[Dovecot] MySQL passdb, auth_verbose, and documentation
Tom Metro
tmetro+dovecot at vl.com
Mon Aug 9 09:31:12 EEST 2004
I've been playing around with Dovecot for the past few months for
testing (on a Debian 3.0 system), and initially it was easy to setup
and worked well.
Recently I upgraded to 0.99.10.9, and when I rebuilt it I enabled
MySQL and SSL.
The first problem I ran into was upon startup it complained that there
was no certificate, which makes sense, except that I hadn't enabled
imaps in the config file. It would make more sense not to require SSL
support files if SSL isn't being used. But this is minor.
I encountered more serious problems when I tried migrating from real
user accounts to virtual accounts via MySQL. Has anyone written a
howto on setting up Dovecot with MySQL? (Just pointing to
dovecot-mysql.conf leaves out a lot.) If not, I'll volunteer to write
something up.
I set up dovecot-mysql.conf as I thought it should be, created a
database, added a record with a digest-md5 password, and changed some
dovecot.conf directives as follows:
default_mail_env = maildir:/var/mail/%d/%n/
auth_mechanisms = digest-md5
auth_default_realm = example.com
auth_userdb = static uid=5000 gid=5000 home=/var/mail/%d/%n/
auth_passdb = mysql /etc/dovecot-mysql.conf
For the static auth_userdb I wasn't quite sure what to put after home=
as I wasn't really defining a home directory location. I initially
tried making it identical to default_mail_env, but later learned that
it clearly didn't like the "maildir:" prefix.
Some questions the documentation left unanswered: Is home= required if
default_mail_env will suffice for virtual users? Can mail= be used
instead, as implied by the database documentation? Practically
speaking, is there any difference between the two in the case of
virtual user accounts?
I tried to access Dovecot from a mail client and repeatedly received a
login failure. Unfortunately, this is typical of what I saw in the log
file:
Aug 8 03:53:50 lex dovecot: Dovecot starting up
Aug 8 03:53:52 lex dovecot-auth: MySQL: connected to localhost
Aug 8 03:55:13 lex imap-login: Disconnected: Inactivity [192.168.0.200]
I enabled auth_verbose:
auth_verbose = yes
and checked my syslog.conf to make sure all priorities were being
logged:
mail.* /var/log/syslog/mail.log
but still no additional verbosity. How should things look different
when auth_verbose is enabled?
Checking MySQL's log I could see that Dovecot was successfully
connecting to the database server, but never executing any queries. I
was going to next turn on logging of all IMAP traffic, but noticed the
Wiki suggested trying a manual session, which I did:
% telnet localhost imap
* OK dovecot ready.
1 LOGIN tmetro at example.com password
1 NO Login failed: Unsupported authentication mechanism
Isn't this the kind of thing that should appear in the log when
auth_verbose is enabled?
That seemed odd, as 'digest-md5' is mentioned right in dovecot.conf as
a valid choice.
In retrospect, I gather what the message above is trying to tell me is
that Dovecot wasn't configured to accept a 'plain' authentication,
which is apparently what I was using in my manual session. It would be
nice if the error message could express that a bit better.
I did have some suspicion that it might be the that plain text
authentication was being prevented, as at that point I didn't know
what auth_mechanisms applied to, but I looked at dovecot.conf and
found disable_plaintext_auth = no, which seemed to imply that plain
text at the IMAP protocol level should have been permitted. Might it
be clearer if that attribute was incorporated into the auth_mechanisms
settings or at least moved into the auth section?
I switched it to 'plain-md5', as mentioned in auth.txt, and tried
again. That resulted in:
Aug 8 21:11:53 lex dovecot-auth: Unknown authentication mechanism 'plain-md5'
Aug 8 21:11:53 lex dovecot: Auth process died too early - shutting down
Aug 8 21:11:53 lex dovecot: child 10293 (auth) returned error 89
Aug 8 21:11:53 lex imap-login: fd_send(-1) failed: Broken pipe
That got me wondering whether there were two different areas where
authentication terms apply - one being the password exchange in
the IMAP protocol, and the other being how the password is stored on
the server - yet the discussion of the two seems to be mixed together
in the documentation.
I tried switching to:
auth_mechanisms = plain
and finally got something more expected:
Aug 8 21:20:44 lex dovecot-auth: mysql(tmetro at example.com): Password mismatch
I tried putting the password into the database unencrypted, but that
didn't work (probably because of my default_pass_scheme setting?).
Generating a PLAIN-MD5 per auth.txt finally worked.
This leads to some questions: auth_mechanisms doesn't seem to be
describing the way in which the password is stored, so what does it
describe? In dovecot-mysql.conf I had:
default_pass_scheme = DIGEST-MD5
and didn't change it. What purpose does it serve? Is it only to
identify the encryption used when there isn't a {SCHEME} tag present?
For DIGEST-MD5, which encrypts "user:realm:pass", does realm include
the @? Does user include @realm? I assumed no in both cases, yet it
didn't work.
In other matters...during one of my login attempts I got:
* OK dovecot ready.
1 LOGIN tmetro at example.com password
1 OK Logged in.
Connection closed by foreign host.
The abrupt disconnect after an apparently successful login seemed odd.
The log file showed:
Aug 8 21:23:47 lex dovecot: chdir(maildir:/var/mail/example.com/tmetro/) failed with uid 5000: Permission denied
Aug 8 21:23:47 lex dovecot: child 10315 (imap) returned error 89
which is the problem I discussed above, but is it reasonable for
Dovecot to disconnect the IMAP socket and not send an error message to
the client?
At the end of the dovecot-example.conf is:
#auth = digest_md5
#auth_methods = digest-md5
#auth_realms =
#auth_userdb = passwd-file /etc/passwd.imap
#auth_passdb = passwd-file /etc/passwd.imap
#auth_user = imapauth
#auth_chroot =
Is auth_methods an alias for auth_mechanisms?
Aside from the insufficient detail in the log, most of the difficulty
I encountered could be avoided with better documentation and comments
in the config files. I'd be happy to submit clarified comments once I
get some answers to the above questions and confirm my understanding
of how things work.
-Tom
More information about the dovecot
mailing list