Dovecot auth-worker error after cram-md5 auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Feb 1 07:59:08 UTC 2017


Are you still trying to authenticate using cram-md5?

Aki


On 01.02.2017 09:51, Poliman - Serwis wrote:
> It still uses:
> passdb {
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
>
> When I delete the above and delete "cram-md5" in auth_mechanisms it is still not
> working.
>
> 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>> You are probably wanting to do
>> passdb {
>>   driver = passwd-file
>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>> }
>>
>> passdb {
>>   driver = sql
>>   args = /etc/dovecot/dovecot-sql.conf
>> }
>>
>> Why you want to use cram-md5 is beyond me, because using SSL is much
>> safer.
>>
>> Aki
>>
>> On 01.02.2017 09:41, Poliman - Serwis wrote:
>>> By default it was: "auth_mechanisms = plain login" and I added cram-md5.
>>> After a restart everything worked perfectly. But after I added:
>>>    driver = passwd-file
>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>> I can't set the default lines because I get an error. Please tell me which lines
>>> should be changed to resolve this issue. Should I remove "login" from
>>> auth_mechanisms ("login" was a default setting and I would like to move back
>>> to the default settings)?
>>>
>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>>> Because cram-md5 needs the user's password for calculating responses, it
>>>> cannot work with hashed passwords (one-way encrypted). The only
>>>> supported password schemes are PLAIN and CRAM-MD5.
>>>>
>>>> Aki
>>>>
>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>>>> I always restart dovecot after changing the config. ;) Sure, I commented out
>>>>> the two lines I added, restarted dovecot and here it is:
>>>>>
>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>>>> auth_mechanisms = plain login cram-md5
>>>>> listen = *,[::]
>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>> mail_max_userip_connections = 100
>>>>> mail_plugins = " quota"
>>>>> mail_privileged_group = vmail
>>>>> passdb {
>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>   driver = sql
>>>>> }
>>>>> plugin {
>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>>>>   sieve_max_redirects = 25
>>>>> }
>>>>> postmaster_address = postmaster at example.com
>>>>> protocols = imap pop3
>>>>> service auth {
>>>>>   unix_listener /var/spool/postfix/private/auth {
>>>>>     group = postfix
>>>>>     mode = 0660
>>>>>     user = postfix
>>>>>   }
>>>>>   unix_listener auth-userdb {
>>>>>     group = vmail
>>>>>     mode = 0600
>>>>>     user = vmail
>>>>>   }
>>>>>   user = root
>>>>> }
>>>>> service imap-login {
>>>>>   client_limit = 1000
>>>>>   process_limit = 512
>>>>> }
>>>>> service lmtp {
>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>>     group = postfix
>>>>>     mode = 0600
>>>>>     user = postfix
>>>>>   }
>>>>> }
>>>>> ssl = required
>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>>>> ssl_dh_parameters_length = 2048
>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>> ssl_prefer_server_ciphers = yes
>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>> userdb {
>>>>>   driver = prefetch
>>>>> }
>>>>> userdb {
>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>   driver = sql
>>>>> }
>>>>> protocol imap {
>>>>>   mail_plugins = quota imap_quota
>>>>> }
>>>>> protocol pop3 {
>>>>>   mail_plugins = quota
>>>>>   pop3_uidl_format = %08Xu%08Xv
>>>>> }
>>>>> protocol lda {
>>>>>   mail_plugins = sieve quota
>>>>>   postmaster_address = webmaster at localhost
>>>>> }
>>>>> protocol lmtp {
>>>>>   mail_plugins = quota sieve
>>>>>   postmaster_address = webmaster at localhost
>>>>> }
>>>>>
>>>>>
>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>
>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>>>> These are the debug log lines in syslog:
>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_reply at example.com
>>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_reply at example.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> #####################
>>>>>>> I added in dovecot.conf lines in passdb block:
>>>>>>>    driver = passwd-file
>>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>> and commented out default lines
>>>>>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>>>>>   #driver = sql
>>>>>>> When I try to set the default lines again I get the above error
>>>>>> Can you run doveconf -n with the configuration that causes the above
>>>>>> error? Also it clearly does SQL lookup, so that error is happening with
>>>>>> SQL passdb. You need to remember to restart dovecot between
>>>>>> configuration changes.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>
>>>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>>>>>>>> I set up cram-md5 using this tutorial
>>>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>>>>>>>> passdb code block:
>>>>>>>>> listen = *,[::]
>>>>>>>>> protocols = imap pop3
>>>>>>>>> #auth_mechanisms = plain login cram-md5
>>>>>>>>> auth_mechanisms = cram-md5 plain login
>>>>>>>>> #line added below
>>>>>>>>> ssl = required
>>>>>>>>> disable_plaintext_auth = yes
>>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>>>> mail_privileged_group = vmail
>>>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
>>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> mail_max_userip_connections = 100
>>>>>>>>> passdb {
>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>> # driver = sql
>>>>>>>>> driver = passwd-file
>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>> }
>>>>>>>>> userdb {
>>>>>>>>> driver = prefetch
>>>>>>>>> }
>>>>>>>>> userdb {
>>>>>>>>> args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>> driver = sql
>>>>>>>>> }
>>>>>>>>> Of course I created the cram-md5.pwd file. All mails go out and come in nicely.
>>>>>>>>> But when I want to set the default settings by commenting out these two lines:
>>>>>>>>> driver = passwd-file
>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>> and uncomment
>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>> # driver = sql
>>>>>>>>> I can't send emails - I use Thunderbird - and get the error "logging on server
>>>>>>>>> mail.example.com not work out". Error in logs:
>>>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different passdbs/userdbs than auth server.
>>>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>>>>>>>>>
>>>>>>>>> Is it possible that the hashed password from the cram-md5.pwd file was written to
>>>>>>>>> the database (if yes, then where - I have ISPconfig)? I didn't change any userdb
>>>>>>>>> {} block, and the second userdb block has the same lines as the default
>>>>>>>>> settings in the passdb block.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Try
>>>>>>>>
>>>>>>>> auth_debug=yes
>>>>>>>> auth_verbose=yes
>>>>>>>>
>>>>>>>> and see if it gives any more reasonable messages.
>>>>>>>>
>>>>>>>> Aki
>>>>>>>>
>>>
>
>
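
Added example, not part of the original thread and not Dovecot's code: a Python sketch of the CRAM-MD5 exchange (RFC 2195) that shows why the auth-worker above logs "Requested CRAM-MD5 scheme, but we have only CRYPT". The challenge is the one from the quoted debug log; the password and the CRYPT value are constructed, and the function names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac

# CRAM-MD5 challenge exactly as logged on this page ("client passdb out: CONT ...").
LOG_CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="


def decode_challenge(challenge_b64: str) -> str:
    """The server challenge is a base64-encoded <nonce.timestamp@host> string."""
    return base64.b64decode(challenge_b64).decode("ascii")


def client_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side (RFC 2195): base64(user SP hex(HMAC-MD5(key=password, challenge)))."""
    mac = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return base64.b64encode(f"{user} {mac.hexdigest()}".encode()).decode("ascii")


def server_verify(scheme: str, stored: str, challenge_b64: str, response_b64: str) -> str:
    """Server side. Returns "ok", "mismatch" or "unusable-scheme".

    Only PLAIN storage is modelled. Dovecot's CRAM-MD5 storage scheme (the other
    one the thread says is supported) is not implemented in this sketch.
    """
    if scheme == "CRAM-MD5":
        raise NotImplementedError("CRAM-MD5 storage scheme is not modelled here")
    if scheme != "PLAIN":
        # A one-way hash such as CRYPT cannot be turned back into the HMAC key,
        # so there is nothing to compare the client's digest against.
        return "unusable-scheme"
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    same = hmac.compare_digest(expected.hexdigest().encode(), digest.encode())
    return "ok" if same else "mismatch"


if __name__ == "__main__":
    user, password = "do_not_reply@example.com", "constructed-password"  # constructed
    resp = client_response(user, password, LOG_CHALLENGE_B64)
    print(decode_challenge(LOG_CHALLENGE_B64))
    print(server_verify("PLAIN", password, LOG_CHALLENGE_B64, resp))
    # Constructed placeholder standing in for a crypt(3) hash from the SQL passdb.
    print(server_verify("CRYPT", "$6$constructed$placeholder", LOG_CHALLENGE_B64, resp))
```

Because the server has to key the HMAC with the password itself (or, in Dovecot, the CRAM-MD5 scheme value), enabling this mechanism for an account means keeping a password-equivalent secret on the server instead of a one-way hash.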


