daemon-reload; systemctl restart dovecot between
attempts]

That worked.

Next he had me comment out the line that starts:

CapabilityBoundingSet=

That also worked

-- 
Kevin J. Cummings
cummi...@kjchome.homeip.net
cummi...@kjc386.framingham.ma.us
kjch...@icloud.com
Registered Linux User #1232 (http://www.linuxcounter.net/)
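The fix that finally stuck above was to comment out CapabilityBoundingSet= entirely, which leaves the bounding set of the dovecot master (and of every auth-worker it forks, since a bounding set is inherited and can only shrink) unrestricted. The following is an added example, not code from the thread or from Dovecot, for verifying on the running service that CAP_AUDIT_WRITE is really present: it decodes the CapBnd mask from /proc/<pid>/status and also converts a CapabilityBoundingSet= word list to the hex form the kernel prints, so a unit file and a live process can be compared. It assumes Linux /proc; the capability bit numbers are from linux/capability.h and the two /proc excerpts embedded in it are constructed. Get the PID with `systemctl show -p MainPID dovecot`.

```python
"""Decode the capability bounding set of a running process from
/proc/<pid>/status and check whether CAP_AUDIT_WRITE is still in it.
Added example, not code from the thread.  Capability bit numbers are
from linux/capability.h; the /proc excerpts below are constructed."""
import re
import sys
from pathlib import Path

# Kernel capability bit numbers, enough to decode any mask a current
# kernel prints (unknown higher bits are reported as CAP_<n>).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14,
    "CAP_IPC_OWNER": 15, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17,
    "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20,
    "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23,
    "CAP_SYS_RESOURCE": 24, "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26,
    "CAP_MKNOD": 27, "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29,
    "CAP_AUDIT_CONTROL": 30, "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32,
    "CAP_MAC_ADMIN": 33, "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35,
    "CAP_BLOCK_SUSPEND": 36, "CAP_AUDIT_READ": 37,
}
BIT_CAPS = {bit: name for name, bit in CAP_BITS.items()}


def decode_capset(hexmask):
    """CapXxx hex mask from /proc/<pid>/status -> set of capability names."""
    mask = int(hexmask, 16)
    return {BIT_CAPS.get(b, f"CAP_{b}")
            for b in range(mask.bit_length()) if mask >> b & 1}


def encode_capset(names):
    """Inverse: a CapabilityBoundingSet= word list -> the 16-digit hex mask
    the kernel would show, so a unit file can be compared with /proc."""
    mask = 0
    for name in names.split():
        mask |= 1 << CAP_BITS[name]
    return f"{mask:016x}"


def parse_proc_status(text):
    """All Cap* lines of a /proc/<pid>/status text as name sets."""
    return {m.group(1): decode_capset(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}


def audit_write_blocked(status_text):
    """True if CAP_AUDIT_WRITE is outside the bounding set.  A bounding set
    can only shrink, never grow, so no child of this process (Dovecot's
    auth-worker included) can ever send audit records; PAM then logs
    'audit_log_acct_message() failed: Operation not permitted'."""
    return "CAP_AUDIT_WRITE" not in parse_proc_status(status_text)["CapBnd"]


def check_pid(pid):
    """Read a live /proc/<pid>/status (Linux only) and return the verdict."""
    return audit_write_blocked(Path(f"/proc/{pid}/status").read_text())


# Constructed excerpts.  The first is a process limited to the nine caps of
# the 2.3.1 unit without CAP_AUDIT_WRITE (bits 0,1,5,6,7,10,14,18,24 =
# 0x10444e3); the second adds bit 29, CAP_AUDIT_WRITE (0x210444e3).
RESTRICTED_STATUS = """\
Name:\tdovecot
Pid:\t1234
CapInh:\t0000000000000000
CapPrm:\t00000000010444e3
CapEff:\t00000000010444e3
CapBnd:\t00000000010444e3
CapAmb:\t0000000000000000
"""
FIXED_STATUS = RESTRICTED_STATUS.replace("010444e3", "210444e3")

if __name__ == "__main__":
    # Usage: python3 capbnd_check.py <pid>; defaults to this process.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    print("CAP_AUDIT_WRITE blocked" if check_pid(pid) else "CAP_AUDIT_WRITE allowed")
```

Checking the master PID is enough: if CAP_AUDIT_WRITE is absent from its CapBnd, it is absent from every login and auth process underneath it, whatever user they run as.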


Re: Can’t authenticate any users after upgrade.

2018-04-05 Thread Helmut K. C. Tessarek
On 2018-04-05 22:14, Kevin Cummings wrote:
> OK, so I went this route, added the new file, stopped dovecot, did the
> daemon-reload, then started it up again.
> It did not work for me.  As I continued to read the other emails in this
> thread, I came to the conclusion that the Fedora configuration, as
> packaged by City-Fan.org  is what is broken. 
> Luckily for me, there was still a 2.2.35 version of dovecot in the
> repository, so I ended up doing the "dnf downgrade dovecot" and now I
> can read my emails again.  I'm assuming that the packager for Fedora
> will ensure that this gets fixed in the current releases.  I checked,
> and F26

Interesting, I'm still on an older Fedora release, but I used the
original Fedora spec file, which I adjusted a bit (so that it uses my
own openssl version instead of the system's, and a few other minor
tweaks), and created my own dovecot 2.3.1 package.

In any case, the changes I described fixed it for me.

I don't think the Fedora packager even knows about the PAM configuration
issue, otherwise he would have written a patch, but there's nothing in
git master of the dovecot package repo.

I've opened a bug with Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1564348

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek  KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/





Re: Can’t authenticate any users after upgrade.

2018-04-05 Thread Kevin Cummings
> On 04/05/18 02:34, B. Reino wrote:
>> On 2018-04-05 06:33, Helmut K. C. Tessarek wrote: 
>>> On 2018-04-04 23:10, Kevin Cummings wrote: 
>>> PAM audit_log_acct_message() failed: Operation not permitted 
>>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): 
>>> user=, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, 
>>> session= 
>> 
>> Please look at my pull request at: 
>> https://github.com/dovecot/core/pull/71 
>> 
>> Or, if it's any easier: 
>> 
>> 1) Stop dovecot 
>> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file 
> 
> I'd recommend to just override the necessary options by creating 
> /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following 
> content: 
> 
> -<<-- 
> [Service] 
> NoNewPrivileges=false 
> -->>- 
> 
> This way the fix survives any updates and you don't have to mess with 
> package-provided files.   
> 
>> 3) systemctl daemon-reload 
>> 4) systemctl start dovecot 

OK, so I went this route, added the new file, stopped dovecot, did the 
daemon-reload, then started it up again.
It did not work for me.  As I continued to read the other emails in this 
thread, I came to the conclusion that the Fedora configuration, as packaged by 
City-Fan.org is what is broken.  Luckily for me, there was still a 2.2.35 
version of dovecot in the repository, so I ended up doing the "dnf downgrade 
dovecot" and now I can read my emails again.  I'm assuming that the packager 
for Fedora will ensure that this gets fixed in the current releases.  I 
checked, and F26 


Re: Can’t authenticate any users after upgrade.

2018-04-05 Thread Helmut K. C. Tessarek
On 2018-04-05 02:34, B. Reino wrote:
> This way the fix survives any updates and you don't have to mess with
> package-provided files.

You'd also have to add the following:

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE

It won't work without CAP_AUDIT_WRITE, even, if NoNewPrivileges is set
to false, at least not on my server.

But as I've mentioned this _could_ be counterproductive if in the future
the systemd file that comes with dovecot is changed and you forget to
delete /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf again.


-- 
regards Helmut K. C. Tessarek  KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/



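The drop-in discussion above (the NoNewPrivileges.conf that only sets NoNewPrivileges=false, and the CapabilityBoundingSet= list K. C. says must go with it) and the [SOLVED] fix of commenting the line out entirely both come down to how systemd merges CapabilityBoundingSet= across a unit file and its drop-ins. The following is an added example, not code from the thread or from Dovecot, that resolves the effective setting by the rules in systemd.exec(5): drop-ins apply after the unit in lexical order, NoNewPrivileges= is last-wins, positive CapabilityBoundingSet= lists are merged by OR, "~"-prefixed lists by AND, an empty value resets to the empty set, a bare "~" resets to the full set, and an option never set leaves the bounding set unrestricted. The unit texts in it are constructed; the "packaged" one models what the thread implies the broken 2.3.1 unit looked like (NoNewPrivileges=true and a bounding set without CAP_AUDIT_WRITE). It also shows a case the thread does not spell out: because positive lists OR-merge, a drop-in containing only CapabilityBoundingSet=CAP_AUDIT_WRITE adds the capability without repeating the packaged list.

```python
"""Resolve the effective NoNewPrivileges= and CapabilityBoundingSet= of a
systemd service from its unit file plus drop-ins, following the merge
rules of systemd.exec(5).  Added example, not code from the thread; the
unit texts below are constructed."""

UNSET = ("unset", frozenset())   # CapabilityBoundingSet= never used: no limit


def parse_unit(text):
    """Yield (section, key, value) in file order, honouring '#'/';' comment
    lines and trailing-backslash continuation lines."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def apply_bounding_set(state, value):
    """Fold one CapabilityBoundingSet= assignment into a symbolic state:
    ('only', caps), ('except', caps) or UNSET.  Keeping the set symbolic
    means no table of every capability name is needed for '~' lists."""
    mode, caps = state
    value = value.strip()
    if value == "":                          # "" -> empty set, prior lines void
        return ("only", frozenset())
    if value == "~":                         # "~" -> full set, prior lines void
        return ("except", frozenset())
    if value.startswith("~"):                # "~A B" -> AND: remove A and B
        listed = frozenset(value[1:].split())
        if mode == "only":
            return ("only", caps - listed)
        return ("except", caps | listed)
    listed = frozenset(value.split())        # "A B" -> OR: add A and B
    if mode == "only":
        return ("only", caps | listed)
    if mode == "except":
        return ("except", caps - listed)
    return ("only", listed)                  # first positive list: only these


def has_cap(state, name):
    mode, caps = state
    return name in caps if mode == "only" else name not in caps


def parse_bool(value):
    return value.strip().lower() in ("1", "yes", "y", "true", "t", "on")


def resolve_service(unit_text, dropins):
    """Effective [Service] settings of interest.  `unit_text` is whichever
    dovecot.service systemd picked (/etc/systemd/system wins over
    /usr/lib/systemd/system); `dropins` is a list of (filename, text) from
    dovecot.service.d/, applied in sorted filename order on top of it."""
    nnp, bnd = False, UNSET
    for _, text in [("", unit_text)] + sorted(dropins):
        for section, key, value in parse_unit(text):
            if section != "Service":
                continue
            if key == "NoNewPrivileges":
                nnp = parse_bool(value)
            elif key == "CapabilityBoundingSet":
                bnd = apply_bounding_set(bnd, value)
    return {"NoNewPrivileges": nnp, "CapabilityBoundingSet": bnd}


def pam_audit_ok(resolved):
    """PAM's audit_log_acct_message() needs CAP_AUDIT_WRITE in the process."""
    return has_cap(resolved["CapabilityBoundingSet"], "CAP_AUDIT_WRITE")


# Constructed: what the thread implies the packaged 2.3.1 unit looked like.
PACKAGED_UNIT = """\
[Unit]
Description=Dovecot IMAP/POP3 email server

[Service]
ExecStart=/usr/sbin/dovecot -F
NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
"""
DROPIN_NNP_ONLY = "[Service]\nNoNewPrivileges=false\n"            # the thread's drop-in
DROPIN_WITH_AUDIT = "[Service]\nCapabilityBoundingSet=CAP_AUDIT_WRITE\n"  # OR-merges in
SOLVED_UNIT = PACKAGED_UNIT.replace("\nCapabilityBoundingSet=", "\n#CapabilityBoundingSet=")

if __name__ == "__main__":
    cases = [
        ("packaged 2.3.1 unit", PACKAGED_UNIT, []),
        ("+ NoNewPrivileges.conf", PACKAGED_UNIT, [("NoNewPrivileges.conf", DROPIN_NNP_ONLY)]),
        ("+ audit.conf", PACKAGED_UNIT, [("NoNewPrivileges.conf", DROPIN_NNP_ONLY), ("audit.conf", DROPIN_WITH_AUDIT)]),
        ("CapabilityBoundingSet= commented out", SOLVED_UNIT, []),
    ]
    for label, unit, dropins in cases:
        r = resolve_service(unit, dropins)
        print(f"{label}: NoNewPrivileges={r['NoNewPrivileges']}, PAM audit {'ok' if pam_audit_ok(r) else 'EPERM'}")
```

The resolver models only the two settings in question and a single drop-in directory, and it does not read the filesystem; to check a live host, split the output of `systemctl cat dovecot` by file and feed the pieces in. Note the trade-off the example makes visible: commenting CapabilityBoundingSet= out restores CAP_AUDIT_WRITE by removing every restriction, while a drop-in adding just that one capability keeps the rest of the confinement.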


Re: Can’t authenticate any users after upgrade.

2018-04-05 Thread Helmut K. C. Tessarek
On 2018-04-05 03:01, Aki Tuomi wrote:
> Never replace /lib or /usr/lib systemd unit files, if you want to
> replace the whole unit file, please put it under /etc/systemd/system/
> directory. If unit file with same name is found under there, it is used
> instead.

Usually I'd agree, but let's assume you change something in the file
that comes with dovecot in the future, systemd will still use the one in
/etc/systemd/system and you'd never know that the original file has
ever even changed.

On the other side, if with the next version of dovecot this
NoNewPrivileges issue will not have been resolved, you just change the
file again.
If it has been fixed, all is good anyway.

Anyhow, both concepts are valid in this instance in my opinion.

-- 
regards Helmut K. C. Tessarek  KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/





Re: Can’t authenticate any users after upgrade.

2018-04-05 Thread Aki Tuomi


On 05.04.2018 07:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
> 3) systemctl daemon-reload
> 4) systemctl start dovecot
>
> Done.
>
> Cheers,
>  K. C.
>

Hi!

Never replace /lib or /usr/lib systemd unit files, if you want to
replace the whole unit file, please put it under /etc/systemd/system/
directory. If unit file with same name is found under there, it is used
instead.

Aki



Re: Can’t authenticate any users after upgrade.

2018-04-04 Thread B. Reino

On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=
>
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file

I'd recommend to just override the necessary options by creating
/etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the
following content:

-<<--
[Service]
NoNewPrivileges=false
-->>-

This way the fix survives any updates and you don't have to mess with
package-provided files.

> 3) systemctl daemon-reload
> 4) systemctl start dovecot


Re: Can’t authenticate any users after upgrade.

2018-04-04 Thread Helmut K. C. Tessarek
On 2018-04-04 23:10, Kevin Cummings wrote:
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
> session=

Please look at my pull request at:
https://github.com/dovecot/core/pull/71

Or, if it's any easier:

1) Stop dovecot
2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
3) systemctl daemon-reload
4) systemctl start dovecot

Done.

Cheers,
 K. C.

-- 
regards Helmut K. C. Tessarek  KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/

# This file is part of Dovecot
#
# If you want to pass additionally command line options to the dovecot
# binary, create the file:
#   `/etc/systemd/system/dovecot.service.d/service.conf'.

[Unit]
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
After=local-fs.target network-online.target dovecot-init.service
Requires=dovecot-init.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=/usr/sbin/dovecot -F
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE

# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open files' you may set:
#LimitNOFILE=8192
# If you want to allow the Dovecot services to produce core dumps, use:
#LimitCORE=infinity

[Install]
WantedBy=multi-user.target




Can’t authenticate any users after upgrade.

2018-04-04 Thread Kevin Cummings
I’m in the process of upgrading an old server from Fedora 21 to something more 
modern.  Now, Dovecot won’t let any client login to get their email.

PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=, 
method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=

# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two) 
# Hostname: kjchome.homeip.net
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
ssl = required
ssl_cert = 
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}

-- 
Kevin J. Cummings
cummi...@kjchome.homeip.net
cummi...@kjc386.framingham.ma.us
kjch...@icloud.com
Registered Linux User #1232 (http://www.linuxcounter.net/)